universal security Commons: 3/5

Secure by Design

Also known as:

1. Overview

Secure by Design is a foundational approach to cybersecurity that embeds security measures into every layer of system architecture from the very beginning of the development lifecycle. Rather than treating security as an afterthought or a feature to be added on, this pattern integrates it as a core requirement, on par with functionality and performance. The problem it solves is the prevalence of vulnerabilities that arise from insecure design, which are often difficult and costly to fix after a product has been deployed. By shifting security to the left—addressing it in the earliest stages of design and development—organizations can significantly reduce their attack surface and build more resilient and trustworthy systems. The historical context of Secure by Design can be traced back to early principles of secure engineering, but it has gained significant traction in recent years due to the increasing frequency and sophistication of cyberattacks, including supply chain breaches and ransomware campaigns. These events have highlighted the inadequacy of reactive security models that rely on patching and perimeter defenses alone.

For organizations, adopting a Secure by Design approach is crucial for protecting sensitive data, maintaining customer trust, and ensuring business continuity. It moves the responsibility for security from the end-user to the technology provider, which is a more effective and equitable model. In the context of a commons, where resources are shared and collaboratively managed, Secure by Design is essential for building a secure and resilient digital infrastructure. It ensures that the technologies underpinning the commons are not a source of systemic risk. By making security a collective responsibility from the outset, commons-based communities can foster a culture of security and create a more robust and sustainable ecosystem for all participants.

2. Core Principles

  1. Least Privilege: Grant users, processes, and services only the minimum permissions necessary to perform their functions. This principle limits the potential damage from a compromised component, as an attacker will have restricted access to the rest of the system.
  2. Defense in Depth: Implement multiple layers of security controls, so that if one layer is breached, others are in place to thwart an attack. This approach avoids single points of failure and creates a more resilient security posture.
  3. Minimize Attack Surface: Reduce the number of entry points available to attackers by disabling unnecessary features, closing unused ports, and limiting the exposure of APIs and other interfaces. A smaller attack surface means fewer opportunities for exploitation.
  4. Fail Securely: Design systems to fail in a secure state. For example, if a system component encounters an error, it should default to a state that denies access or preserves the security of the system, rather than failing in an open or insecure state.
  5. Separation of Duties: Divide critical functions among multiple individuals or processes to prevent any single entity from having excessive control. This principle helps to prevent fraud and unauthorized actions.
  6. Don’t Trust, Verify (Zero Trust): Assume that all users, devices, and networks are untrusted, and verify every request for access. This approach, often referred to as a Zero Trust Architecture, requires continuous authentication and authorization.

3. Key Practices

  1. Threat Modeling: Proactively identify and analyze potential threats and vulnerabilities during the design phase. This practice helps to prioritize security requirements and inform the design of appropriate security controls.
  2. Secure Coding Standards: Establish and enforce secure coding guidelines to prevent common programming errors that can lead to security vulnerabilities, such as buffer overflows and injection attacks.
  3. Automated Security Testing: Integrate automated security testing tools into the development pipeline to identify vulnerabilities early and often. This includes static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST).
  4. Third-Party Component Analysis: Vet all third-party libraries and components for known vulnerabilities before incorporating them into the system. This is crucial for mitigating supply chain risks.
  5. Immutable Infrastructure: Treat infrastructure components as immutable, meaning they are never modified after deployment. If a change is needed, the component is replaced with a new one, which helps to prevent configuration drift and unauthorized changes.
  6. Continuous Monitoring and Logging: Implement comprehensive logging and monitoring to detect and respond to security incidents in real-time. This includes logging all security-relevant events and using security information and event management (SIEM) systems to analyze the data.
  7. Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration tests to identify and remediate vulnerabilities in production systems. This provides an independent assessment of the system’s security posture.

