Mastering this one principle can bulletproof your software. Zero Trust principle.

Zero Trust flips the traditional security model on its head — it assumes nothing and no one is trustworthy by default, not even users or systems inside your network.

To help you truly grasp how powerful this mindset is, let me begin with a quick story

In the Greek mythology of the Trojan war- The Greeks and Trojans fought for ten long years, locked in a relentless battle, with neither side gaining an upperhand.

Then, one day, the Greeks had a genius (and sneaky) idea:
They built a massive wooden horse. But they concealed their fiercest warriors inside it .

The Greek army then pretended to sail away, leaving the wooden horse as a “gift” behind to the trojans

Thinking they had won, the Trojans brought the horse into their city.
But, as the night fell, the hidden Greek warriors got out , they opened the gates for their returning army, and Troy was burnt to ground.

So, what's this old-school myth got to do with software development?

Well, here's the deal: never trust anything at face value. That even the most harmless looking things- —like APIs, libraries, data, or third-party packages- can have nasty surprises hidden inside..

So, here is one useful takeaway for all modern devs- that is not to trust anything by default .

There is a beautiful term for this: “Zero Trust Architecture”

Junior dev Robin asked senior dev Batman, on how much trust should he put on other APIs, libraries, data, or third-party packages. Here is what happened

While it has become a marketing jargon and often used to shove unnecessary products into the throat of the IT team- but, there is definitely value in this concept.

I have personally benefitted a lot using zero trust principle , when designing and building Secure Software Systems.

Let me share 6 quick example of using Zero trust principle that I personally try to keep in mind, for building secure software:

1. 🔒Authenticate Every API Call

If your application calls an API , authenticate & verify it is the correct API, and that it has authority to do whatever it’s trying to do. Use oauth2 , JWT, mTLS etc .
Limit API tokens to specific scopes (e.g. a token for "read" should not allow "write").

2. ⚖️Principle of Least Privilege in Applications

Design your app to run with only the permissions it actually needs.
For example, your microservice that builds report only needs to read from database, it shouldn’t be allowed to write or drop tables in database.
A calculator mobile app should not be granted camera access of your phone.

3. 🔄Continuous Authorization & Re-verification

If a user logs in and remains active for X minutes, force re-authentication for critical actions like:

-Changing account settings

-Making financial transactions

-Accessing sensitive admin panels

If a user is attempting to access an area of your application that requires special permissions, reverify they have the permission to every single page or feature they use.

If a user has authenticated to your application , ensure you continue to validate it’s the same user that you are dealing with as they move from page to page.

4. 🛑Validate Input Everywhere, Even From ‘Trusted’ Sources

If your application accepts data, from any source, perform validation on the data.
Even, if it is data from your database- sanitize and validate before using it.
And don’t just do this validation once and then give a free-pass.

5. 🚧 Network: Allow By Exemption & Segment

everything In networks - block all devices, ips, ports by default and only allow by exemption/whitelisting . The exemption list if written on a paper, should be something like this

Separate critical components (e.g., build servers, artifact repositories, production environment etc) into distinct network segments. Enforce access controls at every segment boundary to prevent lateral moves.

6. 🔐Encrypt Everything, Everywhere

Always, encrypt data at transit . If the data is sensitive, then tokenize or encrypt data at rest too- so that it doesn’t leak.

…
So, you will see a meta pattern emerging here.

Never Trust by Default. Always Verify Continuously. Enforce Least Privilege

In other words, assume everything (users, applications, devices, data, network) could be compromised.
So you continuously:

1️⃣ Never Trust by Default —users, devices, services etc. —must authenticate and prove it’s legitimacy

2️⃣Re-verify authenticity and authorization at every step

3️⃣ Enforce Least Privilege Everywhere- Grant only the minimum access needed, and no more.

If you liked this newsletter issue on Zero Trust principle for software development, please consider sharing my following linkedin post on the same topic.
I created my first ever linkedin Carousel for this. So, would really appreciate a share