Learning Library

← Back to Library

Security by Design: Ten Principles

17m • Unknown Channel • security • tutorial • intermediate • Watch on YouTube ↗

Key Points

Embedding security from the outset (“shift‑left”) dramatically reduces vulnerability remediation costs compared with retrofitting security late in the development lifecycle.
The Principle of Least Privilege mandates granting individuals only the minimum access required for their role, with temporary permissions revoked when no longer needed, thereby shrinking the attack surface.
Defense in Depth requires layering multiple, interdependent security controls across all system tiers—endpoint, network, application, and data—so that an attacker must defeat every layer to succeed.
Focusing on the design phase allows teams to integrate these principles early, creating more elegant, cost‑effective, and resilient systems than costly after‑the‑fact fixes.

Sections

00:00:00 Design‑Phase Security: Shift‑Left Principles - The speaker explains why security must be baked into software early—especially during design—by illustrating cost impacts of late fixes and introducing the principle of least privilege as the first of ten secure‑by‑design guidelines.

Full Transcript

# Security by Design: Ten Principles **Source:** [https://www.youtube.com/watch?v=3l8GwLv2f3E](https://www.youtube.com/watch?v=3l8GwLv2f3E) **Duration:** 00:17:18 ## Summary - Embedding security from the outset (“shift‑left”) dramatically reduces vulnerability remediation costs compared with retrofitting security late in the development lifecycle. - The Principle of Least Privilege mandates granting individuals only the minimum access required for their role, with temporary permissions revoked when no longer needed, thereby shrinking the attack surface. - Defense in Depth requires layering multiple, interdependent security controls across all system tiers—endpoint, network, application, and data—so that an attacker must defeat every layer to succeed. - Focusing on the design phase allows teams to integrate these principles early, creating more elegant, cost‑effective, and resilient systems than costly after‑the‑fact fixes. ## Sections - [00:00:00](https://www.youtube.com/watch?v=3l8GwLv2f3E&t=0s) **Design‑Phase Security: Shift‑Left Principles** - The speaker explains why security must be baked into software early—especially during design—by illustrating cost impacts of late fixes and introducing the principle of least privilege as the first of ten secure‑by‑design guidelines. ## Full Transcript

