Secure by design

From Wikipedia, the free encyclopedia

Secure by design (SbD) is a principle of cybersecurity and systems engineering that requires systems to be built with security as a foundational property rather than as an afterthought. It is concerned with embedding protections at the earliest design stages of hardware, software, and services, so that security requirements shape the architecture itself, rather than being retrofitted later through patching or external controls.

In practice, Secure by Design means assuming that systems will be attacked, and therefore constraining their architecture so that compromises are difficult, contained, and recoverable. It emphasizes approaches such as the principle of least privilege, minimization of attack surfaces, defence in depth, and the integration of detection and response mechanisms. SbD contrasts with reactive approaches that rely primarily on vulnerability management after deployment, instead treating security as a design constraint equal to performance, usability, and cost.

Secure by Design has become increasingly prominent in the 21st century as large-scale cyber incidents, including supply chain compromises and ransomware campaigns, have demonstrated the limitations of reactive security. Governments, industry, and standards bodies now increasingly mandate SbD practices in areas ranging from defense systems to consumer Internet of Things (IoT) devices. The concept has parallels with related paradigms such as privacy by design, safety by design, and the broader movement towards resilient systems engineering.

Origins and Development

The principle of Secure by Design has roots in security engineering practices dating back to the 1970s and 1980s, when early trusted computing standards such as the Orange Book (Trusted Computer System Evaluation Criteria, 1983) promoted mandatory access controls and least privilege.

Through the 1990s and 2000s, the rise of the internet, software vulnerabilities, and large-scale cybercrime shifted focus toward software assurance and secure coding. Microsoft’s Security Development Lifecycle (SDL), introduced in 2004, was among the first industry-scale frameworks mandating SbD-style practices in commercial software engineering.

Since the 2010s, SbD has been reinforced through:

  • National standards such as NIST SP 800-160 (Systems Security Engineering) and the NIST Cybersecurity Framework.
  • Government policies, including the UK’s Secure by Design Policy for digital services and the MoD’s 10 SbD principles.
  • International standards, including the ISO/IEC 27000 series and ETSI TS 103 645 (IoT security).

Core Concepts

Secure by Design is grounded in several foundational ideas:

  • Security as a design constraint – security requirements must be captured during conceptual design and enforced throughout the lifecycle.
  • Expect attacks – systems are assumed to operate in hostile environments where adversaries are active.
  • Least privilege – users, processes, and services are granted only the permissions strictly necessary.
  • Defence in depth – layered security controls reduce the likelihood of complete compromise.
  • Minimise attack surface – only essential functions, interfaces, and services are exposed.
  • Continuous assurance – security controls must be tested, monitored, and improved continuously.
  • Avoid reliance on secrecy – security should not depend on proprietary obscurity but on robust, transparent design.

These principles overlap with and complement related paradigms such as Zero Trust Architecture (ZTA), privacy by design, and safety by design.

Methodologies

Secure by Design is not a single methodology but a design philosophy that can be embedded within different development lifecycles, including Agile, Waterfall, and DevSecOps. Well-known frameworks and methodologies include:

  • Microsoft Security Development Lifecycle (SDL) – integrates security into every stage of product development.
  • NIST SP 800-160 Volume 2 – applies systems security engineering to resilient system design.
  • SEI Secure Design Patterns (Carnegie Mellon University, 2009) – reusable tactics for common security challenges.
  • MoD Secure by Design Implementation Guide – tailored practices for the UK defense sector.

Government and Industry Adoption

Secure by Design has been mandated or recommended across multiple domains:

  • United States: NIST promotes SbD through SP 800-160 and SP 800-53 (security controls). The Cybersecurity and Infrastructure Security Agency (CISA) has also published Secure by Design principles for software manufacturers.
  • United Kingdom: Government Digital Service (GDS) and the Ministry of Defence require SbD in digital services, mandating risk-driven design, continuous assurance, and minimization of attack surfaces.
  • European Union: The Cyber Resilience Act emphasizes security throughout product lifecycles, aligning with SbD principles.
  • Consumer IoT: ETSI TS 103 645 establishes security baselines, adopted in UK and EU IoT regulations.

Criticism and Challenges

While widely endorsed, Secure by Design faces challenges in practice:

  • Cost and complexity – early investment in security design can increase upfront costs.
  • Legacy systems – applying SbD to older architectures is often impractical.
  • Supply chain reliance – third-party software and components may undermine SbD practices.
  • Human factors – poorly designed controls may cause users to bypass them, reducing effectiveness.

Despite these challenges, SbD is increasingly seen as essential in countering advanced persistent threats (APTs), ransomware, and supply chain attacks.
