Setting Security Objectives - Locking It Down Like a Boss.
Setting clear security goals is the first big step in keeping your web apps safe throughout the development process. These goals should be baked into the right parts of your organization and follow solid security principles—especially when it comes to dodging the big risks that show up in things like the OWASP Top 10.
When you're building web apps or services, your security objectives should cover the basics of the "C.I.A." triad: keeping data Confidential, making sure it stays accurate and unaltered (Integrity), and ensuring it's Available when needed. To keep them as specific as possible, the S.M.A.R.T. format (Specific, Measurable, Achievable, Realistic, and Timely) may be a good starting point for you. We're planning to follow up with a more specific article on that later.
Below is a list of good Security Objectives drawn from information security frameworks, web security best practices, and developer requirements. To make it a bit more tangible, we have added a few sample objectives; to save some screen real estate, it is left to you to transform them into S.M.A.R.T.-formatted objectives.
1. Core Identity and Access Control Objectives
The main objective here is to prevent Broken Access Control (a critical risk in modern API environments) and Identification and Authentication Failures.
Objective: Strong, Multi-Factor Authentication (MFA) Adoption
- Achieve strong, cryptographically secured authentication for all users and services.
- Implement robust multi-factor authentication (MFA) across all critical systems to resist credential-based attacks.
Objective: Enforced Authorization and Least Privilege
- Ensure that all authenticated users and system processes operate strictly according to the principle of least privilege, granting only the minimum access necessary for assigned organizational tasks.
- Ensure proper access controls and session management are enforced using zero-trust principles.
- Implement Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) to define granular permissions based on user roles or attributes.
Objective: Secure Session Management
- Protect the authenticity of communications sessions against session hijacking.
- Invalidate session identifiers upon user logout or other session termination.
- Generate unique, random, system-generated session identifiers.
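As an added illustration of the three session objectives above (example code, not from the article), a minimal in-memory session store in Python; the SessionStore class, its method names and the idle-timeout value are assumptions made for this example.

```python
import secrets
import time

# Constructed in-memory session store illustrating the session objectives:
# unique random identifiers, rotation after authentication (so an identifier
# issued before login is never trusted afterwards), and hard invalidation on
# logout. Names and the timeout are illustrative, not from any framework.
SESSION_ID_BYTES = 32           # 256 bits of entropy from the OS CSPRNG
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value for this example


class SessionStore:
    def __init__(self, now=time.time):
        self._sessions = {}     # session_id -> {"user": ..., "last_seen": ...}
        self._now = now         # injectable clock so expiry can be tested

    def _new_id(self):
        # secrets.token_urlsafe draws from the CSPRNG; never derive identifiers
        # from predictable values such as usernames, counters or timestamps.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self, user):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def rotate(self, old_sid):
        """Issue a fresh identifier after authentication and retire the old one."""
        record = self._sessions.pop(old_sid, None)
        if record is None:
            return None
        return self.create(record["user"])

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or idle too long."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._now() - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self.invalidate(sid)    # expired sessions are removed, not just ignored
            return None
        record["last_seen"] = self._now()
        return record["user"]

    def invalidate(self, sid):
        """Server-side logout: the identifier must never resolve again."""
        return self._sessions.pop(sid, None) is not None
```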
2. Data Protection and Cryptography Objectives
The objective is to achieve Confidentiality and Integrity of information, preventing Cryptographic Failures and Data Leakage.
Objective: Confidentiality in Transit and at Rest
- Protect the confidentiality and integrity of all transmitted and stored information.
- Enforce HTTPS everywhere with proper certificate management and use Transport Layer Security (TLS) encryption to protect data during transmission.
- Implement cryptographic mechanisms using strong algorithms (e.g., AES-256 or RSA-4096) to secure sensitive data (such as PII, PCI, and PHI) while at rest.
Objective: Key and Authenticator Management
- Manage cryptographic keys in accordance with organizational requirements for key generation, distribution, storage, access, and destruction.
- Avoid storing unencrypted static authenticators in applications or other static storage.
Objective: Data Minimization and Tokenization
- For systems processing Personally Identifiable Information (PII), restrict processing to only what is directly relevant and necessary for the identified purpose (Minimization).
- Where possible, reduce the exposure of sensitive data during transactions, such as through tokenization.
3. Software and Data Integrity Objectives
These objectives focus on eliminating vulnerabilities that lead to Injection attacks, Software and Data Integrity Failures, and general system compromise.
Objective: Input Validation and Injection Prevention
- Check the validity of all information inputs against specified formats (syntax and semantics).
- Prevent untrusted data injections (including SQL, XSS, and AI prompt injection) by separating data from code (e.g., using prepared statements or parameterized queries) and using output encoding.
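The data-from-code separation and output-encoding points above, as an added Python example that is not part of the article: a string-built query beside its parameterized form, run against a constructed in-memory SQLite table (table, column and function names are illustrative).

```python
import html
import sqlite3


def build_db():
    # Constructed sample data so both query styles can be compared side by side.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def find_email_vulnerable(conn, name):
    # Data and code are mixed: the caller's string becomes part of the SQL
    # grammar, so a quote character in `name` changes what the query means.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_parameterized(conn, name):
    # Data stays data: the SQL text is fixed at development time and the
    # driver binds `name` as a literal value, whatever characters it contains.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    # Output encoding for the HTML context: metacharacters in untrusted data
    # are escaped so the browser displays them instead of interpreting them.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    crafted = "' OR '1'='1"     # constructed input carrying SQL metacharacters
    print(find_email_vulnerable(conn, crafted))      # every row comes back
    print(find_email_parameterized(conn, crafted))   # no such user: []
    print(render_greeting("<b>bob</b>"))             # tags shown, not rendered
```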
Objective: Flaw and Vulnerability Remediation
- Ensure the integrity of code and systems by implementing a verifiable flaw remediation process.
- Ensure timely patch management and regular application security assessments to address known vulnerabilities in third-party and custom components.
Objective: Non-Modifiable Executable Programs
- Ensure the integrity of executable programs by loading and executing critical components from hardware-enforced, read-only media where appropriate.
4. Design, Maintenance, and Monitoring Objectives
These goals aim to embed security throughout the development lifecycle (SDLC) and ensure ongoing system resilience, addressing Insecure Design and Security Logging and Monitoring Failures.
Objective: Security by Design
- Integrate threat modeling and architectural reviews from the initial design process to identify systemic weaknesses early.
- Design the architecture using a defense-in-depth approach, allocating controls strategically across multiple layers (e.g., API gateway, service, data).
Objective: Least Functionality and Secure Configuration
- Configure the system to provide only mission-essential capabilities, prohibiting or restricting the use of unnecessary functions, ports, protocols, software, and services.
- Avoid security misconfigurations (e.g., overly permissive CORS policies, default credentials) by implementing infrastructure as code with security templates and conducting regular security configuration audits.
Objective: Comprehensive Monitoring and Auditing
- Enable comprehensive logging for key security-relevant events, including authentication attempts, access to sensitive resources, and administrative actions.
- Implement automated tools and mechanisms (such as SIEM solutions) to support near real-time analysis of events and detect anomalous behavior or suspicious activity.
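An added example (not from the article) of the kind of near real-time analysis the monitoring objective calls for: a sliding-window detector for repeated authentication failures, run over constructed log lines; the JSON field names and the thresholds are assumptions.

```python
import json
from collections import defaultdict, deque

# Thresholds are assumed policy values for this example, not from the article.
FAILURE_THRESHOLD = 5      # failures per (source, account) inside the window
WINDOW_SECONDS = 300       # five-minute sliding window

# Constructed sample events in the shape a login service might emit. The field
# names (ts, event, user, src) are illustrative, not any product's real schema.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1700000000 + 10 * i, "event": "auth_failure",
                 "user": "alice", "src": "198.51.100.7"}) for i in range(6)]
    + [json.dumps({"ts": 1700000100, "event": "auth_success",
                   "user": "bob", "src": "192.0.2.4"}),
       # a lone failure long after the burst: outside the window, no alert
       json.dumps({"ts": 1700000900, "event": "auth_failure",
                   "user": "alice", "src": "198.51.100.7"})]
)


def detect_bruteforce(log_text):
    """Return one alert per (src, user) each time its failures inside a sliding
    WINDOW_SECONDS reach FAILURE_THRESHOLD; further failures in the same burst
    do not re-alert, and a successful login clears the counter."""
    windows = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue                       # tolerate blank lines in the feed
        ev = json.loads(line)
        key = (ev["src"], ev["user"])
        if ev.get("event") == "auth_success":
            windows.pop(key, None)         # legitimate login resets the count
            continue
        if ev.get("event") != "auth_failure":
            continue                       # other event types are out of scope
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW_SECONDS:
            q.popleft()                    # age out failures beyond the window
        if len(q) == FAILURE_THRESHOLD:    # fire exactly once per crossing
            alerts.append({"src": key[0], "user": key[1],
                           "failures": len(q), "last_ts": ev["ts"]})
    return alerts
```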
Objective: Continuous Validation and Testing
- Conduct security testing continuously within the development (CI/CD) pipelines (Shift-Left).
- Perform automated vulnerability analysis and regular penetration testing to validate controls against simulated adversary actions.
Objective: Incident Response Readiness
- Develop a clear and tested Incident Response Plan to ensure the organization can respond quickly and effectively to security breaches, minimizing damage and facilitating swift recovery.
Hopefully the example objectives above provide a good starting point for development teams to ensure security is systematically integrated throughout the entire process, rather than treated as just another box to tick.
The table below is another way to look at comprehensive security objectives for web application development, mapping them to the fundamental security principles and the associated NIST control family concepts:
| Security Domain | Security Objective (Goal) | Core Principle(s) | Supporting Control Concepts (NIST SP 800-53 Families) |
|---|---|---|---|
| I. Identity & Access | Strong Authentication & Credential Management: Implement strong, unique identification and authentication mechanisms to verify users and devices. | Authentication | Identification and Authentication (IA), Access Control (AC). |
| | Enforced Authorization & Least Privilege: Restrict user and system component access strictly to the minimum necessary functions required for the job. | Authorization, Confidentiality | Access Control (AC), Account Management (AC-2), Role-Based Access Control (AC-3(7)). |
| | Secure Session Management: Protect active user sessions from unauthorized takeover or abuse. | Confidentiality, Integrity | Access Control (AC). |
| II. Data Protection | Confidentiality of Data in Transit and at Rest: Ensure sensitive organizational and personally identifiable information (PII) is encrypted when stored and communicated across the network. | Confidentiality | Cryptographic Protection (SC-13), Protection of Information at Rest (SC-28), Transmission Confidentiality and Integrity (SC-8). |
| | Data Minimization: Limit the collection, use, and retention of PII to only what is directly relevant and necessary for authorized purposes. | Privacy, Confidentiality | Personally Identifiable Information Processing and Transparency (PT), Minimization (SA-8(33)). |
| III. System Integrity | Input Validation and Injection Prevention: Prevent the processing of malicious or malformed input that could lead to integrity failures or code injection attacks. | Integrity | Information Output Filtering (SI-15), System and Information Integrity (SI). |
| | Secure Baseline Configuration: Ensure the system runs with only essential functionality enabled and that system components (hardware, software, firmware) conform to approved, documented security settings. | Integrity, Availability | Configuration Management (CM), Least Functionality (CM-7), Baseline Configuration (CM-2). |
| | Timely Flaw and Vulnerability Remediation: Establish a process to promptly identify, report, and correct system flaws (patches, updates) and remediate legitimate vulnerabilities within defined timeframes. | Integrity | Flaw Remediation (SI-2), Vulnerability Monitoring and Scanning (RA-5). |
| IV. Resilience & Monitoring | High Availability and System Resilience: Design the system to operate under adverse conditions and ensure essential mission functions continue despite disruption, compromise, or failure. | Availability | Contingency Planning (CP), Predictable Failure Prevention (SI-13), Fail in Known State (SC-24). |
| | Comprehensive Audit and Accountability: Log and review security-relevant events across the system to maintain accountability and detect inappropriate activity. | Accountability, Non-repudiation | Audit and Accountability (AU), Event Logging (AU-2). |
| | Incident Response Readiness: Develop and test capabilities to effectively prepare for, detect, analyze, contain, eradicate, and recover from security incidents. | Availability | Incident Response (IR), Contingency Planning (CP). |
Enjoy.