Ten Immutable Laws Of Security (Version 2.0)

You might have known the 10 Immutable Laws Of Security for quite a while. They are kind of the “collected non-technical wisdom” of what we see in security response, be it in the Microsoft Security Response Center or in our Security Product Support.

There is now a version 2, which is still as important as version 1 was. The 10 Laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

Just make sure that you keep them in mind – there is no “patch” for them. The whole set of explanations can be found here: Ten Immutable Laws Of Security (Version 2.0)

Roger

Comments

  • Anonymous
    January 01, 2003
    thank you
  • Anonymous
    July 31, 2014
    1. So what about sandboxed code, or code running in a VM?
    4. Same as 1, this may not necessarily apply to sandboxed content.
  • Anonymous
    January 11, 2015
    @ajedi32, running inside a VM isn't the same as #1. It's not really 'your computer' but a 'guest' computer.
  • Anonymous
    August 14, 2015
    The comment has been removed
  • Anonymous
    October 08, 2015
    @Gene So "if a bad guy can persuade you to run his program on your VM, then it's not solely your VM anymore"? ;-) Makes sense.