Secure by design

Overview [1]#

Secure by design is an information security approach to design in which the system is designed from the ground up to be secure.

Malicious attacks are taken for granted, and care is taken in the design to minimize the impact when a vulnerability is exploited or invalid user input is encountered.

Secure by design generally implies that every component runs with the least privilege it needs.

For example, a web server that runs as the administrative user (root or admin) has the privilege to remove files and users that do not belong to it, so a flaw in that program could put the entire system at risk. A web server that instead runs inside an isolated environment, with only the privileges required for its network and filesystem functions, cannot compromise the system it runs on unless the isolation around it is itself also flawed.
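The least-privilege web server described above, as an added example that is not part of the original page: a minimal Python file server that binds its port while still root, then drops to an unprivileged service user, and refuses any request path that resolves outside its document root. DOC_ROOT, SERVICE_USER and the port are assumed values chosen for this illustration.

```python
import os
import pwd
import socket
from typing import Optional

# Constructed example of a file server designed around least privilege; DOC_ROOT,
# SERVICE_USER and the port are assumptions, not values from any real deployment.
DOC_ROOT = "/srv/www"
SERVICE_USER = "www-data"

def resolve_within_root(doc_root: str, requested: str) -> Optional[str]:
    """Map a client-supplied path onto doc_root; None if it would escape.
    "../", absolute paths and symlinks pointing outside the root are rejected
    rather than trusted, so a bug elsewhere cannot become an arbitrary file read."""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def drop_privileges(user: str) -> None:
    """Give up root once the privileged setup (binding port 80) is done."""
    if os.geteuid() != 0:
        return  # already unprivileged: nothing to drop
    pw = pwd.getpwnam(user)
    os.setgroups([])      # shed root's supplementary groups
    os.setgid(pw.pw_gid)  # gid before uid: after setuid() we could not change it
    os.setuid(pw.pw_uid)
    if os.geteuid() == 0 or os.getegid() == 0:
        raise RuntimeError("privilege drop failed; refusing to serve as root")

def main(port: int = 80) -> None:
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("0.0.0.0", port))  # the only step that needs root
    listener.listen()
    drop_privileges(SERVICE_USER)     # from here on a request-handling flaw runs as www-data
    while True:
        conn, _ = listener.accept()
        with conn:
            first_line = conn.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            parts = first_line.split(" ")
            target = resolve_within_root(DOC_ROOT, parts[1]) if len(parts) > 1 else None
            if target is None or not os.path.isfile(target):
                conn.sendall(b"HTTP/1.0 404 Not Found\r\n\r\n")
                continue
            with open(target, "rb") as f:
                conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n" + f.read())

if __name__ == "__main__":
    main()
```

Run as root only long enough to bind the port; the containment check is independent of privileges and is the part worth unit-testing.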

Department for Digital, Culture, Media and Sport [2]#

The United Kingdom's Department for Digital, Culture, Media and Sport publishes a Code of Practice to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.

The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia. The Code was first published in draft in March 2018 as part of the Secure by design report.

