What is... Security by Design?

In this series of posts, I introduce multiple concepts of DevOps in simple and clear ways. This one is Security by Design.


Security by design means building protection against unauthorized access into a system from the start, rather than adding it afterwards.
It covers the classic security controls: authentication, authorization, availability, accountability, integrity and confidentiality.

Principles (by OWASP)

  • Minimize attack surface area: Every added feature enlarges the attack surface, so add only what is needed and make sure each feature is secure.
  • Establish secure defaults: The out-of-the-box configuration must be the secure one; weakening it should be an explicit choice.
  • Principle of least privilege: Accounts and services get only the minimum privileges required to perform their tasks.
  • Principle of defense in depth: Implement multiple layers of centralized validation and audit controls, so no single control is the only barrier.
  • Fail securely: If a request or change fails, the system must remain in a secure state (deny rather than grant).
  • Don’t trust services: Treat data coming from other services, especially external services and third-party libraries, as untrusted and validate it.
  • Separation of duties: Use a specific role for each different task.
  • Avoid security by obscurity: Do not rely on the secrecy of the architecture or source code; rely on good architecture, query limiting and audit controls instead.
  • Keep security simple: Rather than over-engineering, use simple architectures and design patterns.
  • Fix security issues correctly: Fix issues quickly, then add tests so they do not come back.
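To make several of these principles concrete, here is an added example (not code from the original post or from OWASP): a small authorization layer that applies secure defaults (deny unless explicitly allowed), least privilege (roles carry only the permissions they need), fail securely (any error in the decision path results in denial, never in access) and don’t trust services (permissions delivered by an external role service are checked against a known set before use). The role names, permission strings and sample data are all constructed for illustration.

```python
"""Added example (not part of the original post): an authorization check
built on the OWASP principles above. Roles, permission names and sample
data are constructed for illustration."""
from dataclasses import dataclass, field
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("authz")

# Closed set of permissions the application knows about. Anything else that
# arrives from an external role service is rejected (don't trust services).
KNOWN_PERMISSIONS = frozenset({"orders:read", "orders:write", "reports:read"})


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


def load_roles(external_roles: dict) -> dict:
    """Build Role objects from an untrusted mapping {role_name: [perms]}.
    Unknown permissions are dropped and logged instead of being granted
    (least privilege: a role only ever holds permissions we know about)."""
    roles = {}
    for name, perms in external_roles.items():
        unknown = set(perms) - KNOWN_PERMISSIONS
        if unknown:
            log.warning("role %s requested unknown permissions %s; dropped", name, sorted(unknown))
        roles[name] = Role(name, frozenset(perms) & KNOWN_PERMISSIONS)
    return roles


def is_allowed(roles: dict, user_roles, permission: str) -> bool:
    """Secure default: False unless some role explicitly grants the permission.
    Fail securely: any exception (malformed input, unknown role name) is
    logged and turned into a denial, never into an allow."""
    try:
        for role_name in user_roles:
            role = roles[role_name]          # KeyError for a role we do not know
            if permission in role.permissions:
                return True
        return False
    except Exception as exc:  # deliberately broad: deny on any failure
        log.error("authorization check failed (%s); denying", exc)
        return False


# Constructed sample: what an external role service might hand us, including
# a permission the application does not recognise.
SAMPLE_ROLES = load_roles({
    "clerk": ["orders:read"],
    "manager": ["orders:read", "orders:write", "reports:read"],
    "intern": ["orders:read", "admin:everything"],  # unknown permission, dropped
})

if __name__ == "__main__":
    print(is_allowed(SAMPLE_ROLES, ["clerk"], "orders:write"))       # False
    print(is_allowed(SAMPLE_ROLES, ["manager"], "orders:write"))     # True
    print(is_allowed(SAMPLE_ROLES, ["intern"], "admin:everything"))  # False
    print(is_allowed(SAMPLE_ROLES, ["ghost"], "orders:read"))        # False: unknown role denies
```

The design choice worth noticing is that every path that is not an explicit grant ends in `return False`: an empty role list, a role the service never defined, or a crash inside the loop all produce the same outcome as a plain "not permitted". That is what fail securely and secure defaults look like in code.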


  • Access control
  • Audit security events
  • Configuration change control
  • Cryptography module
  • Error handling
  • Incident monitoring
  • Non-repudiation
  • Session control
  • Timestamps
  • Unsuccessful login attempts
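As an added example (not part of the original post), the following login gate puts three of the controls in this list into code: unsuccessful login attempts are counted and the account is locked after a threshold, every decision is written to an audit trail, and each audit record carries a UTC timestamp. The account name, password, thresholds and the injectable clock are constructed for illustration; a real deployment would persist the counters and the audit records outside the process.

```python
"""Added example (not part of the original post): a login gate covering the
'Unsuccessful login attempts', 'Audit security events' and 'Timestamps'
controls. Names, passwords and thresholds are constructed."""
from collections import deque
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import os

MAX_FAILURES = 3                          # failures before the account is locked
LOCKOUT_WINDOW = timedelta(minutes=5)     # failures older than this are forgotten
LOCKOUT_DURATION = timedelta(minutes=15)  # how long a locked account stays locked
PBKDF2_ROUNDS = 100_000
_DUMMY_CREDENTIAL = (b"\x00" * 16, b"")   # used for unknown users (see _password_ok)


def make_credential(password: str):
    """Salted PBKDF2-SHA256 hash of a password; returns (salt, digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGate:
    def __init__(self, credentials: dict, clock=None):
        # credentials: {username: (salt, digest)} as produced by make_credential.
        # clock is injectable so the lockout timing can be tested deterministically.
        self._creds = credentials
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._failures = {}      # username -> deque of failure timestamps
        self._locked_until = {}  # username -> datetime when the lock expires
        self.audit = []          # (timestamp, event, username) audit trail

    def _record(self, event: str, username: str) -> None:
        # Every security event is timestamped in UTC.
        self.audit.append((self._clock(), event, username))

    def _password_ok(self, username: str, password: str) -> bool:
        # Unknown users still go through the hash so response time does not
        # reveal whether the account exists; the comparison is constant-time.
        salt, expected = self._creds.get(username, _DUMMY_CREDENTIAL)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return username in self._creds and hmac.compare_digest(digest, expected)

    def login(self, username: str, password: str) -> bool:
        now = self._clock()
        until = self._locked_until.get(username)
        if until is not None and now < until:
            self._record("LOGIN_REJECTED_LOCKED", username)
            return False
        if self._password_ok(username, password):
            self._failures.pop(username, None)   # a success resets the counter
            self._record("LOGIN_SUCCESS", username)
            return True
        window = self._failures.setdefault(username, deque())
        window.append(now)
        while window and now - window[0] > LOCKOUT_WINDOW:
            window.popleft()                     # forget failures outside the window
        self._record("LOGIN_FAILURE", username)
        if len(window) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_DURATION
            self._record("ACCOUNT_LOCKED", username)
        return False


def demo_lockout():
    """Drive the gate with a fixed clock: three wrong passwords, the right
    password while locked, then the right password after the lock expires.
    Returns (login results, audit event names)."""
    t = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]   # constructed start time
    gate = LoginGate({"alice": make_credential("correct horse")}, clock=lambda: t[0])
    results = [gate.login("alice", "wrong") for _ in range(3)]
    results.append(gate.login("alice", "correct horse"))      # locked: rejected
    t[0] += LOCKOUT_DURATION + timedelta(minutes=1)
    results.append(gate.login("alice", "correct horse"))      # lock expired: accepted
    return results, [event for _, event, _ in gate.audit]


if __name__ == "__main__":
    for event in demo_lockout()[1]:
        print(event)
```

Two details matter for the controls named in the list. The audit trail records the rejection of a login while locked as its own event, so a monitoring job can tell a wrong password from an attempt against an already locked account. And the lockout is temporary and windowed: an attacker cannot permanently lock a user out with three bad guesses, while a legitimate user who mistypes twice a day never trips it.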
