- Earn or give, but never assume, trust.
- Use an authentication mechanism that cannot be bypassed or tampered with.
- Authorize after you authenticate.
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
- Define an approach that ensures all data are explicitly validated.
- Use cryptography correctly.
- Identify sensitive data and how it should be handled.
- Always consider the users.
- Understand how integrating external components changes your attack surface.
- Be flexible when considering future changes to objects and actors.