Security Principles
You must always follow the security principles listed below.
Apply Defense in Depth
Layered security controls increase the security of the system as a whole by providing complete mediation. If one security control fails, the other controls should still protect their areas. The common example is that you should not rely solely on a firewall to protect an internal application, because an attacker could circumvent the firewall. This is a design principle that should guide the evaluation of controls by reducing the probability of a single point of failure.
Use a Positive Security Model
A positive security model explicitly defines what is allowed and rejects everything else. This should be used instead of a negative security model that defines only what is disallowed, because the negative model allows everything else, including new or unknown attacks. If you use a negative model when protecting your application, you will never know if you have addressed everything.
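The two models side by side, as an added example that is not part of the original page: a deny-list filter that names forbidden upload extensions, and an allow-list validator that names the accepted shape and extensions. The file names and extension sets are constructed for illustration.

```python
import re

# Negative model: enumerate what is forbidden. Anything not listed slips through,
# including extensions nobody thought of when the list was written.
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com"}


def deny_list_check(filename: str) -> bool:
    """Return True if the name is accepted under the negative model."""
    lowered = filename.lower()
    return not any(lowered.endswith(ext) for ext in DENIED_EXTENSIONS)


# Positive model: enumerate what is allowed and reject everything else.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}
# Base name of 1-64 letters/digits/underscore/hyphen, exactly one dot, short extension.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def allow_list_check(filename: str) -> bool:
    """Return True only if the name matches the allowed shape and extension."""
    m = ALLOWED_NAME.match(filename)
    if m is None:
        return False
    return "." + m.group(1).lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {name: (deny_list_result, allow_list_result)} for side-by-side review."""
    return {f: (deny_list_check(f), allow_list_check(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names, including ones the deny-list was never told about.
    samples = ["report.pdf", "photo.JPG", "installer.exe",
               "script.ps1", "../secret.pdf", "notes.pdf.html"]
    for name, (deny, allow) in compare(samples).items():
        print(f"{name:16} deny-list={'accept' if deny else 'reject':7} "
              f"allow-list={'accept' if allow else 'reject'}")
```

The deny-list accepts `script.ps1`, `../secret.pdf` and `notes.pdf.html` simply because none of them ends in a listed extension; the allow-list rejects all three without having to know why they are bad.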
Fail Securely
Failures should not have a negative impact on security. Failures can occur within or outside of the security controls. If something within the control fails, it should fail in a secure way that does not allow the control to be bypassed. Failures outside the controls should also fail securely so that they do not affect the controls. For example, if there is a problem checking if a user has permission to view data, it should fail in a way that does not allow the user to view the data.
Run with the Least Privilege
Users should have the least amount of privilege required to perform their business processes. The business processes themselves should also require the least amount of privilege necessary to perform the processes. If this is not followed, the user may be able to perform operations that they should not be authorized to perform.
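An authorization check that illustrates both the Fail Securely and Run with the Least Privilege principles above, added here as an example and not taken from the original page. The role table, the `PermissionStore` stand-in and its simulated outage are all constructed; a real permission backend would replace `PermissionStore`.

```python
import logging

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz")


class PermissionStoreUnavailable(Exception):
    """Raised when the permission backend cannot answer (constructed failure mode)."""


# Least privilege: each role carries only the permissions its business process needs.
# No role holds "record:delete", so nobody can delete until a role is deliberately granted it.
ROLE_PERMISSIONS = {
    "viewer": {"record:read"},
    "clerk": {"record:read", "record:create"},
    "auditor": {"record:read", "audit:read"},
}


class PermissionStore:
    """Stand-in for a permission backend; healthy=False simulates an outage."""

    def __init__(self, user_roles, healthy=True):
        self.user_roles = user_roles
        self.healthy = healthy

    def permissions_for(self, user):
        if not self.healthy:
            raise PermissionStoreUnavailable("backend timeout")
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def fail_open_check(store, user, permission):
    """Anti-pattern: a failure inside the control is treated as 'allowed'."""
    try:
        return permission in store.permissions_for(user)
    except PermissionStoreUnavailable:
        log.warning("permission store down; allowing %s for %s", permission, user)
        return True


def fail_closed_check(store, user, permission):
    """Fail securely: any failure inside the control denies access and is logged."""
    try:
        return permission in store.permissions_for(user)
    except PermissionStoreUnavailable as exc:
        log.error("permission store down (%s); denying %s for %s", exc, permission, user)
        return False


def perform(store, user, permission, action):
    """Run `action` only if the user holds the one permission it needs."""
    if not fail_closed_check(store, user, permission):
        return "denied"
    return action()


if __name__ == "__main__":
    users = {"alice": ["viewer"], "bob": ["clerk"]}
    healthy = PermissionStore(users)
    print(perform(healthy, "alice", "record:read", lambda: "read ok"))      # read ok
    print(perform(healthy, "alice", "record:create", lambda: "create ok"))  # denied
    print(perform(healthy, "bob", "record:delete", lambda: "delete ok"))    # denied
    down = PermissionStore(users, healthy=False)
    print(fail_open_check(down, "mallory", "record:delete"))    # True: the bug
    print(fail_closed_check(down, "mallory", "record:delete"))  # False: fail closed
```

The contrast is in the `except` branches: `fail_open_check` turns an outage of the control into universal access, while `fail_closed_check` turns it into a denial plus a log entry that operations can act on.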
Avoid Security by Obscurity
Security by obscurity relies on secrecy or complexity of the system to keep it secure. This is a weak security control that almost always fails. The security controls should be based on well-known principles and best practices.
Keep Security Simple
Security controls should be simple. If a control is complex, it can be hard to implement, test, maintain, and evaluate its effectiveness.
Detect Intrusions
Potential attacks should be detected, logged, and responded to. If you do not detect intrusions, the attacker has unlimited time to perfect an attack. If you can detect intrusions, you can respond before the attacker launches further attacks. The logs also provide forensic evidence if your system is ever attacked.
Do Not Trust External Systems
External systems should not be trusted implicitly because they are likely to have different security policies and postures. They should be evaluated from a security standpoint before they are considered trusted.
Establish Secure Defaults
Out of the box, your application should be secure. It should be left up to the customers to reduce the security as desired.
Minimize Attack Surface Area
The attack surface is measured by the number of entry points into the system. Every entry point is associated with a certain level of risk. By reducing the attack surface, the overall risk is reduced as well.