Security by Design

Security by design means building security properties into a system from the first design decisions, not layering controls onto a finished system. The UK NCSC Secure by Design guidance (2018, updated 2023) and the OWASP Top 10 (2021) both start from the same premise: security that is retrofitted is consistently less effective and more expensive than security that is designed in.

The NCSC identifies eight principles for secure systems. The most architecturally significant are: establish the context (what are you protecting, from whom, and under what threat model?); make the security model explicit (document trust boundaries, data flows, and authentication points in a design review); and apply secure defaults (systems should be secure out of the box, not requiring users to opt into security features).

OWASP Top 10 2021 introduced "Insecure Design" (A04:2021) as a new category, separate from implementation errors. Insecure design is a category of risks related to design and architectural flaws. Log4Shell is the canonical example: the JNDI feature was architecturally insecure. No amount of patching the surrounding code would have fixed the fundamental design error. It required removing the feature.

Threat modelling is the structured process of identifying what could go wrong with a system before it is built. STRIDE, developed by Microsoft in the late 1990s and formalised by Loren Kohnfelder and Praerit Garg, provides six categories of threat that together cover the attack surface of any software system.

Spoofing (S): claiming to be someone you are not. An attacker using stolen credentials to access an API. Mitigated by strong authentication: MFA, short-lived tokens, mutual TLS.

Tampering (T): modifying data without authorisation. An attacker intercepting an API request and changing the transaction amount. Mitigated by integrity controls: digital signatures, TLS in transit, parameterised queries.

Repudiation (R): denying that an action occurred. A user claiming they never placed an order that they did place. Mitigated by non-repudiation controls: audit logs with timestamps, digital signatures on critical actions.

Information Disclosure (I): exposing data to unauthorised parties. An overly verbose error message containing a stack trace with database connection strings. Mitigated by access controls, encryption at rest, minimum necessary data in logs and error responses.

Denial of Service (D): making a system unavailable. Flooding an API with requests until it exhausts connection pools. Mitigated by rate limiting, circuit breakers, auto-scaling, and edge protection (CDN, WAF).

Elevation of Privilege (E): gaining capabilities beyond those granted. An API parameter that allows a customer to access another customer's account by changing an account ID. Mitigated by server-side authorisation checks on every request, principle of least privilege.

Defence in depth is the security principle that no single control should be the only line of defence. If the outer control fails, the inner controls limit the impact. The analogy is a medieval castle: a moat, then a wall, then an inner keep, then the vault. An attacker who crosses the moat has not reached the vault.

In software architecture, defence in depth applies across layers. At the network layer: WAF (Web Application Firewall) blocks malicious HTTP patterns; VPC private subnets prevent direct internet access to databases; Security Groups enforce least-privilege network rules between containers. At the application layer: authentication verifies identity; authorisation checks permissions on every request; input validation blocks malformed data before it reaches business logic.

At the data layer: encryption at rest (AES-256) protects data if storage media is stolen; encryption in transit (TLS 1.3) protects data from interception; column-level encryption for PII (Personally Identifiable Information) limits the blast radius of a database compromise. At the operational layer: Security Information and Event Management (SIEM) systems detect anomalous patterns; intrusion detection systems flag unexpected network behaviour.

Log4Shell propagated so rapidly in December 2021 because many systems lacked outbound network controls on their application containers. A container that could not make arbitrary outbound TCP connections to the internet could not complete the JNDI lookup chain. Defence in depth at the network egress layer would have reduced the exploitability of the vulnerability for any system that had it deployed.

Secure defaults mean that a system is secure in its default configuration. A developer who installs and runs the system without additional configuration should not inadvertently expose an insecure system. Default credentials must not exist. Debug endpoints must not be enabled in production builds. Verbose error messages must not be the default response.

Zero trust architecture extends this principle to network design. Traditional perimeter security assumes that anything inside the corporate network is trusted. Zero trust assumes that no user, device, or service is trusted by default, regardless of network location. Every request is authenticated and authorised, even if it originates from inside the VPC (Virtual Private Cloud). Google's BeyondCorp model, published in 2014, was the first large-scale implementation: Google removed network-level trust entirely and enforced identity-based access for every internal system.

Log4Shell demonstrated that an organisation's attack surface extends to every library in every transitive dependency in every deployed container. The Log4j library was a transitive dependency in hundreds of commercial products: it was present in systems whose developers had never heard of Log4j, because a library they used directly depended on it.

A Software Bill of Materials (SBOM) is a machine-readable inventory of every software component in a deployed artefact, including transitive dependencies, their versions, and known vulnerabilities at the time of build. The US Executive Order on Improving the Nation's Cybersecurity (May 2021, EO 14028) mandated SBOM production for all software sold to the US federal government from 2022 onward. The EU Cyber Resilience Act (2024) extends similar requirements to products sold in the EU.

Architecturally, SBOM production integrates into the CI/CD pipeline at build time. Tools like Syft (by Anchore) or Trivy generate SBOM documents in SPDX or CycloneDX format from container images, Maven/Gradle dependency trees, or npm lock files. Pairing SBOM generation with a CVE scanner creates a continuous vulnerability monitoring loop: when a new CVE is published for a dependency, the SBOM enables automated identification of every affected service in the fleet.