Microsoft’s 10 Immutable Laws of Security (also known simply as the 10 Immutable Laws of Security) is a security article written in 2000 by Scott Culp at the Microsoft Security Response Center. The article lists ten kinds of security failure that are not necessarily the result of product flaws. Instead, the list highlights why sound judgement is an important consideration in cyber-security.

Although the article gave important reasons why technology alone cannot solve the problems of security, it received a divided response. Whilst some claimed that the article was Microsoft’s way of avoiding responsibility for some of the security flaws in its products, others praised it for covering important security basics. In fact, the article remained influential enough to be republished 15 years later as a second version with slightly altered wording.

The list of version 1 is as follows:

  • Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
  • Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
  • Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
  • Law #4: If you allow a bad guy to upload programs to your website, it’s not your website anymore
  • Law #5: Weak passwords trump strong security
  • Law #6: A computer is only as secure as the administrator is trustworthy
  • Law #7: Encrypted data is only as secure as the decryption key
  • Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
  • Law #9: Absolute anonymity isn’t practical, in real life or on the Web
  • Law #10: Technology is not a panacea

The list of version 2 is as follows (the wording differs from version 1 in Laws #1, #4, #8 and #9):

  • Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore
  • Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
  • Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
  • Law #4: If you allow a bad guy to run active content in your website, it’s not your website anymore
  • Law #5: Weak passwords trump strong security
  • Law #6: A computer is only as secure as the administrator is trustworthy
  • Law #7: Encrypted data is only as secure as the decryption key
  • Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all
  • Law #9: Absolute anonymity isn’t practically achievable, online or offline
  • Law #10: Technology is not a panacea


Last updated: 5 September 2017