Secure by Design

Core principles

Secure by Design rests on three core tenets:

  • Build organisational structure to support security – security is resourced, incentivised, and measured as a business priority, not treated as an afterthought or a compliance checkbox
  • Take ownership of security outcomes – the technology vendor or development team accepts responsibility for the security of their product, rather than transferring risk to the end user through configuration guides and workarounds
  • Embrace radical transparency – vulnerabilities, patching timelines, and security architecture decisions are communicated openly, enabling informed risk decisions by customers

Secure by Design in practice

Implementing Secure by Design involves embedding security at each stage of the development lifecycle:

  • Requirements – security requirements are defined alongside functional requirements, informed by threat modelling and risk assessment
  • Architecture – system design follows security patterns such as least privilege, defence in depth, and secure defaults
  • Development – secure coding practices, automated security testing (SAST, DAST), and peer review are standard workflow steps
  • Deployment – systems ship with secure default configurations, not insecure defaults that rely on administrators to harden
  • Maintenance – ongoing vulnerability management, patching, and monitoring are planned from the outset, not improvised

NCSC guidance

The NCSC’s Secure by Design guidance provides specific recommendations for UK organisations and technology vendors. Key elements include designing products so they are secure out of the box without requiring customer configuration, providing clear, honest security documentation, and supporting products with timely security updates throughout their lifecycle.

For organisations procuring technology, the NCSC recommends evaluating vendors on their commitment to Secure by Design principles, including their vulnerability disclosure practices, default security posture, and track record of security updates.

Cyberfort and Secure by Design

Cyberfort Secure by Design services enable organisations to implement the foundations required for embedding cyber security practices in information systems and digital delivery, building resilient digital services.

We work with organisations to make sure cyber security and resilience are built into systems from the beginning, so security is aligned to the organisation’s objectives and integrated with systems as the design evolves. Our approach to Secure by Design moves the focus away from simply achieving compliance and eases the pressures on delivery and design teams. It empowers teams across an organisation to identify and manage security risks early in the lifecycle and offers the opportunity for innovation throughout a product or service lifecycle.

Related glossary terms

  • Zero trust – an architectural approach aligned with Secure by Design principles
  • SOC 2 – an assurance framework that evaluates security controls in service organisations

Frequently asked questions

What is the difference between Secure by Design and Secure by Default?

Secure by Design means security is considered throughout the entire development process. Secure by Default means the product ships with the most secure configuration enabled out of the box, without requiring the customer to manually harden settings. They are complementary – a Secure by Design product should also be Secure by Default.

Is Secure by Design a standard or a principle?

Secure by Design is a principle, not a certifiable standard. There is no formal accreditation for “Secure by Design compliance.” However, it is referenced in procurement frameworks, regulatory guidance, and industry standards as an expected approach to technology development.
