Security Rule Zero is a Core Component of Zero Trust

F5 Ecosystem | October 05, 2022


Zero trust is one of the hottest buzzwords (or buzzphrases) in technology today. It was named the third most exciting technology in our State of Application Strategy 2022 research, and garners significant mindshare up and down the organizational stack.

One of the overlooked truths of zero trust is that it’s really a mindset, not a technology or solution. Which is why I continue to come back to our core belief about zero trust:

“We believe zero trust security is, at its core, a mindset—a belief system—from which techniques and tactics emerge and leverage specific technologies, which can then be applied to address a broad spectrum of security threats.”

Which is why it’s important to revisit Security Rule Zero.

For those who aren’t familiar with the concept of “Rule Zero,” it derives from role-playing games, in which rules play a significant role. Rules determine the order of interaction, the interpretation of dice rolls, and what you can and cannot do. Just like the real world. But in role-playing games there is a Rule Zero, which supersedes all other rules: “the GM is the final arbiter of all things in the game.” This essentially means the GM can change, add, and remove rules at any time. And trust me, they often do.

It may surprise some folks to learn that security has a Rule Zero and it is this:

“Thou shalt not trust user input. Ever.”

This is not a new rule; it has been brought to the fore many, many times before and I’ve written a number of times on it as a reminder that it is core to security best practices. Failure to follow this rule leads to vulnerabilities that can explode into widespread, dangerous exploitation.

Security Rule Zero remains relevant today—perhaps even more so than it ever has. With the proliferation of APIs and explosion of digital services, there are more bots and scripts and bad actors out there than ever. And while credential stuffing remains a top attack technique, there is no lack of news about exploits taking advantage of digital services and APIs that fail to adhere to Security Rule Zero.

Trusting user input is anathema to the very concept of zero trust. No user input—whether that user is human, software, or system—should be assumed to be safe to process without inspection. Period. Full stop.

One of the core principles—the beliefs—of zero trust is to assume compromise. Compromise can mean the presence of malware or control by a bad actor. That’s the state of the system. The consequence is that data—messages—coming from that system may be malicious.

Ergo, therefore, and thusly, you should never trust any input from a user. Period.

As stated above, this basic rule leads to tactics (inspection) and technologies (WAAP, WAF, NGF) that can be used to detect and neutralize a wide variety of attacks.
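
To make “inspection” concrete, here is an added example (not code from the original post or from F5) of what Security Rule Zero looks like inside a service: a handler for a hypothetical order endpoint that treats the entire request body as hostile until it has been parsed, bounded, allowlisted, and type-checked. The endpoint, its field names, the size limits, and the username pattern are all assumptions made for the illustration; the sample request bodies at the bottom are constructed.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Hypothetical endpoint contract (an assumption for this example).
# Every accepted field is allowlisted with its type, a bound, and whether it is required.
# Anything the contract does not name is rejected rather than ignored.
MAX_BODY_BYTES = 4096
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
SCHEMA: dict[str, tuple[type, int, bool]] = {
    #  name        (type, bound,  required)
    "username": (str, 32, True),     # bound = max characters
    "quantity": (int, 1000, True),   # bound = max value, must be > 0
    "note": (str, 280, False),       # bound = max characters
}


class RejectedInput(ValueError):
    """Raised when a request body fails inspection; the message is the reason."""


def inspect_request(raw: bytes) -> dict[str, Any]:
    """Parse and validate an untrusted request body.

    Returns a new dict containing only allowlisted, type-checked, bounded fields.
    Business logic never sees the raw bytes or the raw parsed object.
    """
    # 1. Bound the size before doing any parsing work on attacker-controlled bytes.
    if len(raw) > MAX_BODY_BYTES:
        raise RejectedInput("body too large")

    # 2. Decode and parse; malformed input is rejected, never "best-effort" repaired.
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedInput(f"malformed body: {exc.__class__.__name__}") from None
    if not isinstance(body, dict):
        raise RejectedInput("body must be a JSON object")

    # 3. Reject unknown fields: an extra "admin": true must not silently ride along.
    unknown = set(body) - set(SCHEMA)
    if unknown:
        raise RejectedInput(f"unexpected fields: {sorted(unknown)}")

    # 4. Check each allowlisted field for presence, type, and bound.
    clean: dict[str, Any] = {}
    for name, (typ, bound, required) in SCHEMA.items():
        if name not in body:
            if required:
                raise RejectedInput(f"missing field: {name}")
            continue
        value = body[name]
        # bool is a subclass of int in Python, so reject it explicitly or
        # true/false would pass as a quantity.
        if isinstance(value, bool) or not isinstance(value, typ):
            raise RejectedInput(f"{name}: expected {typ.__name__}")
        if typ is str and len(value) > bound:
            raise RejectedInput(f"{name}: longer than {bound} characters")
        if typ is int and not 0 < value <= bound:
            raise RejectedInput(f"{name}: out of range 1..{bound}")
        clean[name] = value

    # 5. Apply the allowlist pattern (not a denylist of "bad" characters).
    if not USERNAME_RE.fullmatch(clean["username"]):
        raise RejectedInput("username: does not match allowlist pattern")
    return clean


def handle(raw: bytes) -> tuple[int, str]:
    """HTTP-style outcome for a request body: (status code, message)."""
    try:
        data = inspect_request(raw)
    except RejectedInput as exc:
        return 400, str(exc)
    return 200, f"accepted order of {data['quantity']} for {data['username']}"


if __name__ == "__main__":
    # Constructed sample bodies: one well-formed request and several that
    # should be refused without ever reaching business logic.
    samples = [
        b'{"username": "alice_1", "quantity": 3}',
        b'{"username": "alice_1", "quantity": 3, "admin": true}',
        b'{"username": "ALICE", "quantity": 3}',
        b'{"username": "alice_1", "quantity": true}',
        b'not json at all',
        b'[]',
    ]
    for sample in samples:
        status, message = handle(sample)
        print(status, message)
```

The ordering matters: the size check runs before parsing, the unknown-field check runs before any field is examined, and the handler only ever returns data copied into a fresh dict, so nothing downstream can reach into the original object for a field that was never inspected. The same structure applies whether the “user” is a browser, a partner’s integration script, or another internal service, which is the point of the rule.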

Security Rule Zero is a core component of zero trust. Adopting it will lead to more effective tactics and stronger security for everyone.

Stay safe out there.

