Good security principles should be reused. So save time and prevent extra risks by using good security principles for your new product. Why reinvent the wheel again?
You can also all download security principles to reuse them off-line in your own project:


You are invited to add or improve a security principle. Create a pull request on the list hosted on github, or use the mail form here.

Remember: Having good security principles for your new business/project/system is MUST. However security principles alone is not enough, we can offer on demand business IT consultancy to help you implement and manage your IT security. Contact us for more information.

In case of question regarding these security principles, please contact us.

Address Privacy&Security
StatementAddress Privacy & Security
RationaleInformation is power and this is certainly true in the context of technology-enabled global development interventions. How information is collected, stored, analysed, shared, and used has serious implications for both the populations about whom data are being transmitted, and the organizations transmitting the data.
  • Assess and mitigate risks to the security of users and their data.
  • Consider the context and needs for privacy of personally identifiable information when designing solutions and mitigate accordingly.
  • Ensure equity and fairness in co-creation, and protect the best interests of the end end-users.
Tag(s)design, Security
Always consider the users
StatementAlways consider the users
RationaleThe security of a software system is linked to what its users do with it. It is therefore important that all security-related mechanisms are designed in a manner that makes it easy for users to deploy, configure, use, and update the system securely. Security is not a feature that can simply be added to a software  system, but rather a property emerging from how the system was built and is operated. The way each user interacts with software is dictated not only by the design and implementation decisions of its creators but also by the cognitive abilities and cultural background of its users.
ImplicationsFailing to address this design principle can lead to a various problems, e.g.:
  • When designers don’t “remember the user” in their software design, inadvertent disclosures by the user may take  place. If it is difficult to understand the authorization model, or difficult to understand the configuration for visibility  of data, then the user’s data are likely to be unintentionally disclosed.
  • Designers sometimes fail to account for the fact that authenticated and properly authorized users can also be attackers! This design error is a failure to distrust the user, resulting in authorized users having opportunities to misuse the system.
  • When security is too hard to set up for a large population of the system’s users, it will never be configured, or it will not be configured properly.
Asset protection and resilience
StatementAsset protection and resilience
RationaleConsumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
ImplicationsIf this principle is not implemented, inappropriately  data (e.g. user or consumer)  could be compromised which may result in legal and regulatory sanction, or reputation damage.
Tag(s)Cloud, Security
Assume that external systems are insecure
StatementAssume that external systems are insecure.
RationaleThe term information domain arises from the practice of partitioning information resources according to access control, need, and levels of protection required. Organizations implement specific measures to enforce this partitioning and to provide for the flow of authorized information between information domains. The boundary of an information domain represents the security perimeter for that domain. An external domain is one that is not under your control. In general, all external systems should be considered insecure.
  • Take proactive security measurements to protect secure data crossing information boundaries.
  • Design secure information exchange interfaces (api's).
  • Make agreements with parties involved.
Audit information provision to consumers
StatementAudit information provision to consumers
RationaleConsumers should be provided with the audit records they need to monitor access to their service and the data held within it. If this principle is not implemented, consumers will not be able to detect and respond to inappropriate or malicious use of their service or data within reasonable time-scales. In most countries this is a legal requirement from privacy point of view.
  • Secure audit mechanism needed.
  • Requirements needed for audit data retention, storing, archiving.
Tag(s)Cloud, Security
Authenticate users and processes
StatementAuthenticate users and processes to ensure appropriate access control decisions both within and across domains.
RationaleAuthentication is the process where a system establishes the validity of a transmission, message, or a means of verifying the eligibility of an individual, process, or machine to carry out a desired action, thereby ensuring that security is not compromised by an untrusted source. It is essential that adequate authentication be achieved in order to implement security policies and achieve security goals.
ImplicationsAuthentication service needed for users and application processes.  
1 2 3 14