
Security-By-Design: Or… Better Safe Than Sorry!


Far too often security is the final afterthought of a Digital Transformation project


Software Developer: “I’ve built this really cool ‘feature’; now I must make it secure!”

Security Architect: Facepalm!


Sound familiar?

You may have come across it in your own Digital Transformation project or (hopefully not) been a victim of this kind of thinking further down the line, when it was far too late to do anything truly effective about it without spending a fortune in time and resources retrofitting a new solution.

That’s where one of cloudThing’s guiding principles comes in… Security-By-Design.


In recent years it’s been good to see that Security-By-Design has started to gain a lot more prominence, becoming a mainstream development approach for many that aims to make a system secure from the very start, rather than scrambling to patch up vulnerabilities as they’re noticed, either at the end of a project or, worse, during a breach.

It’s an approach to software (and hardware) development with a stated aim of making a system as free from vulnerabilities as possible; ideally making it impervious to attack through measures such as Continuous Improvement (or in cloudThing’s parlance, Build Future), Continuous Testing, multifactor authentication safeguards and strict adherence to software development best practices.


Sounds great doesn’t it?

Unfortunately, Security-By-Design is still very much in its infancy, with many developers still only giving it a passing acknowledgement.

Far too often at cloudThing, when speaking to new clients, our software developers come across the same security errors and vulnerabilities time and time again.


Does this mean software developers are just lazy by nature? Or incompetent?

Of course not!


The problem is often one of culture and what various, different departments are held accountable for.

When starting a project, the development team will be asked to build a ‘feature’ and all their time and effort will likely go into making that ‘feature’ as great as possible.

Often security won’t be an issue till long after the ‘feature’ has gone live, so it receives little attention in development stages.


You see the problem that cloudThing’s founders saw a long time ago though, don’t you?

That’s no way to future proof a business – or Build Future as we say here.

What Is Security-By-Design?

Security-By-Design is the opposite of Security-After-The-Fact.

Security-By-Design is defined as an approach to software development in which security is built into the system from the very beginning.

When considering a Digital Transformation project, a company that prioritises Security-By-Design (*cough, cloudThing, cough) will create software that’s been built from the ground up to be secure.

A risk led approach will favour considering, adapting, rejecting, testing and finally optimising multiple, different, security controls and then ensuring only the very best are built into the project’s architecture throughout its design, whilst being used as guiding governance by the software developers involved. With each new release or patch that comes after that, the security of the release and how it interacts with the system as a whole will be a primary concern.


You see, Cyber actors/Cyber criminals are lazy.

They’ll always target organisations that offer them up the path of least resistance.

That means, when attacking a system, they’ll likely use well known and predictable tactics, tools and patterns, known in the industry as reusable techniques.

Any Security Auditor worth their salt can apply security controls to combat these threats against a system by utilising approaches such as enforcing multifactor authentication, authorization, confidentiality, data integrity, privacy, accountability, safety and non-repudiation requirements for if/when your organisation comes under attack.


Think of it as though you’re building a bank if you like…

Of course, you want a beautiful building, with gorgeous architecture to attract clients but you don’t just say “oh… we’ve built it now, better throw a padlock on the front door”.

When building it you construct foundations that can’t be tunnelled through, walls that are blast proof, all entrances covered by hi-tech security and a great big, state of the art vault in the middle of the building.

That’s the real difference between Security-By-Design and Security-After-The-Fact.

Why Is Security-By-Design Important?

Well, as already mentioned, the obvious answer to that question is that a system built to Security-By-Design principles is much more secure… by several orders of magnitude in fact.

And, although that’s a great reason, it’s not the only one…


Security-By-Design will actually reduce your overall costs and mitigate many future risks.

Think about the last project you were involved in.

We’re willing to bet that the last month or so is where you faced the most budget and time constraints.


Ask yourself… Is that really the best place to be considering the security of your entire system and organisation? (You don’t need to answer that by the way, the answer’s pretty obvious).


A Security-By-Design system will always end up more resilient than a hastily added patch at the end of a project as, by implementing security measures in a step-by-step process throughout the project, you allow your designers to identify security flaws as they go, enabling them to quickly, easily (and cheaply) fix them, rather than having to overhaul the entire project at the end.

Identifying security-related bugs early means they can be on the lookout for similar flaws, preventing further problems in the build process or, worse, production.


Finally, the last point many forget when building a new system is that it isn’t an ‘end-goal’ in and of itself. It will continue to organically grow, adapt and evolve over time as your organisation does.

If you’ve taken a Security-After-The-Fact approach then any future modifications to your system may well invalidate your entire security protocol without you even realising it, creating new risks for your organisation as well as multiple opportunities for malicious cyber actors.

That doesn’t happen with a Security-By-Design approach as your security is an inherent part of the system, not a bunch of controls stuck on around the edges.

Building A Culture Of Security-By-Design

All the above is well and good but skips over the most important step of all, building a culture of security within your organisation.

It has to start with a positive relationship between those commissioning the project and those building it, with everyone’s goals and values being aligned from the off.


“Security-by-design breaks down traditional development/security silos, making security part of everyone’s role, which means everyone is both empowered and responsible for delivering a secure solution.”

Tony Leary – cloudThing Principal Architect
