
A Regulatory Perspective: Embedding 'Security by Design' in Product Development

Building Secure Foundations: The Shift Towards Security by Design

“Security by Design” (SbD) is no longer just a best practice; it is an auditable regulatory expectation. A growing number of standards, frameworks and regulations now expect or require organizations to apply SbD principles as part of their data protection, privacy and cybersecurity compliance.

Traditionally, security has been reactive: addressed only after a system was built or, worse, after a breach had already occurred. The limitations of that approach drove the emergence of the “Security by Design” philosophy, which integrates security measures from the earliest stages of design and development. The principle has become a foundational part of the Software Development Lifecycle (SDLC), building security into the architecture of systems and products from the ground up.

Rather than relying solely on reactive methods such as scanning run-time systems or finding vulnerabilities after deployment, “Security by Design” prevents those risks much earlier in the process. It makes security a core element of the product development journey, reducing the likelihood of security flaws and the need for costly, time-consuming fixes later.

Regulators and international standards bodies have recognized the value of this approach. By incorporating “Security by Design” into their frameworks, they urge organizations to identify potential security gaps proactively and to embed robust safeguards from the inception of any product or system. This shift towards a preemptive security strategy is a significant evolution in how security is conceptualized and implemented across industries.

Relevance by Regulatory Framework

The tables below outline the “Security by Design” requirements in the current regulatory landscape and explain how Prime Security helps organizations meet both the procedural and the technological side of each requirement.

NIST

The National Institute of Standards and Technology (NIST) is a U.S. government agency that develops and promotes measurement standards, technology, and science to enhance economic security and quality of life.

Standard: NIST CSF 2.0
Control/Requirement ID: PR.PS-06 (Platform Security, PR.PS)
Control/Requirement Description: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.
Compliance with Prime: Prime incorporates secure development practices during the design phase and automatically identifies security risks.

Standard: NIST SP 800-53 Rev. 5
Control/Requirement ID: CA-02(02) Control Assessments | Specialized Assessments
Control/Requirement Description: Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing).
Compliance with Prime: Prime facilitates the early identification of security risks by conducting security assessments during the initial design stage of the system development life cycle.

Standard: NIST SP 800-53 Rev. 5
Control/Requirement ID: SA-03 System Development Life Cycle
Control/Requirement Description: a. Acquire, develop, and manage the system using an organization-defined system development life cycle that incorporates information security and privacy considerations.
Compliance with Prime: Prime incorporates security and privacy requirements into the organization's SDLC by identifying risks early in the design phase.

Standard: NIST SP 800-53 Rev. 5
Control/Requirement ID: SA-03 System Development Life Cycle
Control/Requirement Description: d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.
Compliance with Prime: Prime embeds the organization's security and privacy engineering principles, or industry best practices, into the design phase of the SDLC.

Standard: NIST SP 800-53 Rev. 5
Control/Requirement ID: SA-08 Security and Privacy Engineering Principles
Control/Requirement Description: Apply the organization-defined systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components. Ensure that the systems security and privacy engineering principles are applied throughout the system development life cycle.
Compliance with Prime: Prime embeds security and privacy requirements at the design stage, ensuring they are upheld throughout the SDLC.

Standard: NIST SP 800-53 Rev. 5
Control/Requirement ID: PM-07 Enterprise Architecture
Control/Requirement Description: Integrate security and privacy requirements and controls into the enterprise architecture to ensure they are addressed throughout the system development life cycle and are explicitly related to the organization's mission and business processes.
Compliance with Prime: Prime embeds security and privacy requirements at the design stage, ensuring they are upheld throughout the SDLC.

Standard: NIST SP 800-53 Rev. 5
Control/Requirement ID: RA-08 Privacy Impact Assessments
Control/Requirement Description: Conduct privacy impact assessments for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information.
Compliance with Prime: Prime identifies engineering tasks that could potentially cause privacy violations before they are started.

ISO

The International Organization for Standardization (ISO) is a global body that develops and publishes international standards for products, services, and systems across various industries.

Standard: ISO/IEC 27001:2022(E)
Control/Requirement ID: 8.26 Application security requirements
Control/Requirement Description: Control: Information security requirements shall be identified, specified and approved when developing or acquiring applications.
Compliance with Prime: Prime integrates into the organizational system development life cycle and detects and mitigates security gaps in the requirements given to systems and projects.

Standard: ISO/IEC 27001:2022(E)
Control/Requirement ID: 5.8 Information security in project management
Control/Requirement Description: Control: Information security shall be integrated into project management.
Compliance with Prime: Prime integrates information security into project management by embedding security requirements and risk assessments as early as possible in the development life cycle.

Standard: ISO/IEC 27002:2022(E)
Control/Requirement ID: 5.8 Information security in project management
Control/Requirement Description:

Control: Information security should be integrated into project management.

Purpose: To ensure information security risks related to projects and deliverables are effectively addressed in project management throughout the project life cycle.

Guidance: Information security should be integrated into project management to ensure information security risks are addressed as part of the project management. This can be applied to any type of project regardless of its complexity, size, duration, discipline or application area (e.g. a project for a core business process, ICT, facility management or other supporting processes).

The project management in use should require that:

  • a) information security risks are assessed and treated at an early stage and periodically as part of project risks throughout the project life cycle;
  • b) information security requirements [e.g. application security requirements (8.26), requirements for complying with intellectual property rights (5.32), etc.] are addressed in the early stages of projects;
  • c) information security risks associated with the execution of projects, such as security of internal and external communication aspects are considered and treated throughout the project life cycle;

Early consideration of information security requirements for the product or service (e.g. at the planning and design stages), can lead to more effective and cost-efficient solutions for quality and information security.

Compliance with Prime: Prime integrates information security into project management by ensuring that security risks are assessed and treated early and periodically throughout the project life cycle. It incorporates security requirements, such as application security and intellectual property compliance, from the planning and design stages, leading to more effective and cost-efficient solutions.

Standard: ISO/IEC 27002:2022(E)
Control/Requirement ID: 8.25 Secure development life cycle
Control/Requirement Description:

Control: Rules for the secure development of software and systems should be established and applied.

Purpose: To ensure information security is designed and implemented within the secure development life cycle of software and systems.

Guidance:

  • c) security requirements in the specification and design phase (see 5.8);
Compliance with Prime: Prime helps establish and apply rules for the secure development of software and systems by embedding information security requirements into the specification and design phases of the development life cycle. This ensures that security is integrated from the outset, providing a foundation for building robust and secure applications.

Standard: ISO/IEC 27002:2022(E)
Control/Requirement ID: 8.27 Secure system architecture and engineering principles
Control/Requirement Description:

Control: Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities.

Purpose: To ensure information systems are securely designed, implemented and operated within the development life cycle.

Guidance: Security engineering principles should be established, documented and applied to information system engineering activities. Security should be designed into all architecture layers (business, data, applications and technology). New technology should be analyzed for security risks and the design should be reviewed against known attack patterns. Secure engineering principles provide guidance on user authentication techniques, secure session control and data validation and sanitisation.

Secure system engineering should involve:

  • a) the use of security architecture principles, such as "security by design", "defense in depth", "security by default", "default deny", "fail securely", "distrust input from external applications", "security in deployment", "assume breach", "least privilege", "usability and manageability" and "least functionality";
  • b) a security-oriented design review to help identify information security vulnerabilities, ensure security controls are specified and meet security requirements;
  • c) documentation and formal acknowledgement of security controls that do not fully meet requirements (e.g. due to overriding safety requirements);
  • d) hardening of systems.
Compliance with Prime: Prime helps organizations establish, document, and maintain secure system engineering principles throughout the development life cycle, ensuring security is integrated into all architecture layers: business, data, applications, and technology. It supports security-by-design practices such as "defense in depth", "least privilege", and "default deny", while guiding security-oriented design reviews to identify vulnerabilities and ensure adequate controls are in place.
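As an added illustration of three of the principles named in 8.27 a) above ("default deny", "fail securely" and "distrust input from external applications"), the following Python is example code written for this page; it is not code from the white paper or from Prime, and the policy table, the user directory and the user names in it are constructed sample data. It places an authorization check written fail-open beside the same check written to default deny, so the difference in behaviour when the role lookup fails is visible:

```python
"""Added example: 'default deny', 'fail securely' and 'distrust input from
external applications' (ISO/IEC 27002:2022 8.27 a) shown as code.
All data below is constructed sample data; none of this is Prime's code."""

# Constructed sample policy: role -> set of permitted actions. Anything not
# listed is denied (default deny).
POLICY = {
    "viewer": {"read"},
    "editor": {"read", "write"},
}

# Closed allow-list of action names the service understands at all.
ALLOWED_ACTIONS = frozenset({"read", "write", "delete"})


def lookup_role(user_id: str) -> str:
    """Stand-in for an identity lookup against an external directory.

    Raises LookupError for an unknown user, the way a real directory
    call would raise on a 404 or a timeout. Constructed sample data."""
    directory = {"alice": "viewer", "bob": "editor"}
    if user_id not in directory:
        raise LookupError(f"unknown user {user_id!r}")
    return directory[user_id]


def is_allowed_fail_open(user_id: str, action: str) -> bool:
    """Anti-pattern: a failed role lookup is treated as 'no restriction'.

    A directory outage, or simply a user id that does not exist, grants
    every action. An unknown role is likewise mapped to all actions."""
    try:
        role = lookup_role(user_id)
    except LookupError:
        return True                                   # fails open
    return action in POLICY.get(role, ALLOWED_ACTIONS)  # unknown role -> everything


def is_allowed(user_id: str, action: str) -> bool:
    """Default deny, fail securely, distrust input.

    - the action is validated against the closed allow-list before any
      lookup, so unexpected input never reaches the policy;
    - any failure in the role lookup yields False, never True;
    - an unknown role maps to the empty set, so nothing is permitted."""
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        return False                                  # distrust input
    try:
        role = lookup_role(user_id)
    except LookupError:
        return False                                  # fail securely
    return action in POLICY.get(role, frozenset())    # default deny


if __name__ == "__main__":
    for check in (is_allowed_fail_open, is_allowed):
        print(check.__name__, "mallory/delete ->", check("mallory", "delete"))
        print(check.__name__, "alice/write   ->", check("alice", "write"))
        print(check.__name__, "bob/write     ->", check("bob", "write"))
```

For a user who is not in the directory, `is_allowed_fail_open("mallory", "delete")` returns True because the `except` branch allows the request, while `is_allowed` returns False for the same input and also rejects any action outside the allow-list before a lookup is attempted. Catching fail-open branches of this kind is exactly what the security-oriented design review in item b) above is meant to do, before the code reaches a pipeline.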

PCI DSS v4.0

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

Control/Requirement ID: Requirement 6: Develop and Maintain Secure Systems and Software, 6.2.1
Control/Requirement Description: Bespoke and custom software are developed securely, including by incorporating consideration of information security issues during each stage of the software development lifecycle.
Compliance with Prime: Prime incorporates information security considerations during the design stage of the software development lifecycle, ensuring that potential risks are identified and addressed early. This proactive approach reduces the likelihood of discovering security vulnerabilities at later stages, minimizing costly rework and enhancing overall system security.

HITRUST

The HITRUST CSF (Common Security Framework), maintained by HITRUST (Health Information Trust Alliance), is a comprehensive security framework designed originally for the healthcare industry. It combines and harmonizes various standards and regulations, including HIPAA, PCI DSS, and ISO, to give organizations a unified approach to managing information security and privacy risk in healthcare.

Control/Requirement ID: Control Category 10.0 - Information Systems Acquisition, Development, and Maintenance
Control/Requirement Description:

Control Objective: To ensure that security is an integral part of information systems.

Control Specification: Statements of business requirements for new information systems (developed or purchased), or enhancements to existing information systems shall specify the requirements for security controls.

Specifications for the security control requirements include security controls to be incorporated in the information system, and supplemented by manual controls as needed. Further, security control requirements are considered when evaluating software packages, either developed or purchased.

Compliance with Prime: Prime ensures that security is an integral part of information systems by embedding security control requirements into the specifications for new or enhanced systems. This ensures that security requirements are considered from the outset.

CSA Cloud Controls Matrix v4.0.12

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a cybersecurity control framework specifically designed for cloud computing environments. It provides a comprehensive set of cloud-specific security controls to help organizations assess and improve their cloud security posture, align with various regulations, and enhance overall risk management in cloud deployments.

Control/Requirement ID: Application & Interface Security, Secure Application Design and Development (AIS-04)
Control/Requirement Description: Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.
Compliance with Prime: Prime integrates the organization's security requirements into the SDLC by identifying risks and defining security controls during the application design phase.

Control/Requirement ID: Data Security and Privacy Lifecycle Management, Data Protection by Design and Default (DSP-07)
Control/Requirement Description: Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
Compliance with Prime: Prime enables the development of systems, products, and business practices based on the principle of security by design and aligned with industry best practices. It incorporates security requirements from the outset, ensuring that security is embedded throughout the development process.

Control/Requirement ID: Data Security and Privacy Lifecycle Management, Data Privacy by Design and Default (DSP-08)
Control/Requirement Description: Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
Compliance with Prime: Prime automatically identifies potential privacy violations during the design stage, ensuring that privacy requirements are integrated from the outset. It helps configure systems' privacy settings by default to comply with applicable laws and regulations, following the principle of privacy by design and industry best practices.

COBIT 5

Control Objectives for Information and Related Technologies (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It provides a set of best practices for aligning IT with business objectives, optimizing IT resources, and managing IT-related risks and controls across an organization.

Control/Requirement ID: BAI01 - Manage Programmes and Projects, BAI01.09 - Manage programme and project quality
Control/Requirement Description: 1. Identify assurance tasks and practices required to support the accreditation of new or modified systems during programme and project planning, and include them in the integrated plans. Ensure that the tasks provide assurance that internal controls and security solutions meet the defined requirements.
Compliance with Prime: Prime identifies compliance and regulatory violations at the design stage, ensuring that any issues are addressed early to support the accreditation of new or modified systems. By integrating these assurance tasks into project planning, it provides confidence that internal controls and security solutions meet defined requirements from the outset.

Control/Requirement ID: BAI02 - Manage Requirements, BAI02.04 - Obtain approval of requirements and solutions
Control/Requirement Description: 1. Ensure that the business sponsor or product owner makes the final decision with respect to the choice of solution, acquisition approach and high-level design, according to the business case. Coordinate feedback from affected stakeholders and obtain sign-off from appropriate business and technical authorities (e.g., business process owner, enterprise architect, operations manager, security) for the proposed approach.
Compliance with Prime: Prime enables the business sponsor or product owner to make informed decisions on the solution, acquisition approach, and high-level design by identifying security risks early in the design stage. It provides insight into potential vulnerabilities and gathers feedback from stakeholders, ensuring that decisions are aligned with both business objectives and security requirements.

Control/Requirement ID: BAI03 - Manage Solutions Identification and Build, BAI03.01 - Design high-level solutions
Control/Requirement Description: 3. Create a design that is compliant with the organization's design standards, at a level of detail that is appropriate for the solution and development method and consistent with business, enterprise and IT strategies, the enterprise architecture, security plan, and applicable laws, regulations and contracts.
Compliance with Prime: Prime ensures that designs comply with organizational standards by identifying security requirements and risks early in the development process. It aligns the design with business, enterprise, and IT strategies, the enterprise architecture, security plans, and relevant laws, regulations, and contracts.

Control/Requirement ID: BAI03 - Manage Solutions Identification and Build, BAI03.02 - Design detailed solution components
Control/Requirement Description: 9. Proactively evaluate for design weaknesses (e.g., inconsistencies, lack of clarity, potential flaws) throughout the life cycle, identifying improvements when required.
Compliance with Prime: Prime identifies security flaws during the design phase by evaluating potential weaknesses such as inconsistencies, ambiguities, and vulnerabilities. It provides early insight and recommendations for improvement, ensuring that security issues are addressed before they progress further in the development life cycle.

Institute of Internal Auditors

The Institute of Internal Auditors (IIA) is a global professional association that serves as the primary advocate, educator, and standard-setter for the internal audit profession. It provides guidance, certifications, and resources to enhance the effectiveness of internal auditors in various industries, promoting ethical practices and professional excellence in risk management, control, and governance processes.

Control/Requirement ID: F. How the organization addresses cybersecurity within its system development life cycle, including the following control aspects
Control/Requirement Description: 1. Planning: Cybersecurity has been identified as a key component when assessing risks and analyzing potential vulnerabilities. The scope and objectives of the software implementation should be included as the organization evaluates cybersecurity controls during the planning phase.
Compliance with Prime: Prime integrates cybersecurity risk assessments and compliance checks throughout the planning, requirements-gathering, and design phases of the SDLC. It identifies vulnerabilities early, ensures alignment with legal and regulatory standards, and recommends the security controls that should be applied.

Prime also enables cybersecurity auditors to run an effective audit process, including formal audit evidence gathering, to confirm that security controls are being implemented at the design stage.

OWASP ASVS v4.0.3

Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving the security of software. It provides freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Control/Requirement ID: V1.1 Secure Software Development Lifecycle, 1.1.1
Control/Requirement Description: Verify the use of a secure software development lifecycle that addresses security in all stages of development.
Compliance with Prime: Prime integrates into the design phase of the SDLC and puts the proper security practices in place before actual development starts.

CIS

The Center for Internet Security (CIS) is a nonprofit organization that develops and promotes best practice standards for cyber defense. CIS provides benchmarks, controls, and tools to help organizations improve their cybersecurity posture, with a focus on creating and maintaining consensus-based, vendor-agnostic security configuration guidelines for various IT systems and software.

Control/Requirement ID: Control 16 - Application Software Security, Safeguard 16.1
Control/Requirement Description: Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Compliance with Prime: Prime enables organizations to establish and maintain a secure application development process by identifying risks early and recommending security requirements aligned with best practices.

GDPR

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law, adopted in 2016 and applicable since 25 May 2018. It sets strict rules for how organizations must handle the personal data of EU residents, including requirements for consent, data protection measures, and individuals' rights over their data.

Control/Requirement ID: Article 25 - Data protection by design and by default
Control/Requirement Description: 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Compliance with Prime: Prime helps organizations comply with data protection regulations by identifying cybersecurity and privacy risks during the design stage of the SDLC.

European Commission, Cyber Resilience Act

The European Commission is the executive branch of the European Union (EU). It proposes and enforces legislation, implements policies, and manages the day-to-day operations of the EU.

Control/Requirement ID: Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (the text quoted here is from the Commission's proposal; the Act has since been adopted as Regulation (EU) 2024/2847)
Control/Requirement Description: (1) Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's life cycle.
Compliance with Prime: Prime enables the development of secure products with digital elements by identifying vulnerabilities early in the design phase and ensuring they are minimized before market release.

Monetary Authority of Singapore

The Monetary Authority of Singapore (MAS) is Singapore's central bank and integrated financial regulator. It oversees all financial institutions in Singapore, manages the country's exchange rate, operates its monetary policy, and works to ensure financial stability.

Standard: MAS Technology Risk Management Guidelines
Control/Requirement ID: 5.4 System Development Life Cycle and Security-By-Design, 5.4.2
Control/Requirement Description: The security-by-design approach refers to building security in every phase of the SDLC in order to minimise system vulnerabilities and reduce the attack surface. The FI should incorporate security specifications in the system design, perform continuous security evaluation, and adhere to security practices throughout the SDLC.
Compliance with Prime: Prime implements a security-by-design approach by embedding specific security requirements during the design phase of the SDLC to minimize vulnerabilities and reduce the attack surface. It continuously evaluates the system for security risks and ensures adherence to best practices throughout development.

Standard: MAS Technology Risk Management Guidelines
Control/Requirement ID: 5.6 System Design and Implementation, 5.6.1
Control/Requirement Description: As part of the design phase, the FI should review the proposed architecture and design of the IT system, including the IT controls to be built into the system, to ensure they meet the defined requirements, before implementation.
Compliance with Prime: Prime facilitates the review of the proposed IT system architecture and design during the design phase to ensure that all security controls align with defined requirements.

The Future of Security by Design in Agile and CI/CD Environments

The evolution of Security by Design from an optional best practice into a regulatory expectation reflects the growing importance of cybersecurity. As threats continue to evolve, organizations can no longer afford to treat security as an afterthought. SbD makes security a foundational element of system architecture, and compliance with international standards is critical to maintaining secure, resilient systems. By embracing SbD principles, organizations can protect their assets, meet regulatory requirements, and build trust with users in an increasingly interconnected digital landscape.

The rise of Agile development, together with Continuous Integration and Continuous Delivery (CI/CD) practices, presents new challenges to today's largely manual approaches. As CI/CD pipelines shorten development and deployment cycles, human security architects have less capacity to deliver timely and precise security guidance, and the security review risks becoming a blocker to the business. To address these challenges, the “Security by Design” framework must be reinforced by automated software tools, such as Prime, that integrate security checks and controls into the accelerated development process.
