Skip main navigation


This step covers the OWASP security by design principles
Woman on ipad taking notes

The Open Web Application Security Project (OWASP) online community, works to improve the security of software by producing freely available articles, methodologies, documentation, tools, and technologies on web application security.

OWASP supports the fundamental idea of Security by Design being the building of security into products at the onset of the design process instead of adding security later through updates or third-party products. OWASP does this by promoting 10 Security by Design principles that should be embedded into the web application design process.

OWASP security design principles

Patchstack, in their article ‘Security by Design According to OWASP’, provide a succinct overview of the 10 important OWASP security principles:

1. Minimise attack surface area

Every new feature of an application increases vulnerabilities and thereby enhances the attack surface for threats to materialise. Therefore, developers must think of potential security implications of having that extra feature and find ways to minimise its overall effect on the system.

Example: Users are prevented from clicking on links in an email to prevent them from accessing spoof websites.

2. Establish secure defaults

A higher level of security should be applied by default for new users of the online product or service.

Example: Stronger passwords, multi-factor authentication and complex passwords applied at the onset of application use.

3. The principle of least privilege

The Principle of Least Privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task.

Example: A user account for the sole purpose of creating backups does not need to install software.

4. The principle of defence in depth

Defence in Depth (DiD) is an approach to cyber security in which multiple security controls are applied by implementing a series of layered defensive mechanisms to protect information. The expectation is that there should be one mechanism securing the information if another fails to thwart an attack.

Example: If you expect a firewall to protect you, build the system as though the firewall has been compromised.

5. Fail securely

Handling application errors securely is a key aspect of secure coding. Here, the application/system functions in a manner to prevent loss of secure state (i.e. without introducing new security vulnerabilities for attackers to exploit) when a failure occurs or is detected in the system.

6. Don’t trust services

The inclination of software developers to bring additional functionality to a system using a module developed by a third-party or to obtain additional data (i.e. when training a machine learning algorithm) must always come with a mistrust of services by default.

7. Separation of duties

This principle emphasises that no user should be given enough privileges to misuse the system on their own.

Example: The person authorising a pay cheque should not also be the one who prepares the pay cheques.

8. Avoid security by obscurity

When this principle is applied the systems do not openly disclose some information. Only those who know where to search will find it. An ordinary example of security by obscurity is using non-indexed links to share data on the Internet.

9. Keep security simple

Implementing complex security mechanisms at times increases the risk of errors or increases the attack surface. Try to keep it simple!

10. Fix security issues correctly

A simple example relating to this principle is the application of security guidelines earmarked for an older version of a software. If security issues occur, they need to be fixed correctly and comprehensively.

Read: Application of OWASP principles

Read the following article which includes examples of the application of OWASP principles: Kaksonen, R 2021, Security design with principles, Medium, 2 March 2021.

© RMIT 2023
This article is from the free online

Security by Design

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now