0:00the best security is the kind that's 0:02baked in not bolted on after the fact a 0:05retrofit is always going to be more 0:08expensive and probably not as elegant 0:11let's take a look at the development 0:12process if I start looking at 0:14requirements design Code test deployment 0:17and then map out the cost of a security 0:20vulnerability in terms of which phase 0:22it's found it turns out it looks about 0:25like this so it is way more expensive if 0:27you find something in deployment than if 0:29you find it earlier in the process so 0:31the big desire here in this case is to 0:34try to shift left in this process in 0:37other words bake the security in build 0:39it in from the start in this video we're 0:41going to focus specifically on the 0:43design phase and I'm going to give you 0:4510 principles for security by 0:49Design okay let's take a look at the 0:51first secure by Design principle it's 0:54what we refer to as the principle of 0:56least privilege it means don't give any 0:58more access than is abs absolutely 1:00necessary for any person to do their job 1:03function so let's take a look at this 1:05imagine a company has different 1:07classifications of the information they 1:09have of the data that they have so let's 1:11say they have internal use only this is 1:13something we don't really want the whole 1:15world to see but if they did it's not 1:16the end of the world then we have 1:18confidential stuff that really would be 1:21very sensitive stuff and then we have 1:23the keys to the kingdom now here is a 1:25general user and we may give them just 1:28access to the internal use only and 1:30maybe some very specific cases of 1:33confidential information where we 1:35segment that off this guy over here 1:38though he's the administrator he's got 1:40access to the keys to the kingdom which 1:43then in fact allow him to get to any of 1:46these other kinds of things as well so 1:47obviously we need to have that very 1:49locked down we don't want to give 1:50everyone access to everything and maybe 1:53in some cases we give this person 1:55temporary access to something else that 1:58falls into this realm but then we remove 2:01it as soon as they don't need it anymore 2:03that's the principle of lease privilege 2:05each one of them has only what they need 2:07in order to do their job and only for as 2:09long as they need it and not any longer 2:11than that that reduces the attack 2:13surface the next principle we'll take a 2:16look at is defense in depth defense in 2:19depth says I never want to rely on any 2:21single security mechanism to secure the 2:23entire system I want to have a system of 2:27interrelated uh defenses and make sure 2:30that they all would have to fail in 2:32order for someone to actually get into 2:33the system so let's take an example here 2:35here's an end user and they're going to 2:38use some endpoint device a laptop in 2:40this case could be a mobile device uh 2:42coming across a network to hit an 2:44application which pulls data from a 2:46database so that's a typical use case a 2:49typical architecture that we might see 2:51here so I'm going to look at each one of 2:53these layers and try to secure each one 2:54of them for instance here I need some 2:57ability to do identity and access 2:59management I might need need things like 3:02multiactor authentication and other 3:05things like that to ensure that the user 3:06is who they claim to be we would also in 3:09the identity governance part of this 3:11make sure that we've adhered to the 3:13principle of lease privilege and only 3:14given them what they need in terms of 3:16access rights and then here we're making 3:18sure that it's really them so we design 3:20these things into the system in order to 3:23be the first layer of Defense the next 3:25layer of Defense then is on the device 3:27itself and we do things like unified 3:30endpoint management to make sure that 3:32the device is configured as it should be 3:34it doesn't have viruses or malware or 3:36anything like that uh it's got a strong 3:39password if that's the way we've done it 3:40it the information's been encrypted on 3:42it a lot of things like that so uh that 3:45has to also be secure the network also 3:48needs to be secure we're going to use 3:50things like firewalls Network intrusion 3:52prevention systems and other things like 3:54that that there's in fact a lot of 3:56different technologies that go into this 3:58space but the idea is I'm not relying on 4:00just any one of those things there are 4:02multiples and they're all looking over 4:04each other and verifying the application 4:07well what are the things we might do 4:09there well I'm going to put in access 4:10controls so I want to make sure that the 4:13application only allows certain levels 4:16of access again implementing principle 4:18of lease privilege I'm going to scan the 4:20application for vulnerabilities I'm 4:23going to scan the source code I'm going 4:24to scan the operational system in both 4:27cases uh a lot of other things that we 4:29can do in that space and then finally 4:31the data itself we're going to encrypt 4:33it so we're we're going to use 4:35cryptography in order to make sure that 4:37the data if it does leak isn't easily 4:39seen by others and we're going to do 4:41things like backup and Recovery 4:43capabilities so that if for instance a 4:46malware comes along and blows this thing 4:48away ransomware case I can recover 4:51quickly so you can see the point here 4:53there's no single mechanism that is 4:55providing security it's a whole system 4:58of interrelated defenses that work 5:01together in order to make the system 5:02secure our next secure by Design 5:04principle is the principle of fail safe 5:08fail 5:09safe assumes that any system will 5:12eventually fail because Murphy's Law 5:15right anything that can go wrong will go 5:17wrong and it will especially in these 5:19cases so let's take a look at what a 5:22system should do with if in fact it does 5:25do one of those failures so let's take a 5:27look at a firewall let's say we allow 5:29this traffic to go through