Security Rule Zero is a Core Component of Zero Trust
Zero trust is one of the hottest buzzwords (or buzzphrases) in technology today. It was named the third most exciting technology in our State of Application Strategy 2022 research, and garners significant mindshare up and down the organizational stack.
One of the overlooked truths of zero trust is that it’s really a mindset, not a technology or solution. Which is why I continue to come back to our core belief about zero trust:
“We believe zero trust security is, at its core, a mindset—a belief system—from which techniques and tactics emerge and leverage specific technologies, which can then be applied to address a broad spectrum of security threats.”
Which is why it’s important to revisit Security Rule Zero.
For those who aren’t familiar with the concept of “Rule Zero,” it derives from role playing games in which rules play a significant role. Rules determine the order of interaction, the interpretation of dice rolls, and what you can and cannot do. Just like the real world. But in role playing games there is a Rule Zero, which supersedes all other rules: “the GM is the final arbiter of all things in the game.” This essentially means the GM can change, add, and remove rules at any time. And trust me, they often do.
It may surprise some folks to learn that security has a Rule Zero and it is this:
“Thou shalt not trust user input. Ever.”
This is not a new rule; it has been brought to the fore many, many times before and I’ve written a number of times on it as a reminder that it is core to security best practices. Failure to follow this rule leads to vulnerabilities that can explode into widespread, dangerous exploitation.
Security Rule Zero remains relevant today—perhaps even more so than it ever has. With the proliferation of APIs and explosion of digital services, there are more bots and scripts and bad actors out there than ever. And while credential stuffing remains a top attack technique, there is no lack of news about exploits taking advantage of digital services and APIs that fail to adhere to Security Rule Zero.
Trusting user input is anathema to the very concept of zero trust. No user input—whether that user is human, software, or system—should be assumed to be safe to process without inspection. Period. Full stop.
One of the core principles—the beliefs—of zero trust is to assume compromise. Compromise can mean the presence of malware or control by a bad actor. That’s the state of the system. The consequence is that data—messages—coming from that system may be malicious.
Ergo, therefore, and thusly, you should never trust any input from a user. Period.
As stated above, this basic rule leads to tactics (inspection) and technologies (WAAP, WAF, NGF) that can be used to detect and neutralize a wide variety of attacks.
Security Rule Zero is a core component of zero trust. Adopting it will lead to more effective tactics and stronger security for everyone.
Stay safe out there.