
An overview of Security by Design principles

In this step, we introduce the key Security by Design principles.

In this era of instant connectivity, our world is increasingly saturated with a wide range of software products and services, and technology devices that are run and managed through firmware.

These products must be reliable, user-friendly, functional and secure. The benefits that online products and services bring to their users are seriously undermined if those products and services are not secure.

To be useful, online products, services and systems very often need to provide access to and store a wide range of data, including personal and sensitive data. Unfortunately, because of this they are often prime targets for cyber attack. If these products, services and systems are compromised, the consequences can be damaging, expensive, and embarrassing for both organisations and users alike.

Applications can be made much more secure by following specific Security by Design principles. These principles build security into the systems and software at the foundation level, which makes the resulting application easier to manage and maintain. A number of established groupings of principles are discussed in this topic; while their approaches to secure design vary, the objective remains the same: effective application security.

The five Security by Design approaches/principles that will be introduced this week are:

[Diagram: the Security by Design approaches covered this week: the CIA Triad, OWASP principles, NCSC cyber security design principles, Users, Usage and Usability (U3), and Secure-by-Design Foundations]

Let’s look at each of these in a little more detail.

The Confidentiality, Integrity, Availability (CIA) triad: The CIA triad is considered the founding principle of information security. It also provides invaluable guidance when designing, developing, and maintaining cyber security. At the core of the CIA triad are confidentiality – preventing unauthorised access to information; integrity – preventing unauthorised changes to the information; and availability – ensuring that those with the right credentials can access the information when they need it. The CIA triad guides information security policies, facilitating information security governance, management, and operational processes.
NCSC cyber security design principles: The National Cyber Security Centre (NCSC) provides cyber security support and guidance to the most critical organisations in the UK, the wider public sector, industry, SMEs, and the public. The NCSC cyber security design principles were drafted based on the experience of architectural review and incident handling across UK Government and Critical National Infrastructure (CNI) systems. Today, cyber security institutions and organisations in other countries commonly adapt these principles to suit their specific needs. The NCSC principles are aimed at people who design information systems, such as security architects and designers, and are most useful in the design and build phases of an online product or service development project. However, the principles can also be used to review existing systems and determine their security design foundations.
OWASP Security by Design principles: The Open Worldwide Application Security Project (OWASP) sees a clear difference between insecure design (which creates design flaws) and insecure implementation (which creates implementation defects) in applications. They argue that a perfect implementation cannot fix an insecure design. Hence, the OWASP Security by Design principles are designed to facilitate defence in depth using a layered approach to security. The objective of the OWASP principles is to eliminate or mitigate the chance of a single point of complete compromise by incorporating a series of security safeguards and risk mitigation countermeasures.
Users, Usage and Usability (U3): In their article, User, Usage and Usability: Redefining Human Centric Cyber Security, Grobler, Gaire and Nepal (2021) explore the advances made in developing and designing the human-centric cyber security domain. The article proposes a holistic approach to human-centric security design and implementation, using the three U’s as three essential components for cyber security consideration. This concept contrasts with the OWASP principles, which focus mainly on the secure design of applications.
Secure-by-Design Foundations: The Secure-by-Design Foundations, developed by the Australian Signals Directorate’s Australian Cyber Security Centre, are an approach designed to assist both technology manufacturers and consumers across industry and government to adopt Secure-by-Design. The Foundations provide guidance on how best to approach Secure-by-Design, identify key focus areas for uplifting security, and explain how each Foundation mitigates key risks.

These five approaches to Security by Design tackle designing security in applications from different perspectives. The following steps in this week of the course provide you with information about the focus of each approach.

© RMIT 2023
This article is from the free online course Security by Design, created on FutureLearn.
