Today’s Secure by Design paper shares Google’s years of experience using the concept to “build security in” during the design of a software product and throughout the development lifecycle, rather than “bolting it on” afterwards. We offer four principles for Secure by Design for software design, development and deployment:
- User/customer-centric design: we consider our products in the context of their use, and how user actions and choices could lead to adverse outcomes, especially when users cannot be reasonably expected to know whether a choice is risky.
- Developers are users, too: in our experience, the development and deployment ecosystem in which a software product or service is produced has significant influence on its security posture, so we consider how to ensure that the developer ecosystem encourages secure design and prevents vulnerabilities and errors.
- Thinking in terms of invariants: we ground our security design by defining properties that we expect to always hold for a system, even when it’s under attack — our security invariants.
- Design for understandability and assurance: software systems should be designed such that security experts can determine with confidence that the systems will indeed uphold their security invariants, and can do so at scale and throughout ongoing development over the lifecycle of the product.
These four principles can help produce products and services that are designed to automatically defend users from things like malicious servers, network-level adversaries, attacks through downloaded files, phishing attacks, and more. These principles can also significantly reduce entire classes of vulnerabilities.
