Secure by Design

Authors: Abdulhamid A. Ardo, PhD Researcher, University of Salford, Julian M. Bass, Head, Computer Science and Software Engineering at University of Salford, Tarek Gaber, Lecturer in Computer Science & Software Engineering, University of Salford.

The vast majority of products and services that contain software code are vulnerable to attack. Nowadays, all businesses, regardless of size or industry, are susceptible to hostile attacks that aim to take advantage of weaknesses in mobile apps, web apps and web servers, among other targets.

Digital transformation policies raise the exposure of SMEs to digital security threats. The growing reliance on digital technologies during the COVID-19 crisis increases the chance of these businesses becoming victims of cybercrime. Adopting IoT-based services has increased digital connectivity, but it has also multiplied the number of exploitable vulnerabilities and raised the likelihood of attack. Likewise, with the expanding use of cloud computing services, sensitive data is increasingly transferred to third parties outside the company in question, so the security and protection of that data now depend on how well those third parties maintain it. Although artificial intelligence (AI) can help digital security teams protect and secure data, AI-based systems are themselves subject to new types of attack: Input Attacks, which alter the data fed to an AI-based system so that its output changes to serve the attacker’s goals; and Poisoning Attacks, which corrupt the process by which the AI system is created so that it malfunctions in the way the attacker intends. One way to address these problems is to consider security throughout the software development process, an approach often referred to as “secure-by-design”.

A secure-by-design agile software development process is a systematic method applied throughout the development lifecycle that places security at the centre of product development. It broadens the process beyond the design phase. Thus, in a secure-by-design agile software development process, security issues are considered at the requirements, design, implementation, testing, deployment, and maintenance stages. The following are techniques applied at each software development phase.

Security Requirements

Defining security requirements in a clear and consistent manner is key to developing secure software applications [1]. Cybersecurity breaches can be reduced by adopting the following practices.

  • Security backlog: Is a list of requirements like the product backlog; however, it contains only security-specific items. The security backlog is periodically updated by adding, reviewing, and prioritising items.
  • Evil user stories: Are included in security backlogs and focus on threat scenarios that describe how systems may be attacked. These threat scenarios help to identify vulnerabilities that can be exploited by malicious actors [2]. It is good practice to document evil user stories and to model the scenarios on real attacks. Evil user stories are usually reviewed in each iteration.
  • Hacker personas: Are a user-experience or interaction-design technique used to describe fictional users who might be interested in attacking the software. Hacker personas are modelled with different mindsets [3]; for example, separate personas may be created for malicious actors with different budgets and working practices.

Security Design

Adopting good software architecture, evaluating risks properly and monitoring the project reduce security flaws during implementation. Further, increasing the security competence of agile team members helps mitigate security threats. Some security practices at the design phase include:

  • Security Patterns: Like object-oriented software design patterns, security patterns aim to disseminate good practice in architectural design. In software development, patterns help non-expert system users to benefit from specialist expertise. There are several security patterns available for authentication, access control and secure process management, amongst others [4, 5].
  • Protection Poker: This technique, based on the planning poker concept, is used to prioritise software development activities according to their security risks. During the software development planning session, security activities are discussed, and every item is scored. Finally, scores are aggregated, and the activities with greater risk are assigned a higher priority for development.
  • Risk Analysis: The risk assessment documentation contains a detailed analysis of the risks associated with each security requirement, and these are reviewed after each iteration.
  • Misuse Cases: Are undesirable behaviours in software applications that can cause security breaches. They are sometimes described as negative use cases and are represented using UML notation.
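As an added example (not from the article), the scoring and aggregation step of Protection Poker in Python: each team member's ease-of-attack vote is collapsed to a consensus card, multiplied by the agreed value of the assets the story exposes, and the backlog is ordered by the result. The risk = ease of attack × asset value product follows the original Protection Poker method (Williams et al.); the card scale, the median consensus rule and the sample stories are assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Sequence, Tuple

# Planning-poker card values shared by all estimators (assumed scale).
CARDS = (1, 2, 3, 5, 8, 13, 20, 40, 100)

@dataclass(frozen=True)
class BacklogItem:
    """A backlog item plus the security estimates cast during planning."""
    name: str
    ease_votes: Sequence[int]      # one vote per team member: how easy to attack?
    asset_values: Dict[str, int]   # agreed value of each asset the item exposes

def consensus(votes: Sequence[int]) -> int:
    """Collapse individual votes into one card: the median, snapped to the scale.

    The median resists a single outlier vote; snapping keeps the result on the
    card scale so risks stay comparable across items. Exact ties snap downward.
    """
    if not votes:
        raise ValueError("no votes cast")
    bad = [v for v in votes if v not in CARDS]
    if bad:
        raise ValueError(f"votes {bad} are not card values")
    m = median(votes)
    return min(CARDS, key=lambda card: (abs(card - m), card))

def security_risk(item: BacklogItem) -> int:
    """Risk = ease of attack x total value of the assets the item exposes."""
    return consensus(item.ease_votes) * sum(item.asset_values.values())

def prioritise(items: List[BacklogItem]) -> List[Tuple[str, int]]:
    """Return (name, risk) pairs, highest risk first; ties keep backlog order."""
    return sorted(((it.name, security_risk(it)) for it in items),
                  key=lambda pair: -pair[1])

# Constructed sample: three stories from a hypothetical sprint-planning session.
SAMPLE = [
    BacklogItem("Export customer list as CSV", (5, 8, 5, 3),
                {"customer PII": 40, "billing records": 20}),
    BacklogItem("Add dark-mode toggle", (1, 1, 2, 1), {"UI preference": 1}),
    BacklogItem("Password reset by email link", (13, 8, 20, 13),
                {"user credentials": 100}),
]

if __name__ == "__main__":
    for name, risk in prioritise(SAMPLE):
        print(f"{risk:5d}  {name}")
```

The ordering places the password-reset story first even though the CSV export drew similar ease votes, because the credential asset is valued far higher; that asset weighting is what distinguishes the technique from plain effort estimation.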

Security Implementation

Poor implementation of security features can lead to software breaches [6]. Proper implementation of software security mechanisms can help identify and prevent software attacks. Security mechanisms for preventing software attacks include:

  • Secure Coding Rules: Are security practices adopted to prevent coding flaws. Well-established secure coding rules include adopting cryptographic standards, using secure third-party libraries, and avoiding the use of obsolete software functions. Other rules may include using programming guides and approved software tools [7].
  • Secure Code Reviews: Give practitioners the opportunity to apply new security skills by giving and receiving feedback. To help mitigate software breaches, it is good practice to involve reviewers with security expertise.
  • Hardening Sprints: Are agile sprints which focus on stabilising software source code to prepare for release. They are mainly dedicated to security reviews, software performance and quality improvement, as well as delivery.

Security Testing

Security testing is performed to evaluate security requirements (including availability, authentication, authorisation, integrity, confidentiality, and non-repudiation) and to validate a software system’s ability to withstand attacks. Specialised security testing techniques are used to assess software implementation.

  • Penetration Testing: Is a form of black-box security testing in which an actual attack is set up by a third party [8].
  • Automated Security Testing: Involves automated validation of security-related features. Automated security checks guard against regressions in the code and ensure that previously fixed software vulnerabilities do not recur.

Security Deployment and Maintenance

In this phase, the security controls that have been implemented are re-checked to ensure that the software is ready for deployment. Review sessions are performed to check security controls including static and dynamic configurations and container security before final software deployment. After deployment, a process of continuous software application monitoring is implemented to identify security vulnerabilities and address them promptly.

References
[1] C. M. M. Bezerra, S. C. B. Sampaio, and M. L. M. Marinho, “Secure Agile Software Development: Policies and Practices for Agile Teams,” in International Conference on the Quality of Information and Communications Technology, Cham, 2020, pp. 343-357.

[2] D. A. Barbosa and S. Sampaio, “Guide to the support for the enhancement of security measures in agile projects,” in 2015 6th Brazilian Workshop on Agile Methods (WBMA), 2015, pp. 25-31.

[3] M. Gondree, Z. N. Peterson, and T. Denning, “Security through play,” IEEE Security & Privacy, vol. 11, no. 3, pp. 64-67, 2013.

[4] E. Fernandez-Buglioni, Security Patterns in Practice: Designing Secure Architectures Using Software Patterns. John Wiley & Sons, 2013.

[5] M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, and P. Sommerlad, Security Patterns: Integrating Security and Systems Engineering. John Wiley & Sons, 2013.

[6] S. L. Kanniah and M. N. Mahrin, “A review on factors influencing implementation of secure software development practices,” International Journal of Computer and Systems Engineering, vol. 10, no. 8, pp. 3032-3039, 2016.

[7] M. Sodanil, G. Quirchmayr, N. Porrawatpreyakorn, and A. M. Tjoa, “A knowledge transfer framework for secure coding practices,” in 2015 12th International Joint Conference on Computer Science and Software Engineering (JCSSE), 2015, pp. 120-125.

[8] M. Felderer, M. Büchler, M. Johns, A. D. Brucker, R. Breu, and A. Pretschner, “Security testing: A survey,” in Advances in Computers, Elsevier, 2016, pp. 1-51.

[9] S. Kergroach, The Digital Transformation of SMEs. OECD Publishing, 2021.

[10] M. Comiter, “Attacking Artificial Intelligence: AI’s Security Vulnerability and What Policymakers Can Do About It,” Paper, Belfer Center for Science and International Affairs, Harvard Kennedy School, August 2019.