Secure design principles
The classic principles (economy of mechanism, open design, complete mediation and friends) that separate systems that age well from ones that don't.
~4 min read
Where these come from
Most "secure design principles" lists trace back to Saltzer and Schroeder's 1975 paper The Protection of Information in Computer Systems. Fifty years on, the principles still describe why modern systems fail. Learn them as a toolkit for evaluating designs, not as trivia.
The principles
Economy of mechanism means keeping security-critical code small and simple. Complexity hides bugs; every line of a parser or authentication routine is attack surface. Security reviews fixate on "do we really need this feature?" for exactly this reason.
Fail-safe defaults means access should be denied unless explicitly granted. A new file share should start private; a firewall should start with deny-all. The opposite (default-allow, then patch holes) guarantees you'll miss one.
Complete mediation means checking authority on every access, not just the first. Caching an authorisation decision and never re-checking is how revoked users keep working for hours. Web apps fail this constantly: the menu hides the admin link, but the admin URL still works for anyone who types it.
Open design means security must not depend on the design being secret. This is Kerckhoffs's principle from cryptography generalised: assume the attacker knows how the system works, and rely only on the secrecy of keys/credentials. The contrast is security through obscurity: moving SSH to port 2222 stops nobody who scans. Obscurity can be a thin extra layer; it must never be the load-bearing one.
Separation of privilege requires more than one condition for sensitive access (two keys, password and hardware token, code review and CI checks). The design-level cousin of separation of duties.
Least privilege is covered under controls, but it belongs on this list too, and it's the one to reach for first in almost any "how would you limit damage?" question.
Least common mechanism calls for minimising components shared between users or security domains, because shared mechanisms are channels for leakage and interference. Cloud side-channel attacks (one tenant spying on another via shared CPU caches) are this principle ignored.
Psychological acceptability holds that security people will not tolerate gets bypassed. If the VPN takes four minutes to connect, staff will email files to personal accounts. A weaker control people actually use beats a stronger one they route around. Modern usable-security research is this principle grown up.
Defence-relevant additions
Minimise attack surface: fewer features, ports, endpoints and dependencies. Every dependency is someone else's code on your attack surface (the lesson of the supply chain attacks that pushed Software Supply Chain Failures to A03 in the OWASP Top 10:2025).
Secure by default means shipping the safe configuration out of the box. Users keep defaults; if the default is an open admin port and password admin, that's what the internet's scanners will find. Regulators increasingly demand this (the UK's PSTI Act banning universal default passwords on consumer devices, for example).
Shift left means dealing with security as early in the lifecycle as possible: requirements and design, not post-release patching. The earlier a flaw is found, the cheaper the fix: design-stage fixes cost a meeting; production fixes cost incident response, customer notifications and rewrites. Threat modelling, secure coding standards, dependency scanning and code review in CI are all shift-left in practice.
The shift from trust but verify to never trust, always verify is the zero trust evolution covered under controls. Inherited trust (being on the LAN, having an internal hostname) is how lateral movement works.
Using the principles
In an exam or design review, the pattern is: identify the decision, name the principle, state the consequence. For example:
"The application checks the user's role at login and stores isAdmin in the session forever." This violates complete mediation; a demoted admin keeps power until they log out. Re-check authorisation on each privileged action.
"Our protocol is secure because we haven't published how it works." This violates open design; it will be reverse-engineered, and then there's nothing left.
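The two complete-mediation failures described above (a UI that hides the admin link instead of checking the request, and an isAdmin flag cached in the session at login) beside a handler that checks the current role on every request and denies by default (fail-safe defaults). This is an added example, not code from the original page; the RoleDirectory, Session, route table, user names and response codes are all constructed for illustration.

```python
"""Complete mediation and fail-safe defaults in a toy web app.

Added example, not code from the original page. The RoleDirectory,
Session, route table, users and status codes are constructed for
illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass


class RoleDirectory:
    """Authoritative store of current roles (stand-in for the user database)."""

    def __init__(self, roles: dict[str, str]):
        self._roles = dict(roles)

    def role_of(self, user: str) -> str | None:
        return self._roles.get(user)

    def demote(self, user: str) -> None:
        self._roles[user] = "user"


# Which actions each role may perform. Anything not listed is denied.
PERMISSIONS = {"admin": {"read", "delete_user"}, "user": {"read"}}

# Which action each route requires. Routes absent from this table are denied too.
ROUTES = {"/": "read", "/admin/delete_user": "delete_user"}


@dataclass
class Session:
    user: str
    is_admin_cached: bool  # snapshot taken at login; the stale decision


def login(directory: RoleDirectory, user: str) -> Session:
    # Unknown users get a session with no admin flag; they are still a session.
    return Session(user, directory.role_of(user) == "admin")


def render_menu(session: Session) -> list[str]:
    """Hides the admin link from non-admins. This is UI, not access control."""
    links = ["/"]
    if session.is_admin_cached:
        links.append("/admin/delete_user")
    return links


def handle_menu_only(path: str) -> str:
    """Vulnerable: no authorisation check at all. The only 'protection' is that
    render_menu does not show the link; the URL works for anyone who types it."""
    return "200" if path in ROUTES else "404"


def handle_cached(session: Session, path: str) -> str:
    """Vulnerable: trusts the login-time flag and never re-checks it, so a
    demoted admin keeps power for as long as the session lives."""
    if path not in ROUTES:
        return "404"
    if path.startswith("/admin/") and not session.is_admin_cached:
        return "403"
    return "200"


def authorise(directory: RoleDirectory, user: str, action: str) -> bool:
    """Fail-safe default: deny unless the user's *current* role grants action.
    An unknown user has role None, which maps to an empty permission set."""
    role = directory.role_of(user)
    return action in PERMISSIONS.get(role, set())


def handle_mediated(directory: RoleDirectory, session: Session, path: str) -> str:
    """Complete mediation: every request, every route, checked against the
    source of truth, regardless of what the menu showed."""
    action = ROUTES.get(path)
    if action is None:
        return "404"
    if not authorise(directory, session.user, action):
        return "403"
    return "200"


def demo() -> dict[str, tuple[str, str, str]]:
    """Returns (menu_only, cached, mediated) responses for each scenario."""
    directory = RoleDirectory({"alice": "admin", "bob": "user"})
    path = "/admin/delete_user"
    alice, bob, mallory = (login(directory, u) for u in ("alice", "bob", "mallory"))

    def run(session: Session) -> tuple[str, str, str]:
        return (handle_menu_only(path), handle_cached(session, path),
                handle_mediated(directory, session, path))

    results = {"alice before demotion": run(alice),
               "bob types the hidden URL": run(bob),
               "mallory, not in the directory": run(mallory)}
    directory.demote("alice")  # role changes; alice's session still says admin
    results["alice after demotion"] = run(alice)
    return results


if __name__ == "__main__":
    for scenario, (menu_only, cached, mediated) in demo().items():
        print(f"{scenario:30} menu_only={menu_only} cached={cached} mediated={mediated}")
```

Only handle_mediated gets the right answer in every scenario: the menu-only handler lets everyone through, and the cached handler lets the demoted admin keep deleting users. Note that the mediated check is cheap here because the directory is in memory; in a real system the point is that the lookup must hit whatever is authoritative (or a cache with a short, explicit TTL), not a flag stamped into the session at login.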
Quick recall
- Saltzer & Schroeder (1975): economy of mechanism, fail-safe defaults, complete mediation, open design, separation of privilege, least privilege, least common mechanism, psychological acceptability.
- Kerckhoffs: the system can be known; only keys are secret. Obscurity is seasoning, never the meal.
- Complete mediation failures = hidden-but-reachable admin pages, stale cached permissions.
- Secure by default and shift left: safe out of the box, security from design time.
- Usability is a security property: controls people bypass protect nothing.