Saltzer and Schroeder's Security Design Principles
- Open design - Assume the attackers have the sources and the specs.
- Fail-safe defaults - Fail closed; no single point of failure.
- Least privilege - No more privileges than what is needed.
- Economy of mechanism - Keep it simple, stupid.
- Separation of privileges - Don’t permit an operation based on a single condition.
- Total mediation - Check everything, every time.
- Least common mechanism - Beware of shared resources.
- Psychological acceptability - Will they use it?