Op-Ed: Secure-by-design principles struggle to find unified enterprise adoption

While awareness of the concept of ‘Secure by Design’ is growing within many organisations, its usage remains fragmented and inconsistent.

At its core, Secure by Design is meant to shift the onus of software security from end-users to software vendors, and, by extension, their AppSec and development teams. It promotes building secure software from the ground up rather than retrofitting security after development.

However, interpretations of what constitutes Secure by Design vary significantly from company to company. Some organisations focus narrowly on access controls and authentication, while others stretch the term to include everything from threat modelling to cultural change.

This so-called ‘definition sprawl’ has led to a diluted and often ineffective execution of the core tenets. Unfortunately, if organisations can’t even agree on what Secure by Design means, they certainly won’t be able to measure its success.

Five pillars, but no blueprint

Despite the lack of consensus, some common components have emerged in enterprise approaches to Secure by Design. The five typical elements are:

Threat modelling and security architecture: Often lacking developer involvement, but crucial for pre-emptive risk mitigation.

Security policy: Governing the use of trusted tools and third-party code.

Paved path methodology: Standardised toolchains and approved libraries that guide secure development.

Cultural transformation: Moving from isolated security champions to integrated DevSecOps practices.

Scanning and remediation: Use of SAST/DAST tools to catch vulnerabilities, though often plagued by noise and false positives/negatives.

These pillars provide a framework but not a roadmap. Many organisations struggle to stick to a standard security program rollout, which hampers scalability and long-term improvement.

The threat modelling dilemma

One of the limiting factors faced by many organisations is the current state of threat modelling. Although it is widely acknowledged as essential to Secure by Design, many organisations treat it as a checkbox activity to satisfy compliance requirements rather than a robust, ongoing practice. In addition, developers, who are arguably best positioned to understand code and design flaws, are often excluded from this process due to a lack of security proficiency.

While only security-skilled developers should be involved, meaningful internal security upskilling programs are rare. Organisations need to closely examine their knowledge provisions and ensure the required skills are being covered.

AI and automation: Opportunity or risk?

The growing presence of AI coding assistants has further complicated the security equation. While some organisations are cautiously optimistic, others are still grappling with how to distinguish between beneficial and potentially harmful models.

There is clear momentum toward automating threat modelling and other secure coding practices, but this is still in early stages. Recent industry research found 65 per cent of organisations use entirely manual threat modelling processes, although many are evaluating AI-powered tools to speed up adoption and standardisation.

Getting started is half the battle. AI can be the catalyst that moves threat modelling from compliance checkbox to strategic differentiator, but only if used wisely.

A fragmented vendor landscape

Adding to the complexity, there is no single vendor or platform offering a comprehensive Secure by Design solution. Instead, organisations must piece together capabilities from various providers and select a range of components, including threat modelling tools, application security posture management (ASPM), scanning engines, and developer upskilling and measurement platforms.

Open standards like the OWASP Application Security Verification Standard (ASVS) show promise, but are only truly effective when paired with modern, developer-driven security programs.

The road ahead: Standardisation and developer enablement

Despite the challenges, the need for a coherent Secure by Design strategy is more urgent than ever. Rising threats from state-sponsored actors, the proliferation of insecure software, and the increased pace of software development demand a unified response.

There needs to be a fundamental rethinking of the role developers play in security. This includes embedding security ownership into the development lifecycle and empowering engineers with the tools and knowledge they need to successfully manage and mitigate code-level security issues.

As enterprises look ahead to a more regulated and risk-sensitive future, aligning on definitions, benchmarking outcomes, enabling developers, and managing developer risk may be the only path forward. Otherwise, Secure by Design risks becoming just another well-intentioned slogan rather than the software security revolution it was meant to be.
