The concept of Secure by Design, which means designing software with security built in before it leaves the drawing board, is fundamentally changing how software is developed.   

Software has often been designed with what’s known as “bolt-on security,” added after products are developed. But that means security is not inherent within the solution. The seam where the core product meets a bolt-on is a natural point of attack.

That’s why a software provider’s commitment to Secure by Design principles has become so important – and why Ivanti was the first signatory to the Secure by Design Pledge of the U.S. Cybersecurity & Infrastructure Security Agency (CISA). 

Providers who sign the pledge promise to follow principles set forth by CISA. These stress weaving security measures into the very core of a solution, from its initial conception to final deployment. This makes the solution inherently resistant to attacks out of the box, rather than having to patch vulnerabilities after customer adoption – when it’s often too late to stem damage. 



A fundamental security design principle 

The shadow that’s dogged the advance of digital technologies at nearly every turn is how cyber attacks have evolved to inventively exploit them. Today, they threaten to metastasize across hybridized networks, blackmail or disrupt enterprises, diminish customer confidence and deliver body blows to business bottom lines. But in the eyes of CISA, they’re also a very tangible threat to national security. 

By emphasizing a new, fundamental security design principle – that security should be designed into software from its earliest planning stages – Secure by Design will translate into more robust defenses against modern attackers who may be driven by profit or politics, or both.  
 
From Ivanti’s perspective as a pledge signatory, it’s important to take every step necessary to be aligned with Secure by Design principles. Providers must ask themselves questions like: Are we using a programming language that’s designed from a Secure Software Development Framework (SSDF) perspective to be memory-safe? Do we perform regular threat modeling to identify possible vulnerabilities? Are we using third-party libraries or components? What’s their security posture?  

Answering these questions demands a focus on security during the entire Software Development Lifecycle (SDLC), which involves: 

  • Embedding Secure by Design principles across the whole process rather than waiting until code is written, so security is a focus throughout planning and design. This means thinking about potential threats and designing defenses into the software. 
  • Catching vulnerabilities early by incorporating comprehensive security testing throughout development. This avoids the cost and complexity of catching them later in the SDLC or after release.

This represents moving beyond a “shift left” approach. In applying Secure by Design principles, developers now run static application security testing (SAST) and dynamic application security testing (DAST) against the code base and conduct unit and integration testing throughout the SDLC, rather than delaying testing or threat modeling to the end. As part of this, they become accustomed to using testing tools almost daily.



Beyond secure software 

Putting Secure by Design principles into practice is about more than writing and testing secure code. It's about taking a holistic approach to cybersecurity where a robust defense is built upon a secure organization. This involves measures like: 

  • Identifying weak points: It's crucial to understand where vulnerabilities exist within the organization, not just in software code. This means analyzing and optimizing multiple aspects of cybersecurity, ranging from employee training programs to security software patching and the company’s overall security posture. 
  • Protection and monitoring: Organizations need solid cybersecurity tools in place to actively – even proactively – manage risks. Those include monitoring systems for detecting suspicious activity and safeguards like firewalls to reject cyberattacks in the first place. 
  • Incident response: A crystal-clear plan for responding to cyber attacks is indispensable. It should outline how to detect an attack, assess its impact and take steps to recover and improve security measures. 

There’s a further aspect of implementing a secure software system based on Secure by Design principles: When people talk about Secure by Design, they’re often really referring to the “security by default” approach. These are complementary concepts. While Secure by Design means security considerations have been embedded in the product across its entire development lifecycle, security by default means the final product is secure out of the box, without the user having to go through extensive configuration. It’s already set up to deliver measures like secure logging or software authorization profiles, and it prioritizes forward-looking security over backward compatibility.  



Customers benefit from Secure by Design  

When a software provider delivers solutions and platforms that follow Secure by Design principles, the benefits that matter most are the ones the customer experiences: 

  • Improved protection: When security features are built into software from the start, it's stronger and less vulnerable – and so is the network it’s running on. 
  • Enhanced DEX: Greater focus on security and testing during development can result in a more optimized product that’s more stable and disruption-proof, improving employee experience.  
  • Better ROI: A more secure product can minimize downtime and patching so users stay productive. 
  • Streamlined compliance: Adhering to stringent data privacy and security mandates can be easier with Secure by Design software, cutting the time and resources needed to pass compliance checks and preventing penalties. 
  • Enhanced reputation: Companies that make security a top consideration are seen as more trustworthy, which can enhance customer confidence and loyalty.