Security by design and why there is no alternative

What is security by design?

Security by design is a cyber security method that allows an organisation to automate data security controls. Security by design focuses on preventing and preparing for cyber security breaches rather than resolving the problem and recovering systems after an intrusion has occurred. In software engineering, security by design indicates that software products and capabilities have been built to be safe and are using proven security patterns.

Often known as secure by default, it indicates that companies consider cyber security from the outset of a project. Secure by design indicates that software engineers have designed the software to be secure from the start, reducing the possibility of defects that could compromise a company’s information security.

Following Rob van der Veer -Principal Expert, Security & Privacy and AI, security by design is becoming a standard development technique for ensuring the security and privacy of software systems. Security is assessed and built into the system at every level, which starts with a robust architecture design.

The security-by-design approach and IoT.

While the security by design approach to system design is not new, the cloud has made it easier for developers to implement security-by-design. Major public cloud providers recognized the lack of security best practices a long time ago in their early days – when they used to be just IaaS providers, the idea was called “Shared Responsibility Model” and it didn’t work.

Today it still doesn’t, but some change is finally visible in the form of a new wave of security-oriented services, serverless platforms rapidly improving documentation, and some budgets being spent on basic security awareness among clients. But the norm is still based on the assumption that the client is supposed to educate himself.

In the rapidly growing Internet of Things (IoT) ecosystem, where virtually every conceivable device, object, or entity can be assigned a unique identity (UID) and be networked to be addressed over the Internet, security by design is rapidly becoming a critical case. One of the major problems with some or maybe most of the IoT devices is that security has not been properly considered when designing those products for networked devices and especially objects that are not typically networked.

As bills from lawyers exceed tolerable numbers, companies fell victims not only to cyber crime but, first of all, to their own ignorance in the area of data security and rules of survival in the XXI century. As IoT grows and more connected devices increase in the industrial Internet of Things, companies need to strengthen security by taking a forward approach to cyber security, such as security by design.

IoT requires security by design.

At the annual Consumer Electronics Show in Las Vegas, Federal Trade Commission chairwoman Edith Ramirez praised the potential of the so-called Internet of Things, which included instant health monitoring devices connected to networks or household appliances. At the same time, she warned that such devices could interfere with consumer privacy if manufacturers and service providers did not include appropriate safeguards. So, do we have anything to fear? “There is no doubt that the Internet of Things (IoT) has the potential to transform our daily lives,” – Ramirez says:

It has the potential to provide huge benefits for consumers, but it also has significant privacy and security implications.

Ramirez sensitized conference attendees that adopting a ‘security by design approach to creating internet-connected devices is fundamental and should be the focus of every company.

Small devices are kind of a problem. You have limited computing capabilities. Some of it is going to be very disposable and lightweight, which is going to be difficult to maintain and make a business case and do security updates for.

– says Joseph Lorenzo-Hall, CTO at the Center for Democracy and Technology, a Washington-based digital rights group.

Ways to address security issues

At every stage of development, an application is vulnerable to attacks. Therefore, organisations need to take appropriate precautions to protect themselves and their clients. That can be achieved in various ways while maintaining the online customer experience.

Security professionals should be introduced as early into the design process as possible and, together with Designers, Developers and Customers – can work together to address security issues before they arise. The first step is good collaboration and understanding of basic security patterns. A trustworthy SecDevOps team is critical in any case that involves systems connected over the Internet.