Secure by Design is a software development philosophy that treats security as a foundational requirement rather than an afterthought.
Instead of building a product first and bolting on security fixes later, Secure by Design demands that security considerations are embedded into every stage of the development lifecycle — from architecture and design through coding, testing, deployment, and maintenance.
The core idea is straightforward: If you build something securely from the ground up, your users are protected by default rather than only when they know how to flip the right settings or when security gaps are fixed after the fact.
In practical terms, this means adopting several core security principles:
- Least privilege ensures that processes, agents — AI or otherwise — containers, and system services receive only the minimum access they need.
- Secure defaults make sure products ship with the safest configuration enabled out of the box.
- Defense in depth layers multiple security controls so no single failure becomes catastrophic.
And organizations can further strengthen resilience by eliminating entire classes of vulnerabilities through safer languages, frameworks, and design patterns.
Why was the Secure by Design approach introduced?
For decades, many players in the technology industry operated under a “ship fast, patch later” model. One consequence of that legacy is that cybersecurity can be seen as just a cost center — something that slows releases and frustrates developers. The impacts are playing out in real time: constant vulnerability disclosures, rushed emergency patches, and breaches that drain billions from organizations while exposing the personal data of hundreds of millions of people.
The Ivanti Connect Secure vulnerabilities, the Log4Shell exploit in a ubiquitous open-source library, and the MOVEit Transfer vulnerabilities all demonstrated that reactive security simply cannot keep pace with determined adversaries.
Recognizing this imbalance, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — together with international partners — published formal Secure by Design guidance in 2023, urging technology manufacturers to take ownership of their customers' security outcomes.
Secure by Design principles argue that the burden of security should rest with the vendors who build technology products, not the end users who deploy them. This requires vendors to rethink how they prioritize speed and additional features, and to treat security as a core design requirement rather than a bolt-on enhancement. The shift moves the industry away from blaming users for failing to patch promptly and toward holding manufacturers accountable for shipping products that are secure from day one — even if that means slowing feature delivery or re-engineering legacy approaches to reduce systemic risk.
Why Secure by Design matters most for cybersecurity solutions
That even security tools can become the entry point for an attack is a striking reminder of what is at stake. Yet it happens with alarming regularity.
This highlights a critical weakness for many organizations: Once a perimeter device is exposed, attackers will keep coming back to it until it is fully secured. Firewalls and other edge systems can remain vulnerable even after a fix is available. Across all confirmed exploited vulnerabilities in a recent analysis of incidents Sophos remediated, the median time between a vendor publishing an advisory or patch and an attacker exploiting that flaw was 322 days — almost a full year of opportunity for adversaries. Cybersecurity vendors can’t assume users are going to patch immediately.
The privileged position problem
Cybersecurity tools operate in the most sensitive and privileged parts of an organization's infrastructure. Endpoint detection agents run with kernel-level access. SIEM platforms ingest logs from every system. Identity providers hold the keys to every account. Firewalls sit at the boundary between trusted and untrusted networks.
When security products sit at the heart of an organization’s defenses, they carry a heightened responsibility to follow Secure by Design principles. Vendors in our industry play a critical role in protecting customers, and that trust comes with expectations around how products are engineered.
This privileged position means that a vulnerability in a security product doesn't just expose the product itself; it exposes everything the product was designed to protect. An attacker who compromises an endpoint detection and response (EDR) agent doesn't just own one tool — they own the endpoint with the highest privileges. A flaw in a VPN appliance doesn't just break remote access; it hands an adversary a direct tunnel past every perimeter control.
What happens when Secure by Design is ignored?
The consequences of neglecting Secure by Design principles are well documented: they leave businesses, users, and the internet as a whole less safe.
- Escalating breach costs. When vulnerabilities are discovered post-release, fixing them is exponentially more expensive than addressing them during development.
- Erosion of trust. Customers, regulators, and partners lose confidence in organizations that suffer repeated security incidents. Reputation damage can outlast the technical remediation by years.
- Regulatory and legal exposure. Governments worldwide are tightening cybersecurity regulations. The European Union's Cyber Resilience Act, for example, will impose mandatory security requirements on products with digital elements sold in Europe. Organizations that ignore Secure by Design principles risk non-compliance, fines, and market exclusion.
- National security risks. Critical infrastructure — power grids, water treatment, healthcare systems — increasingly relies on internet-connected devices and systems. Insecure-by-default products in these environments create openings for state-sponsored adversaries and ransomware operators, with potential consequences that could upend someone’s everyday life.
- Perpetual patch fatigue. Without secure foundations, organizations are trapped in a reactive loop: scanning for vulnerabilities, prioritizing patches, testing updates, and deploying fixes — repeatedly. This drains resources that could be spent on deeper cybersecurity investigations.
Sophos’ commitment to Secure by Design
On May 8, 2024, Sophos became one of the first organizations to commit to CISA’s Secure by Design initiative, which focuses on seven core pillars of technology and product security:
- Multi-factor authentication.
- Default passwords.
- Reducing entire classes of vulnerability.
- Security patches.
- Vulnerability disclosure policy.
- CVEs.
- Evidence of intrusions.
Aligned with our core organizational values around transparency, Secure by Design has been a guiding force as we continually evaluate and improve our security practices.
We have published our pledges for improvement and publicly share the progress we are making against the seven core pillars of the Secure by Design framework. Of course, cybersecurity is constantly evolving and the job is never “done.” Continuing to refine and enhance the application of Secure by Design principles across our portfolio is an ongoing — and central — part of our ethos.
As just one example, the latest version (v22) of Sophos Firewall further extends the Secure by Design capabilities of the solution, including:
- A new Health Check feature to reduce the risk of a misconfiguration leading to a potential attack.
- An all-new containerized control plane re-architected for maximum security and scalability that eliminates a whole class of vulnerabilities.
- A Sophos XDR Linux Sensor that enables our own security teams to monitor the system integrity of our entire customer base in real time, so that attacks can be identified and responded to more quickly.
- Firmware updates that are encrypted and certificate-pinned for authenticity.
Together, the changes in v22 and previously delivered capabilities in Sophos Firewall strengthen forensic visibility, logging, and protective monitoring. These enhancements also support closer alignment with many of the areas covered by the U.K. National Cyber Security Centre’s guidance for network devices.
Additionally, our work in the Pacific Rim campaign gave us a front-row view into how determined, well-resourced threat actors operate — and what it really takes to defend against them. The campaign reinforced that adversaries aren’t waiting for weaknesses to appear; they’re actively hunting for design shortcuts, configuration gaps, and unpatched systems across global infrastructure. That experience directly shaped our Secure by Design approach.
It underlined that modern defenses must start with reducing the attack surface at the product level, building in strong defaults, tightening authentication paths, and eliminating opportunities for misuse long before a vulnerability ever makes it into the wild.
The path forward
Secure by Design doesn't eliminate all vulnerabilities, nor does it absolve organizations from ongoing vigilance. But it has become foundational to cybersecurity and to reducing the attack surface. The question is no longer whether Secure by Design is a good idea. It is how quickly it is adopted.