but this 5:32traffic we block so those are examples 5:35of the firewall operating the way we 5:37expect a firewall to operate now let's 5:40take a look at another example where the 5:41firewall has in fact failed something 5:44has gone wrong with it now what 5:47condition is it going to be when it 5:48fails does it become a permanent block 5:51until we fix it or does it become an 5:53open switch so what we don't want is for 5:57anything to get through that means even 6:00the good stuff we certainly want to 6:02block the bad stuff but for sure block 6:05even the good that's what's called fail 6:07safe the condition is it fails but it 6:10fails in a secure position that's what 6:13we want now the next one that we're 6:15going to take a look at is kiss 6:18principle this is keep it simple stupid 6:21now a longer version of this is economy 6:24of mechanism which even in and of itself 6:27is too long so let's get rid of that 6:29name and let's go with kiss keep it 6:31simple stupid if I'm trying to get from 6:33here to here what I don't want to do is 6:35tons of twists and turns because each 6:37one of these twists and turns introduces 6:40more complexity and complexity is the 6:42enemy of security the more complex a 6:44system is the harder it is to ensure 6:46that it's going to do in fact what we 6:49want it to do so what I want to do is I 6:51want to make the system as simple as it 6:54possibly can be and in making it simple 6:57I reduce additional vulner abilities our 7:00next secure by Design principle is the 7:03principle of separation of Duties 7:05sometimes called segregation of Duties 7:07but it's the same idea so with 7:09separation of duties I'll give you an 7:10illustration of this imagine a door with 7:13two deadbolt locks each with a different 7:15key and I'm going to give one user one 7:19of these keys and the other user the 7:23other key now if I lock both of those 7:26locks nobody is opening this door unless 7:29both keys have been used to unlock it so 7:32in other words I've spread the ability 7:34to open the door across two people why 7:37would I do that because now it makes it 7:39harder for one single bad actor to do 7:42something bad to the system it requires 7:44collusion in order to break into this 7:46system so separation of Duties is a good 7:49principle to keep up another one is 7:51about open design I want the system to 7:54be clear and open it's the opposite of 7:57security by obscurity which is something 7:59that no one really tries to design into 8:02a system but a lot of people feel secure 8:04if they think no one knows how their 8:06thing works so to give you an example to 8:09borrow from cryptography there's this 8:11thing called cryp uh Kirk off's 8:12principle and kirkoff came up with the 8:14idea that says if I have a crypto system 8:17so that means I'm going to take plain 8:19text that anybody can read I feed that 8:22into my encryption system and I'm going 8:25to get out a bunch of gibberish 8:27something that's an encrypted message 8:29that means that uh the only thing that 8:33someone should should really keep as a 8:35secret would be the key the key that's 8:36used to encrypt that data so this person 8:39trying to observe the system if they 8:41can't see into it they really don't know 8:44if this algorithm is good or not it 8:46could have all sorts of vulnerabilities 8:48that are hidden that no one has been 8:50able to see because the inner workings 8:52of the system have been kept secret a 8:55better idea is following Kirk off's 8:57principle where we actually take the 8:59plain text we feed it into the system we 9:03see how it works and we see how it 9:06creates the cipher text the encrypted 9:09version of all of that so the only 9:11secret in the system is in fact the key 9:14the way the system works is visible by 9:17anyone and that's how the best crypto 9:20systems in the world work it's not 9:23security by obscurity it's security 9:26through openness our next secure by 9:28Design principle is is that of 9:30segmentation that is there are going to 9:33be times when we specifically want to 9:35break the system up into pieces and that 9:38those pieces create a certain amount of 9:39isolation that give us additional 9:42security take for instance here's a 9:44townhouse and let's say these folks here 9:47have a fire and that fire is affecting 9:51their unit what we don't want to have 9:53happen is for that fire to spread so we 9:56put literally in construction between 9:58these units something we call a firewall 10:00that's where we get the term firewall 10:02from by the way on the network side but 10:04this is in physical architecture this 10:06firewall is designed to the and 10:08slow down the spread of fire from one 10:11unit to the next so that way the fire 10:13department can get there put the fire 10:15out before it burns down the whole 10:16building that kind of segmentation is 10:18also what we do with our networks and 10:21what we do with our security we take 10:23components that are of one level of 10:25security and put them in one area 10:28isolated from other areas that may have 10:30different levels of sensitivity so this 10:33idea of segmentation can be designed 10:35into a system to make it more secure how 10:38about another factor that often gets 10:41overlooked and that is we forget that at 10:43the end of all of this security chain is 10:45a human and the humans are often the 10:47weakest link in that chain so we should 10:49really be looking at 10:51usability human factors if we make a 10:54system too hard to use well then people 10:57will find ways to get around the 10:59security because not because they're 11:01evil just because they need to get their 11:02jobs done and they don't understand the 11:04reason for all that complexity here's a 11:07good example of how the security 11:08department has made things difficult and 11:11made things as a result less secure in 11:13the way that they designed the system so 11:15we put the requirements for instance 11:17with passwords we say your password has 11:20to be um let's say uppercase characters 11:25it has to also