How the Secure by Design methodology is making the web safer

Have you ever heard of Secure by Design? You've certainly noticed that the world is undergoing a transition regarding cybersecurity and personal data protection: ordinary people are increasingly aware of their right to privacy on the web; the digital transformation, accelerated by the new coronavirus (SARS-CoV2) crisis, is encouraging companies to modernize their operations; governments around the world are enacting legislation to enforce the ethical use of sensitive public information, and so on.

In the midst of this broad discussion and the “digitalization” of society, Secure by Design has become increasingly important and a crucial practice for any project or enterprise. We are not talking about a solution or architecture, but rather a software development methodology that preaches the value of security in its innermost core. The idea is that data protection is regarded as an absolute priority in any application creation process: from the initial stages of its design to the final stages of the first stable build.

Before we go any further, it's worth remembering that, historically speaking, software and systems were almost never developed with cybersecurity in mind. Over the last two decades, the act of coding or even creating a website has become a reasonably simple endeavor. Developers have gotten “used to” having other priorities, such as user interface/experience, design, and, above all, agility in delivering code. Therefore, security is left aside, and any bugs or vulnerabilities are fixed later.

Privacy in the early days

However, we know that today's reality is completely different. This development format has become dangerous since cybercriminals are now able to quickly identify the so-called zero days (vulnerabilities that even the manufacturer doesn't know about) and exploit them to create gateways for malware. In addition, there is another historical problem: the irreparable resistance of end-users to install software updates; in other words, those who still insist on using older versions of operating systems who, out of sheer laziness of going through the process of installing new version, end up exposing themselves unnecessarily to threats and risks.

With the migration of systems to the cloud, the arrival of 5G, and the popularization of the Internet of Things (IoT) market, there will be, over the next ten years, an increasing amount of code being written daily. Wouldn't it be much better for everyone if these applications, systems, and firmware were designed from the beginning considering the security of those who will be using them?

It was based on this mentality that the practice of Secure by Design emerged, which aims to bring the area of development even closer to the field of information security. With security as a priority, new applications are now created in the best possible way to minimize the attack surface, reduce the collection of personal data as much as possible (minimization principle), and reach the market with a lesser need for security patches. There are currently some Security by Design frameworks (i.e. “ready templates”) that can be used to guide developers, but nothing that may be considered a universal rule.

Article translated from: Como a metodologia Security by Design está tornando a web mais segura — Perallis Security