Secure by Design: A Primer

11 Oct 2023

Secure by Design is one of the most popular development methodologies used today because it ensures that data privacy and cybersecurity are integrated into every step of the development lifecycle.

Secure by Design is a software and hardware development methodology that has gained a large, dedicated following in the past two decades. Security-conscious developers have embraced the approach because it integrates cybersecurity considerations into every phase of the development process, reducing the number of security vulnerabilities and attack vectors substantially.

The Secure by Design movement originated with the Open Worldwide Application Security Project (OWASP), which was launched in December 2001 with the goal of “enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.”

This nonprofit foundation served as a loose network for security-conscious developers searching for resources and best practices to ensure secure software development. Over the course of the past two decades, OWASP and government regulators have transformed the general idea of application security into the formalized principles and technical regulations collectively referred to as Secure by Design.

Secure by Design has rapidly become the dominant cybersecurity approach to software development. Developers can follow OWASP guidelines on Secure by Design, in addition to relevant national guidelines, to ensure that products adequately protect data privacy and incorporate the latest security practices.

Understanding Secure by Design

Secure by Design is a software development approach that integrates cybersecurity protections and data privacy considerations into every stage of the Software Development Lifecycle (SDLC). This includes the integration of security considerations into:

  • Requirement Analysis
  • Planning
  • Architectural Design
  • Software Development
  • Testing
  • Deployment

Crucially, organizations that follow Secure by Design principles look at cybersecurity and data privacy protections as a core business goal, rather than an afterthought. The best practitioners launch software development projects with cybersecurity as the number one priority, and they figure out how to protect consumer data before launching development or writing a single line of code.

The cybersecurity-first strategy is what differentiates Secure by Design from other approaches: it ensures that the development team cannot build insecure software without intentionally ignoring data privacy at each stage of the SDLC.

This approach has been embraced not only by the private sector and software engineering communities, which use it to identify vulnerabilities and reduce the number of threats. Governments across the world have also mandated that federal agencies, contractors, and even private companies adopt it to prevent data breaches and build technology that safeguards data and generates consumer trust.

International Guidance on Secure by Design

In April 2023, cybersecurity agencies across the Western world released consolidated international guidance on Secure by Design and Secure by Default, providing engineers with a strong roadmap to create technology with data privacy and cybersecurity built-in as a core feature.

Titled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, this document is perhaps the most important resource for organizations intent on building Secure-by-Design principles into their development process.

This comprehensive guidance on Secure by Design was produced in collaboration with the following authorities:

  • Cybersecurity and Infrastructure Security Agency (CISA) – United States
  • National Security Agency – United States
  • Federal Bureau of Investigation – United States
  • National Cyber Security Centre – United Kingdom
  • Cyber Security Centre – Australia
  • Centre for Cyber Security – Canada
  • Federal Office for Information Security – Germany
  • National Cyber Security Centre – Netherlands
  • CERT NZ – New Zealand
  • National Cyber Security Centre – New Zealand

In the document, the world’s leading cybersecurity agencies make a strong case for integrating Secure by Design principles into every technology product, including those produced by the private sector.

A Rising Number of Cyber Threats

These agencies argue that the rising number of cyber-attacks in critical sectors, such as government facilities, financial services, enterprises, telecommunications, and real estate, is putting people’s lives at risk and necessitates widespread adoption of the Secure-by-Design approach to combat this threat. The authors wrote:

To create a future where technology and associated products are safer for customers, the authoring agencies urge manufacturers to revamp their design and development programs to permit only Secure-by-Design and -Default products to be shipped to customers. Products that are Secure-by-Design are those where security of the customers is a core business goal, not just a technical feature. Secure-by-Design products start with that goal before development starts.

Cybersecurity and Infrastructure Security Agency

By performing risk assessments before launching the development process, organizations can build more secure software and hardware that can withstand many common forms of cyber-attack. This may save organizations money and reduce time spent patching vulnerabilities. It will also spare firms from the reputational damage associated with a successful cyber-attack and help organizations avoid regulatory sanctions.

European Union

Organizations located within the European Union will soon be required to follow similar guidance, as defined in the proposed EU Cyber Resilience Act, which will require manufacturers to build cybersecurity protections into new hardware and software.

The regional organization argues that the rising number of successful cyber-attacks, combined with the high cost associated with these attacks, requires a firm regulatory response. The EU states that technology products are especially susceptible to cyber-attack because of:

  1. a low level of cybersecurity, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them, and
  2. an insufficient understanding and access to information by users, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.

Cyber Resilience Act

Because of this precarious situation, the EU has proposed a series of cybersecurity rules mandating Secure by Design principles be integrated into all technology product development by using a “coherent cybersecurity framework, facilitating compliance for hardware and software producers.”

The goal is to ensure that fewer products are shipped to market with security vulnerabilities and to “enhance the transparency of security properties of products with digital elements,” empowering consumers to take control of their own information security.

United States

Executive agencies, government contractors, and critical infrastructure firms located in the US must also integrate Secure by Design methodologies into new products.

The National Institute of Standards and Technology (NIST) mandates that those organizations follow approved Secure by Design principles, detailed in SP 800-160 Volume 1 Revision 1: Engineering Trustworthy Secure Systems. This document “describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems.”

It is important to note that NIST does not grandfather in legacy systems built before the Secure by Design mandates, nor does it distinguish products by size or scope. Organizations are expected to integrate Secure by Design principles into new products and into updates of legacy software alike.

NIST has said, “Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of the system’s purpose, type, scope, size, complexity, or stage of its system life cycle.”

The White House Leads the Charge

Federal guidance is not important only for regulated organizations. Leaders at the White House, CISA, and NIST have urged private-sector companies to embrace Secure by Design principles and to focus on building products with strong data privacy controls tightly integrated into their software and hardware.

The White House made this position clear in the March 2023 National Cybersecurity Strategy, where it stated, “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted provenance.”

In addition, the White House said that many software developers are shielding themselves from liability by leveraging their market position and favorable contracts.

Despite current incentives to avoid liability for poor cybersecurity, the National Cybersecurity Strategy argues “We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.” The strategy continues, “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers.”

Cybersecurity is an Organizational Concern

Jen Easterly, Director of CISA, has echoed this sentiment and spoken about the problems associated with insecure private-sector products in detail, particularly in her February 2023 article Stop Passing the Buck on Cybersecurity. She wrote, “Widespread use of unsafe technologies is compounded by a common practice in many organizations and companies of relegating cybersecurity to the ‘IT people’ or to a chief information security officer [CISO].”

She went on to say that CISOs and IT specialists “are given this responsibility, but not the resources, influence, or accountability to ensure that security is appropriately prioritized…”

To fully embrace Secure-by-Design as a guiding principle, organizations must integrate the ideology into every aspect of the development process and imbue leaders and subject matter experts alike with the authority and resources to overcome profit-based objections that may compromise security.

In Summary

The emergence of the Secure by Design movement was a landmark event in the world of software development.

Prior to the campaign to make security a core product feature, most manufacturing companies considered cybersecurity an afterthought, using an approach many cybersecurity agencies refer to as “Vulnerable by Design.” This led to a cycle, repeated ad nauseam, of suffering cyber-attacks, identifying vulnerabilities, and delivering patches to consumers long after the damage was done.

By integrating the Secure by Design approach in the planning, development, deployment, and maintenance stages of the production process, organizations break this cycle and reduce the number of successful cyber-attacks. This type of proactive approach also saves organizations time and money, in addition to helping firms avoid embarrassing data breaches that harm public trust and reduce revenue.