LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What does Security by Design mean?

Build security into the system from the first day of design, and consider it in every phase of the lifecycle — not as a bolt-on at the end.

The opposite is "build the feature, ship it, then have a security review tell us what's broken." That approach is catastrophically more expensive — the further into the lifecycle a flaw is found, the more rework it costs to fix.

What "from the start" looks like in practice:

  • Requirements: security requirements alongside functional ones (data sensitivity, threat model, regulatory needs).
  • Design: threat modelling (STRIDE, attack trees) before any code.
  • Implementation: secure coding standards, automated SAST in CI.
  • Testing: DAST, fuzzing, pen-testing.
  • Deployment: hardened configs, secrets management.
  • Maintenance: patch cadence, vulnerability monitoring, incident response.

Why it matters: a SQL-injection bug caught in design review costs maybe an hour of conversation. The same bug caught in production might cost a breach disclosure, regulatory fines, and rebuilding customer trust.

Tip: "Shift left" is the modern slogan for the same idea — move security activities earlier in the development pipeline.

From Quiz: ISF / Session Handling & Login Protocols | Updated: May 31, 2026