>> One of the simplest and most fundamental rules of effective security is to close everything down by default and only open things up as required, after careful consideration.
Which is why my Rails authorization library takes a whitelisting approach.
https://github.com/nathanl/authority#default_methods