Secure by Design

A principle for building security into the design and manufacture of products, so that they deliver greater overall security and higher-quality outcomes for end customers.
What is secure by design?

This is an initiative brought forward by the Cybersecurity & Infrastructure Security Agency (CISA) to ‘build cybersecurity into the design and manufacture of technology products.’ Secure by Design is a software development approach in which security is integrated into every stage of the development lifecycle - by default and as standard - rather than being added as an afterthought. With threats coming from criminal hackers, activists, and specialist groups, the cybersecurity challenges will only grow and evolve. The aim is to create products that are more secure, more trusted, and safe for consumers to use every day, by pushing the responsibility for security back onto the software manufacturers in the first place.

This approach helps organizations build resilient systems for their end users that comply with security standards, reducing the cost and difficulty of addressing vulnerabilities after deployment. CISA describes it as follows: ‘Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature.’

What is CISA’s Secure by Design Pledge?

CISA describes the pledge as ‘a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS)’. The pledge itself has seven goals, each asking signatories to implement additional security measures within a year of signing. For example: ‘Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.’ The full seven categories are:

1. Multi-factor authentication (MFA)
2. Default passwords
3. Reducing entire classes of vulnerability
4. Security patches
5. Vulnerability disclosure policy
6. CVEs
7. Evidence of intrusions  

More can be read about the CISA Secure by Design Pledge on CISA’s website. IriusRisk has signed this pledge, which has over 200 signatories (as of December 2024), because we provide software products to end users in the United States of America as well as in other regions across the globe. We recently avoided a specific vulnerability in our application through our design and implementation processes. More can be read about this in our article here.

The benefits of implementing Secure by Design principles and practices

As CISA puts it, ‘during the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing them to the market for widespread use or consumption.’

Some benefits of implementing Secure by Design activities include:

  • Reduced vulnerabilities within products - overall greater product security
  • Demonstrates putting customer needs first - results in increased trust
  • Cost savings - due to a reduced number and complexity of breaches
  • Futureproof development - embedded and robust processes allow product longevity
  • Proactive mitigation - techniques like threat modeling identify threats ahead of time

How threat modeling helps

Threat modeling is just one of the techniques recommended for Secure by Design practices, but it is one of the most effective thanks to its proactive and strategic nature. Threat modeling is a repeatable way of assessing the security of your architecture, quantifying the likelihood and level of each risk, and concluding with actionable countermeasures that mitigate those risks.

Although threat modeling can be done at any stage of the Software Development Lifecycle (SDLC), it provides the most benefit when done in the Build phase, while designs are still being formed. At that point weaknesses, specific vulnerabilities, and other categorized threats can be identified, prioritized and mitigated before any code is written, saving time, effort and resources later in the lifecycle and putting Secure by Design principles into practice.
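The paragraph above describes threat modeling as assessing an architecture, quantifying risk, and producing countermeasures. The following is an added example, not code from this article or from the IriusRisk product, of what that looks like in its simplest mechanical form: an architecture is described as components in trust zones plus the data flows between them, each flow is checked against a small STRIDE-style rule set, every matched threat is scored as likelihood × impact, and the results are sorted so the highest-risk item is mitigated first. The component names, rule weights and countermeasure texts are illustrative assumptions, and the sample architecture is constructed for the example.

```python
# Added example: a minimal threat-modeling pass over a constructed architecture.
# Not the article's or IriusRisk's own code; rules, weights and names are assumptions.
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    trust_zone: str                              # e.g. "internet", "dmz", "internal"
    controls: set = field(default_factory=set)   # security controls already in place


@dataclass
class Flow:
    source: Component
    dest: Component
    protocol: str                                # e.g. "https", "http", "sql"
    carries_credentials: bool = False
    carries_pii: bool = False


@dataclass
class Threat:
    flow: str
    category: str                                # STRIDE category
    likelihood: int                              # 1 (rare) .. 5 (expected)
    impact: int                                  # 1 (minor) .. 5 (severe)
    countermeasure: str

    @property
    def risk(self) -> int:
        # Simple quantification: likelihood x impact, range 1..25.
        return self.likelihood * self.impact


# Rule table (assumed for the example): predicate over a flow, STRIDE category,
# likelihood, impact, and the countermeasure that closes the gap.
RULES = [
    (lambda f: f.protocol == "http" and f.source.trust_zone != f.dest.trust_zone,
     "Information disclosure", 4, 4,
     "Terminate TLS at the boundary and redirect HTTP to HTTPS"),
    (lambda f: f.carries_credentials and "mfa" not in f.dest.controls,
     "Spoofing", 4, 5,
     "Require multi-factor authentication on the receiving service"),
    (lambda f: f.protocol == "sql" and "parameterized_queries" not in f.dest.controls,
     "Tampering", 3, 5,
     "Use parameterized queries / prepared statements for all database access"),
    (lambda f: f.carries_pii and "audit_logging" not in f.dest.controls,
     "Repudiation", 2, 3,
     "Enable tamper-evident audit logging for access to personal data"),
    (lambda f: f.source.trust_zone == "internet" and "rate_limiting" not in f.dest.controls,
     "Denial of service", 3, 3,
     "Apply rate limiting and request size limits at the edge"),
]


def model_threats(flows):
    """Return every threat raised by the rule set, highest risk first."""
    threats = []
    for f in flows:
        label = f"{f.source.name} -> {f.dest.name} ({f.protocol})"
        for predicate, category, likelihood, impact, countermeasure in RULES:
            if predicate(f):
                threats.append(Threat(label, category, likelihood, impact, countermeasure))
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def build_sample_model():
    """Constructed sample architecture: browser -> web app -> database."""
    browser = Component("Browser", "internet")
    web = Component("Web app", "dmz", {"rate_limiting"})
    db = Component("Database", "internal", {"audit_logging"})
    return [
        Flow(browser, web, "https", carries_credentials=True),
        Flow(web, db, "sql", carries_pii=True),
    ]


if __name__ == "__main__":
    for t in model_threats(build_sample_model()):
        print(f"[risk {t.risk:2d}] {t.category:<22} {t.flow}")
        print(f"           -> {t.countermeasure}")
```

Run against the sample model, the pass reports two threats: a Spoofing risk (score 20) on the login flow because the web app has no MFA control, and a Tampering risk (score 15) on the database flow because queries are not yet declared parameterized. Adding the matching control to a component's `controls` set makes the corresponding threat disappear, which is exactly the design-time feedback loop the Build-phase argument above relies on: the countermeasure is chosen and recorded before the component is implemented.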

If businesses really want to demonstrate their commitment to developing secure, good-quality products for their customers while meeting their security and compliance needs, then implementing Secure by Design principles is the tangible way to achieve it. It provides a foundation to build upon for heightened security and increased customer trust.