├── README.md
└── List of Security Axioms.md

/README.md:
--------------------------------------------------------------------------------
# SecurityAxioms
This is a list of Computer and Network Security Axioms. Please feel free to submit ones that should be added to this list.

References:
http://www.catholicapologetics.info/catholicteaching/philosophy/axiomata.htm
http://www.shawnleegregory.com/p/list-of-axioms.html

--------------------------------------------------------------------------------
/List of Security Axioms.md:
--------------------------------------------------------------------------------
# This is a collective list of Axioms from the Security Community.
Example reference: http://www.catholicapologetics.info/catholicteaching/philosophy/axiomata.htm

Computer Security Axioms:
========================
1. "If a system or network is vulnerable to legacy malware, then it is certainly vulnerable to targeted attacks." Christopher Sistrunk 2016 (Sistrunk's Axiom)
2. If an attacker can use an existing feature of a targeted system, then they aren't required to use a zero-day. Ralph Langner 2011
3. "Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life." @thegrugq 2015
4. Compliance does not equal security. (unknown)
5. "A backdoor for one is a backdoor for everyone." @munin 2017
   * "But the reality is if you put a back door in, that back door's for everybody, for good guys and bad guys." Tim Cook 2015
6. Security is a journey, not a destination. (unknown)
   * Earliest reference to the full quote above is by Joel G. Ogren in 1999
   * "Security is a process, not an end state." Mitch Kabay 1998
   * "Security is a process, not a product." Bruce Schneier 1999
7. If something (has code/is online/has a computer chip), it can be hacked. (multiple variations) (unknown)
   * "As society becomes more and more computerized, it becomes eminently more hackable." Deth Vegetable, Cybermania 1994
   * "Everything is hackable." A.J. Reznor 1997
   * "Whenever an appliance is described as being 'smart', it's vulnerable." Mikko Hypponen 2016
8. "Security's worst enemy is complexity." Bruce Schneier 1999
9. "Ability to type on a computer terminal is no guarantee of sanity, intelligence, or common sense." Eugene Spafford 1987 (Axiom #2 from his Axioms of Usenet)
10. Any security technology whose effectiveness can't be empirically determined is indistinguishable from blind luck. (Geer's Law) Dan Geer 2003
    * "Geer's law is a paraphrase of the analysis first presented in 'Information Security: Why the Future Belongs to the Quants.'" Ian Grigg & Peter Gutmann 2011
11. "New tools are adopted for the productivity boost they offer, not any increased security." Adam Crain 2020

-----
Microsoft's 10 Immutable Laws Version 2.0 (2011)
https://technet.microsoft.com/en-us/library/hh278941.aspx

Microsoft's 10 Immutable Laws Version 1.0 (2000)
https://web.archive.org/web/20001207195000/http://www.microsoft.com/technet/security/10imlaws.asp
--------------------------------------------------------------------------------