Strategy concepts and best practices
Describe concepts like defence in depth, whitelisting, risk management, assurance etc.
Whitelisting versus blacklisting
Always define what you will accept, not what you will reject. A blacklist (deny list) can never be exhaustive: it only covers the bad inputs its author thought of, every new encoding or attack technique requires an update, and a single omission is a bypass. A whitelist (allow list) specifies exactly what is acceptable and rejects everything else by default, so an unforeseen input fails closed instead of slipping through. This strategy can be found in input validation (accept only the characters and format the field's grammar allows), web server hardening (enable only the modules, methods and file types the application needs) etc.
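The following is an added example, not code from the original page, contrasting the two strategies on input validation. The username policy (lowercase letters, digits and underscore, 3 to 32 characters, starting with a letter), the denied-substring list and the sample inputs are all assumptions constructed for the illustration; the denied list is deliberately typical of what a hurried developer writes, to show how inputs it never anticipated pass straight through.

```python
import re

# Constructed sample inputs (not from the original page): values a signup
# form might receive, mixing legitimate usernames with hostile ones.
SAMPLE_INPUTS = [
    "alice",                      # legitimate
    "bob_99",                     # legitimate
    "<script>alert(1)</script>",  # on the deny list, caught by both
    "admin'--",                   # on the deny list, caught by both
    "ALICE",                      # not in the allowed grammar (uppercase)
    "bob%00",                     # null-byte encoding the deny list never considered
    "../etc/passwd",              # path traversal the deny list never considered
    "",                           # empty: deny list has nothing to object to
    "a" * 65,                     # over-long: deny list has nothing to object to
]

# Blacklist (deny list) approach, hypothetical: reject inputs containing
# known-bad substrings. Anything not on this list is accepted by default.
DENIED_SUBSTRINGS = ["<script", "'", ";", "--"]


def blacklist_validate(value: str) -> bool:
    """Return True when no denied substring is present (case-insensitive).

    This fails open: an input the list's author did not foresee passes.
    """
    lowered = value.lower()
    return not any(bad in lowered for bad in DENIED_SUBSTRINGS)


# Whitelist (allow list) approach: accept only values that match an explicit
# grammar. Assumed policy: 3-32 characters, lowercase letters, digits and
# underscore, first character a letter. fullmatch() anchors both ends; a
# pattern ending in "$" with re.match() would still accept a trailing newline.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def whitelist_validate(value: str) -> bool:
    """Return True only when the whole value matches the allowed grammar.

    This fails closed: anything outside the grammar is rejected.
    """
    return USERNAME_RE.fullmatch(value) is not None


def compare(inputs=SAMPLE_INPUTS) -> dict:
    """Map each input to (blacklist_result, whitelist_result)."""
    return {v: (blacklist_validate(v), whitelist_validate(v)) for v in inputs}


def blacklist_bypasses(inputs=SAMPLE_INPUTS) -> list:
    """Inputs the deny list accepts but the allow list rejects: the gap
    between the two strategies on this sample."""
    return [v for v in inputs if blacklist_validate(v) and not whitelist_validate(v)]


if __name__ == "__main__":
    for value, (bl, wl) in compare().items():
        print(f"{value!r:30} blacklist={bl!s:5} whitelist={wl}")
    print("accepted by blacklist, rejected by whitelist:", blacklist_bypasses())
```

The deny list stops the two payloads it was written for and nothing else: the null byte, the traversal sequence, the empty string and the over-long value all pass, and closing each hole means another list entry. The allow list needs no such maintenance; an input the author never imagined is rejected simply because it is not in the grammar.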