Secure by Design
Principle · Chapter 11
Build systems that are secure by following proven, well-known security principles and practices — rather than patching security in afterward.
Principles & Practices
Section titled “Principles & Practices”- Minimize the attack surface — the attack surface is every point an attacker can use to get in. Reduce it via controls and secure practices; weigh it when choosing between designs that meet the same functional requirement.
- Defense in depth — no control is perfect, so layer multiple independent techniques. If one fails, another may still stop the threat.
- Principle of least privilege (PoLP) — grant users and components only the privileges strictly necessary. Complex components shouldn’t hold many privileges; split them if needed. It takes effort to find the true minimum, but precision minimizes the attack surface.
- Avoid security by obscurity — hiding internal details is a weak control; use it only alongside stronger controls, never as the primary defense.
- Keep designs simple — complexity is the enemy of security: harder to reason about threats, more room for implementation/config mistakes, larger attack surface. Favor simple, elegant designs (see minimizing complexity).
- Secure by default — ship maximally secure out of the box; reducing security should require a deliberate user change (e.g. 2FA on by default).
- Default deny — access is denied unless explicitly granted (allowlist), not granted unless explicitly denied. Complements secure-by-default.
- Validate input — distrust and validate all input from untrusted sources: UI, CLI args, environment variables, third-party data (whose policies may differ from yours).
- Secure the weakest link — a system is only as secure as its weakest component; attackers target it, so harden it.
- Security must be usable — controls that are too intrusive get circumvented. Be as secure as needed, not more; make mechanisms understandable and minimize the effort/clicks users must expend. Relates to Usability.
- Fail securely — on failure, keep the system and data in a secure state; use proper exception handling and default to denying access.
Related
Section titled “Related”- Directly counters the threat categories from Threat modeling.
- Least privilege and default deny reappear as mitigations in common web security risks.
Citations
Section titled “Citations”- Software Architect’s Handbook (Packt, 2018), Ch.11 “Secure by design”, pp. 856-867.