Digital transformation through effective cybersecurity

Security 1st Design Principle 

 

"Security by Design" & "Security by Default" + "Privacy by Design"


Security by Design is...

Integrated…
Automatic…
Efficient…
Cost effective…
Transparent…
Adaptive…
Usable – UI/UX important


 

Customers should not have to choose between security and usability.

If security is something special for people to get or do, then most will not get or do it.
 


Bad security design is expensive

  • Incremental security measures become more costly and less secure
  • 6.5x more expensive to find and fix an application flaw in development than during design
  • 15x more expensive during testing
  • 100x more expensive during production

National Institute of Standards and Technology (NIST)

 Why?

  • Requires coordination of multiple activities and environments (i.e., PROD vs. UAT)
  • Finding the vulnerable code
  • Fixing the vulnerable code
  • Testing of the feasibility of the fix
  • Testing the setup of the fix
  • Creating and testing international/localized versions
  • Posting of the fix
  • Retesting the fix and dependent systems
  • Writing support documentation related to the fix
  • Handling negative public perception
  • Bandwidth and download expenses
  • Lost productivity
  • Customer implementation efforts
  • Potential loss or postponement of market opportunities 

Relative cost to repair defects

  • Architectural (security) design: 1x
  • Coding / unit test: 5x
  • Implementation: 6.5x
  • Integration test: 10x
  • QA testing: 15x
  • Release: 30x
  • Maintenance: 100x



Figure: Cost vs. security graph. The left axis is cost, from $0 to $$$$$; the bottom axis is security, from None to Maximum. The break-even line is about halfway up the cost axis. The safe zone is below the break-even line, in the high-security area. The danger area is the medium-security area.

https://www.nist.gov/sites/default/files/documents/director/planning/report02-3.pdf

IBM Systems Sciences Institute


Intecur, Inc. Copyright © 2020 All Rights Reserved.