OWASP have a new Security Principles document available.
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design. For example, security design happens with perhaps a handful of principles: - least priviledge - perimiter security - defense in depth As a result, we regularly see designs without separation of privilege.
The principles and aphorisms cover reduction of surface area/attack vectors, reluctance to trust and a large collection of aphorisms (including Design for Failure, Orthogonal Security Mechanisms, Semantically consistent defence in depth and Use the Correct Algorithm And Correct Key Size).
The project is welcoming collaborators at GitHub.