Security by design or secure by design is an approach to product development that considers cybersecurity at the onset. It does away with the “let’s cross the bridge when we get there” outlook on cybersecurity and makes software or hardware more secure. It is similar to designing a house and ensuring that it is earthquake-resistant and hurricane- or typhoon-proof.
Security by design ensures that security controls are built into a product’s design, rather than as an afterthought. Such an approach reduces the likelihood of cybersecurity breaches and has become common in product development.
Other interesting terms…
Read More about “Security by Design”
Security by design applies to any software or hardware. The approach incorporates commonly used cybersecurity strategies and techniques into the architectural design process. These tactics ensure the implementation of necessary security protocols or procedures should the system fall under attack. At the very least, these protocols include:
- Authorization and accountability: Only authorized users can access certain parts of the system, making accountability clearer.
- Authentication: Users, regardless of privileges, undergo the necessary authentication process.
- Data confidentiality and availability: Data remains secure, private, and accessible only to authorized users when needed.
- System integrity: Data and the system as a whole cannot be tampered with by unauthorized users.
Including these protocols and more within the architectural design means they would still be implemented even when products undergo several modifications.
4 Principles of Security by Design
The principles that guide the security by design approach could differ from one organization to another. But the Open Web Application Security Project (OWASP) listed some principles that programmers should adhere to. With these in mind, they can design secure products. Below are four security by design principles.
Principle of Attack Surface Reduction
An attack surface is the sum of all vulnerabilities present in software, applications, devices, or any other products that can serve as entry points for cyber attackers. As such, every time a new feature or functionality is added to a product, the attack surface becomes wider. In security by design, the principle of reducing the attack surface means limiting user access to specific product functions and features to minimize risks.
Principle of Least Privilege
The least privilege principle ensures that users only have the minimum power necessary to complete a particular task. Suppose a virtual assistant has an editor role in a blogging platform. In that case, he or she should not be able to perform administrative tasks, such as adding and removing users and activating plugins.
Principle of Secure Defaults
Developing a product following the security by design approach means the product should have default security measures in place, regardless of user preference. These measures include password character requirements, how often users are prompted to change passwords, and the data required during the user registration process.
Principle of Defense in Depth
Defense in depth (DiD) is a military principle that aims to delay enemies by putting as many obstacles in their way as possible. That translates to incorporating more than one way to make a product secure from a cybersecurity standpoint. For example, online funds transfer through a bank’s mobile app would require the user to log in with a username and password. Also, users are required to enter a one-time pin (OTP) sent to the user’s registered email address or phone number. In the process, an IP address check and brute-force detection are also implemented.
After knowing the answer to “What is security by design?” it is essential to note that the approach does not make a product cyber attack-proof. Still, following the basic principles and security protocols help reduce the chances that attacks will succeed. Like an earthquake-resistant and hurricane-proof house design, destruction remains likely if an earthquake or a hurricane is strong enough. Without security by design, though, products could also be vulnerable to more attacks. In a house’s case, threat actors could include tornadoes or fires.