Security by design: what it is and why it must be taken into account

Anyone working in the IT sector in any company has by now heard the term “security by design”. If anyone has so far considered it a mere buzzword to emphasize the importance of taking cybersecurity aspects into account in the management of digital infrastructures, they have got it very wrong. The concept of security by design is something that goes far beyond a simple statement of principle and represents a real revolution in terms of both processes and information technology management.

With Security by design the last shall be first

In development and design processes, IT security has always been regarded as a kind of “ugly duckling”. In fact, the verification of any security problems has always been relegated to the end of the processes. At best, verification was done at the end of design or development. At worst, it was left to time to bring any problems to light.

The results are there for all to see: neglecting security at the development and design stage, in addition to opening up real prairies to hacker attacks, has triggered a constant chase for updates and changes to software and devices, with the constant risk of incompatibilities emerging and an exponential increase in costs. The advent of the logic linked to security by design will (or should) lead to an enormous qualitative leap that will make the management of IT services much simpler.

Security by design in the IoT

One of the sectors set to gain the most from the logic of security by design is the “Internet of Things” (IoT), which has paid the heaviest price in recent years due to a lack of attention to cybersecurity. In fact, the constant alarms related to cyber attacks on IoT devices (from 'smart' home devices to those implemented in industry) are the result of a wretched race for production that has completely neglected the security aspect.

The first cases of malware dedicated to IoT, for instance, were able to exploit as an attack vector the use of predefined credentials for remote access to their control systems. In fact, manufacturers had not bothered to implement a system that forced users to change them and, in some cases, had even inserted backdoors (theoretically dedicated to remote updates) that allowed devices to be hacked very easily. Only later did cyber criminals have to 'settle' for more complex vulnerabilities to exploit, as they could in any case rely on an extremely large attack surface.

Security by design and GDPR: protecting privacy

The European Regulation 2016/679, better known as GDPR, includes an article, number 25, which explicitly includes a reference to security by design, which in the Italian edition is defined as follows: "Data protection by design". A direct, clear form that highlights the need to design solutions, software and services that already protect users' privacy at a conceptual level.

The measures and development best practices to achieve the objective of security by design allow data to be protected tout court. It must be borne in mind that the GDPR is a regulation and as such it places precise obligations, which must be fulfilled in order not to incur fines of up to EUR 20 million or 4% of turnover. With this in mind, security by design becomes a compulsory step in the development of any service that can handle personal information. A very effective incentive to adhere to this model.

Security by design: software towards DevSecOps

Whether it is the firmware of an IoT device or software dedicated to the delivery of business services, what is required today is to apply the logic of security by design through the adoption of a process called DevSecOps. The neologism is intended to indicate how, in addition to the developers (Dev) and those in charge of operations (Ops), it is also necessary to involve those responsible for security testing (Sec) from the outset. In practice, the procedure envisages that cyber security checks are already carried out during software development, through a continuous exchange between developers and analysts. The aim is to achieve a better security level and optimize the process.

More generally, however, the concept of security by design can be applied to any IT field, for instance (and especially) when dealing with the planning of digital networks and services. In this declination, even if we are not dealing with a real development phase, collaboration with security experts makes it possible to adopt a strategy geared towards data protection and service integrity from the outset. The benefits are enormous. In addition to enabling the implementation of more effective protection tools, the adoption of the security by design philosophy in fact lowers security costs and drastically reduces the risk of security incidents.