Security by Design or Default?

Author: Alaina Lawson, Senior Cyber Security Consultant
Date Published: 11 December 2024

Security is no longer an afterthought but has become a fundamental component of any ICT process. Establishing secure infrastructure, applications, devices and processes requires integrated security, most notably through Secure-by-Design (SB-Design) and Secure-by-Default (SB-Default). While these principles may seem similar, they approach security from different angles.

This blog post explores the differences between SB-Design and SB-Default and how these concepts complement one another, and highlights the benefits of leveraging both approaches. To help understand the topics, let’s look at these concepts from a non-technical perspective. 

SB-Design 

Imagine you’re building a car. An SB-Design approach means incorporating the safety features from conception and throughout the build process. Engineers consider crumple zones, airbag placement, and material strength to ensure the vehicle’s safety.

SB-Design in the technology world is much the same. It is a proactive security approach that integrates security considerations throughout the entire development lifecycle. Some examples include:

Threat modeling to guide your security controls: identifying what cyber threats your concept faces and designing your controls to align to those threats.
Applying secure coding principles such as refraining from hardcoding sensitive information directly into source code. 
Implementing and enforcing development processes to ensure that changes and code repository updates undergo a formal approval and review process.
Considering Common Vulnerabilities and Exposures (CVEs) in the planning and development stages to mitigate known risks upon release. 

Adopting this approach ensures that security isn’t just bolted on at the end of a build but rather is baked in as a core component, embedded throughout the development process.

SB-Default 

Now, imagine your gleaming new car is parked in the driveway. SB-Default is having your car doors automatically lock and the alarm system armed without the need to press a button each time. It’s all set up for you by default. In the technology space, this translates to having: 

Pre-configured security settings: Software and IT devices should have security settings enabled by default. For instance, router manufacturers should configure WPA3 encryption as the default setting rather than WPA2. 
Least privilege access: User accounts should have minimal access permissions by default.
Automatic updates: Back to our router: if it didn’t update automatically, would you think to check and update it regularly?

SB-Default makes security the default choice, making it harder to be insecure. Users don’t need to be security experts to be protected – the system comes pre-configured securely to take care of it for them.
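An added illustration of the three defaults listed above (not code from the original post): a loader for a hypothetical router configuration in which omitted settings keep the secure value and any weaker value must be explicitly acknowledged. The setting names, the `WEAKER` table and the `load_config` helper are assumptions made for this example.

```python
from dataclasses import dataclass

# Hypothetical router settings: names and values are assumptions for illustration.
@dataclass(frozen=True)
class RouterConfig:
    wifi_security: str = "WPA3"      # strongest mode ships as the default
    account_role: str = "read-only"  # least privilege by default
    auto_update: bool = True         # updates happen without user action

# Values that are valid but weaker than the shipped default, per setting.
WEAKER = {
    "wifi_security": {"WPA2"},
    "account_role": {"admin"},
    "auto_update": {False},
}

def load_config(user_settings, acknowledge_risk=()):
    """Merge partial user settings over the secure defaults.

    Omitted keys keep their secure default. A weaker value is rejected unless
    its key is listed in acknowledge_risk. Returns (config, deviations), where
    deviations names every setting that was knowingly weakened.
    """
    defaults = RouterConfig()
    deviations = []
    for key, value in user_settings.items():
        if key not in WEAKER:
            raise ValueError(f"unknown setting: {key}")
        if value == getattr(defaults, key):
            continue  # same as the secure default
        if value not in WEAKER[key]:
            raise ValueError(f"unsupported value for {key}: {value!r}")
        if key not in acknowledge_risk:
            raise ValueError(f"{key}={value!r} weakens the default; acknowledge it explicitly")
        deviations.append(key)
    return RouterConfig(**user_settings), sorted(deviations)

if __name__ == "__main__":
    print(load_config({}))
    print(load_config({"wifi_security": "WPA2"}, acknowledge_risk=("wifi_security",)))
```

The returned list of deviations gives an administrator a record of every setting that no longer matches the secure default.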

To summarize, SB-Default is a component of SB-Design. As defined by the ACSC:

SB-Design

Security is designed into every stage of a product or service’s development. 

SB-Default

Whereby products and services are configured for maximum security by default. 

How Can Adopting These Approaches Benefit You? 

While the principles of SB-Design and SB-Default are frequently discussed in the context of software development, their applicability extends across ICT and business. This includes product manufacturing, security-conscious process development and system architecture. Implementing SB-Design and SB-Default principles is crucial for businesses as they can: 

Reduce risk: Software, products and processes developed with a security-conscious approach inherently reduce the likelihood and consequences of cyber risks.
Increase assurance: By ensuring that security is a fundamental part of the design and implementation process, organizations can provide greater assurance to stakeholders, customers and regulators that their systems are robust and secure.
Compliance: Adhering to SB-Design and SB-Default principles assures that entities are meeting regulatory and compliance requirements. 
Simplified security management: SB-Design and SB-Default principles necessitate the standardization of security processes, which drives consistency and simplifies security management and maintenance. 
Ease of implementation: Integrating security considerations early in the design phase makes security easier to implement. Pre-planning for security reduces the complexity and costs of adding security measures later in the development lifecycle.

Design and Default are Not Mutually Exclusive

SB-Design and SB-Default are complementary, not mutually exclusive. An SB-Design approach creates a foundation for SB-Default configurations. Imagine a strong, well-designed bank vault (SB-Design) equipped with a high-security lock (SB-Default). Both elements work together to create a formidable defense. 

By integrating both principles, organizations can achieve more secure, resilient and reliable outcomes across their applications, systems, processes and solutions. Successful implementation in an organization requires not only the adoption of these concepts but also their operationalization in clear processes and procedures.
