1. train your developers
2. don't overdo it
3. secure what's important _to users_, even if that means "don't do some tests"
4. your frameworks and plugins are likely to be bogus, fix them
SOLID
SRP: Single Responsibility (never more than one reason for a class to change)
OCP: Open/Closed (open for extension, closed for modification)
LSP: Liskov Substitution (a derived class can stand in for its base without the caller knowing)
ISP: Interface Segregation (don't depend on interfaces you don't need)
DIP: Dependency Inversion (depend on abstractions, not on concrete classes)
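The SOLID points above, as an added example of my own (not code from the talk these notes cover): a small password-verification design where each principle is marked in a comment. The class names, the hashing parameters and the sample users are assumptions made up for the illustration.

```python
"""Added example (not from the original notes): the five SOLID principles
applied to a password-verification design. All class names and the sample
credentials are assumptions made up for this illustration."""
import hashlib
import hmac
import os
from abc import ABC, abstractmethod
from typing import Dict, List, Optional, Tuple


# --- Interface Segregation: a login flow only needs to *read* credentials,
#     so it must not be forced to depend on a write-capable store. ---
class CredentialReader(ABC):
    @abstractmethod
    def get_record(self, username: str) -> Optional[dict]: ...


class CredentialWriter(ABC):
    @abstractmethod
    def put_record(self, username: str, record: dict) -> None: ...


# --- Single Responsibility: a hasher only derives and compares digests. ---
class PasswordHasher(ABC):
    """Liskov Substitution: every subclass must honour this contract so that
    callers can use any hasher without knowing which one they hold."""
    name: str

    @abstractmethod
    def hash(self, password: str, salt: bytes) -> bytes: ...

    def verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        # Constant-time comparison is part of the contract, not per-subclass.
        return hmac.compare_digest(self.hash(password, salt), expected)


class Pbkdf2Hasher(PasswordHasher):
    name = "pbkdf2"

    def hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# --- Open/Closed: adding scrypt is a new class, no edit to LoginService. ---
class ScryptHasher(PasswordHasher):
    name = "scrypt"

    def hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class MemoryStore(CredentialReader, CredentialWriter):
    """Single Responsibility: only persistence, no hashing and no policy."""
    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def get_record(self, username: str) -> Optional[dict]:
        return self._rows.get(username)

    def put_record(self, username: str, record: dict) -> None:
        self._rows[username] = record


# --- Dependency Inversion: the service depends on the abstractions above,
#     never on Pbkdf2Hasher or MemoryStore directly. ---
class LoginService:
    def __init__(self, reader: CredentialReader, hashers: List[PasswordHasher]) -> None:
        self._reader = reader
        self._hashers = {h.name: h for h in hashers}

    def login(self, username: str, password: str) -> bool:
        rec = self._reader.get_record(username)
        if rec is None:
            return False   # unknown user: same answer as a bad password
        hasher = self._hashers.get(rec["alg"])
        if hasher is None:
            return False   # record uses an algorithm we no longer accept
        return hasher.verify(password, rec["salt"], rec["digest"])


def register(writer: CredentialWriter, hasher: PasswordHasher,
             username: str, password: str) -> None:
    salt = os.urandom(16)
    writer.put_record(username, {"alg": hasher.name, "salt": salt,
                                 "digest": hasher.hash(password, salt)})


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: one user stored with pbkdf2, one with scrypt."""
    store = MemoryStore()
    register(store, Pbkdf2Hasher(), "alice", "correct horse")
    register(store, ScryptHasher(), "bob", "battery staple")
    svc = LoginService(store, [Pbkdf2Hasher(), ScryptHasher()])
    return (svc.login("alice", "correct horse"),
            svc.login("bob", "battery staple"),
            svc.login("alice", "wrong"))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The point of the split interfaces is that `LoginService` can be handed a read-only view of the store, so a bug in the login path cannot turn into a credential write; swapping or retiring a hash algorithm touches only the hasher classes and the list passed in at construction.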