Defining principles is a great way of getting to the core of a subject. Here are ten of our favourites for “Secure by Design”.
They’re all things you can discuss and implement early in a secure software development lifecycle to help ensure that security is built into the very foundation of your product.
–
01 – Reduce the attack surface area
Fewer openings means fewer risks, so start by minimising entry points for threats. Separate things logically where possible to keep potential vulnerabilities isolated and controlled.
02 – Apply defence in depth
Don’t rely on a single line of defence. Layer multiple safeguards—for example, just because you have a Captcha on your login form doesn’t mean you can’t also use login attempt monitoring.
03 – Fail securely
Assume things will go wrong – and prepare for it. Design systems to (sensibly) lock down during failures, granting access only when each security step is completed successfully.
04 – Avoid security by obscurity
Security shouldn’t rely on hiding URLs or code (it’ll be found!). Strong security is transparent and solid, not something concealed or cryptic.
05 – Keep security simple yet effective
Simplicity strengthens security. Complex controls are prone to errors and often harder to manage.
06 – Model possible threats
Document and prioritise potential vulnerabilities and attack paths. Identify hidden threats that aren’t immediately obvious.
07 – Apply least privilege
Limit access wherever possible. Users should only have the permissions they need to do their jobs – nothing more. This will minimise the fallout if credentials are compromised.
08 – Use fail-safe defaults
If in doubt, deny access. Only grant permissions where explicitly required. It’s a simple rule that prevents unnecessary exposure.
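As an added illustration of principles 03 and 08 (example code written for this post, not taken from the article or any product), here is a constructed authorisation check in both shapes: the fail-open pattern that assumes access and only withdraws it when a lookup succeeds, beside a fail-closed version that starts from deny and grants only when the policy store answers and explicitly lists the permission. The policy table and the `PolicyUnavailable` error are invented for the demonstration.

```python
"""Fail-closed authorisation check beside the fail-open pattern it replaces."""

# Constructed policy store: role -> set of (resource, action) that is allowed.
# A missing role or empty set means "no permissions", never "all permissions".
POLICY = {
    "viewer": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}


class PolicyUnavailable(Exception):
    """Raised when the policy store cannot be reached (simulated for the example)."""


def load_policy(role, store=POLICY, available=True):
    """Fetch the permission set for a role. Raises PolicyUnavailable if the
    store is down and KeyError if the role is not defined at all."""
    if not available:
        raise PolicyUnavailable("policy store unreachable")
    return store[role]


def is_allowed_fail_open(role, resource, action, available=True):
    """The weak pattern: assume access, then look for a reason to refuse.
    An outage or an unknown role raises before 'allowed' is ever set to
    False, so the request proceeds with the permissive default."""
    allowed = True
    try:
        perms = load_policy(role, available=available)
        if (resource, action) not in perms:
            allowed = False
    except Exception:
        pass  # error swallowed: nothing changed 'allowed', so it stays True
    return allowed


def is_allowed(role, resource, action, available=True):
    """Fail securely with a fail-safe default: start from deny and grant only
    when the policy lookup succeeds and explicitly contains the permission.
    A store outage or an unknown role is treated as 'no decision' and denied."""
    try:
        perms = load_policy(role, available=available)
    except (PolicyUnavailable, KeyError):
        return False
    return (resource, action) in perms
```

With the store reachable both versions agree; the difference only appears on the failure paths, which is exactly where the fail-open version quietly grants access.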
09 – Complete mediation
Ensure that every access request is checked against your security policies, every single time. Continuous vigilance keeps policies enforced.
10 – Consider psychological acceptability
In simple terms, security shouldn’t be a burden. Design systems that don’t impede users but still enforce necessary protections. This encourages safe practices without user frustration.
–
By embracing these principles (and others like them), you can make security a natural part of your approach to building products.
Remember, Secure by Design is about building stronger foundations. It’s a commitment to building more secure products, from the start, and reaping the rewards for you and your customers for years to come.
Posted 08 Jan 25
Logical Peak Ltd. ©