include some lowercase 11:27characters uh it has to include some 11:30numerics some numbers along the way it 11:33needs uh some special 11:35characters um it needs to be of a 11:38certain length let's say it's got to be 11:4032 characters long or or longer 11:42something like that um let's say we're 11:44also going to add in that it has to be 11:47unique um and it needs to be unique 11:51across each system so it's not the same 11:53password on multiple systems we're going 11:56to make sure that that this is not uh 11:59going to be replicated and it needs to 12:01be fresh so we're going to make you 12:03change it frequently all of these things 12:06go into what would theoretically be a 12:08very strong secure password but what do 12:11end users do when they look at all of 12:13this they say well I can't remember that 12:16if I had multiple passwords that were 12:18that level of complexity I can't 12:20remember it so what am I going to do 12:22well it turns out there's a solution 12:23that the end users came up with for this 12:26and it's this this is the first p 12:29password storage device that users turn 12:31to and they put all of these things up 12:33on their monitor somewhere no one will 12:35ever suspect to look right and it won't 12:38matter how strong the password rules are 12:41if people end up doing this you've 12:43created an insecure system so make sure 12:45when you design a system you design it 12:47to be usable as well as 12:49secure if you were aiming at a Target 12:52which ones of these Bull's eyes would 12:54you prefer the big one or the little one 12:57if you're trying to hit the target 12:59probably like this one but if you're 13:01trying to secure an infrastructure you 13:03want to present this to the outside 13:06world you want to in fact minimize the 13:09attack surface you want to make it so 13:12that it's really hard for somebody to 13:14thread the needle and get right to where 13:17your sensitive stuff is so I want to do 13:19that by limiting certain things so for 13:22instance I'm going to limit maybe 13:24external interfaces that I have is there 13:27really a need for that thing to be 13:30connected to a lot of other systems 13:31along those same lines I may want to 13:34limit remote access is there really a 13:37need for people to connect into this 13:39system from outside or would all the 13:41access be from a certain place or there 13:43are only certain IP addresses certain 13:45ranges or areas of the world where we 13:48know legitimate users would be so I 13:50could do some sort of limitation there 13:53and again reduce the attack surface how 13:55about limit the number of components 13:58that are in the system 14:00again this kind of goes back to the keep 14:01it simple fewer number of components 14:04also minimizes the attack surface and 14:07there's a lot of other things that we 14:08can do in this space but you get the 14:10general idea I want to make this into 14:14that so it's really hard for the bad guy 14:17and then our 10th principle of secure 14:20design is in fact 14:23secure by 14:26default so this now deals with the way 14:29the system operates in its default 14:32configuration when it just comes out of 14:33the box what is it going to look like so 14:36take a look at two houses here's a house 14:39that is insecure by default the front 14:41door is wide open the windows are open 14:44those are all attack surfaces and the 14:47way it's set up right now it is insecure 14:50we look at this house in this case the 14:52door is in fact closed we'll say it's 14:55locked the windows are down so secure by 14:59default so what are some of the 15:01principles then that we would look at in 15:03some of these cases so it would be 15:05things like a secure insecure by default 15:08would be by default everything is turned 15:11on all the features of the system are 15:13turned on versus secure by default would 15:17say only the required uh capabilities 15:21are turned on so I'm going to make it so 15:24that I've limited again attack surface 15:28I've limited the possibilities of a bad 15:30guy to exploit because only the things 15:32that are necessary you'll see that a lot 15:34of these principles relate to each other 15:35that's again very similar to principle 15:37of lease privilege then defaults also 15:40very important since we're talking about 15:42that is the default password configured 15:45and if it is well then that means it's 15:48going to be be the default on all of the 15:50systems all the instances of that system 15:52so if it's a consumer product everyone 15:54that buys that then they're going to all 15:56have the same password unless it gets 15:59changed it's much better if you make 16:01people Supply a password something 16:04that's determined during the 16:06configuration and set up the system that 16:08way you end up with uniqueness otherwise 16:10someone can just go out and figure out 16:12what's the default password for this 16:13particular device and assume that people 16:16have not changed that password and then 16:18they'll be able to get into all of those 16:20so we're going to make it a must Supply 16:22how about default IDs especially if 16:25those IDs are the administrator ID the 16:28super sensitive stuff if it's an admin 16:30ID maybe I want to make it so that when 16:33you uh actually configure and install 16:35the system you have to pick a different 16:38name for that you have to pick something 16:41that's going to be unique so you've made 16:43it harder for the bad guy because now he 16:45has to guess what is the admin account 16:48what is the admin password and then all 16:51of the capabilities that they might 16:52normally use to break in through those 16:54have been turned off so these are the 16:56kinds of things that we're looking for 16:58secure by 16:59default getting security right isn't 17:02easy but now I've given you 10 17:04principles for secure by design that way 17:06you can make sure that security is baked 17:09in from the start and not a bolt on at 17:11the end that way you save money and make 17:14your system more secure at the same time