4. Implementation

Implementing Secure by Design is a cultural and process-oriented shift that requires commitment from all levels of an organization. A step-by-step approach begins with establishing a security-first mindset, where security is a shared responsibility, not just the domain of a specialized team. This involves providing security training to all developers, architects, and product managers. The next step is to integrate security activities into every phase of the software development lifecycle (SDLC). This includes conducting threat modeling during the design phase, using secure coding practices during development, performing automated security testing during the build and test phases, and implementing continuous monitoring in production. Key considerations include the need for strong governance, clear security policies and standards, and the allocation of sufficient resources for security.

Several tools and frameworks can support the implementation of Secure by Design. The Microsoft Security Development Lifecycle (SDL) and the NIST Cybersecurity Framework provide comprehensive guidance on integrating security into the development process. Threat modeling tools like OWASP Threat Dragon can help to identify and prioritize threats. Static and dynamic application security testing (SAST/DAST) tools can be integrated into the CI/CD pipeline to automate vulnerability detection. Success in implementing Secure by Design can be measured by a reduction in the number of vulnerabilities found in production, a decrease in the time to remediate vulnerabilities, and an overall improvement in the organization’s security posture. Ultimately, the goal is to make security an intrinsic part of the development process, rather than a bolt-on at the end.

5. 7 Pillars Assessment

Pillar Score (1-5) Rationale
Purpose 5 Secure by Design directly supports the purpose of building resilient and trustworthy systems. It ensures that the core mission of the organization is not undermined by security vulnerabilities.
Governance 4 Effective implementation of Secure by Design requires strong governance, including clear security policies, standards, and roles and responsibilities. However, it can be challenging to implement consistently across large organizations.
Culture 4 A successful Secure by Design strategy relies on a culture of security where everyone is responsible for security. This requires a significant cultural shift in many organizations.
Incentives 3 Incentives for developers are often focused on speed and features, not security. To make Secure by Design effective, organizations need to create incentives that reward secure development practices.
Knowledge 4 Developers and architects need to be trained in secure design principles and practices. While there is a growing body of knowledge on this topic, there is still a skills gap in the industry.
Technology 5 There is a wide range of technologies available to support Secure by Design, from threat modeling tools to automated security testing platforms. These tools can help to automate and scale security efforts.
Resilience 5 Secure by Design is a key enabler of resilience. By building security in from the start, organizations can create systems that are better able to withstand and recover from attacks.
Overall 4.3 Secure by Design is a powerful pattern for building secure and resilient systems, but it requires a holistic approach that addresses not just technology, but also governance, culture, and incentives.

6. When to Use

  • When developing new systems or applications, especially those that will handle sensitive data or perform critical functions.
  • When re-architecting existing systems to improve their security posture.
  • In regulated industries, such as finance and healthcare, where there are strict security and compliance requirements.
  • For any system that is exposed to the internet and therefore at high risk of attack.
  • When building a platform or ecosystem that will be used by multiple parties, as it helps to establish a baseline of security for all participants.
  • In the development of Internet of Things (IoT) devices, where security vulnerabilities can have real-world physical consequences.

7. Anti-Patterns & Gotchas

  • Security as a Gatekeeper: Treating the security team as a gatekeeper that developers must get past, rather than as a partner in the development process.
  • Over-reliance on Tools: Believing that simply buying and implementing security tools is enough to achieve Secure by Design, without addressing the underlying cultural and process issues.
  • Ignoring the Human Factor: Designing security controls that are difficult to use, leading users to bypass them.
  • Incomplete Threat Modeling: Conducting a superficial threat modeling exercise that fails to identify all relevant threats.
  • Security as a Final Step: Attempting to bolt on security at the end of the development lifecycle, which is the antithesis of Secure by Design.
  • Neglecting Legacy Systems: Focusing all security efforts on new systems while ignoring the security risks posed by legacy systems.

8. References

  1. Secure by Design - CISA
  2. Secure by design - Wikipedia
  3. Microsoft Security Development Lifecycle
  4. NIST Cybersecurity Framework
  5. OWASP Threat Dragon