Which statement best defines secure by design in software development?

Multiple Choice

Which statement best defines secure by design in software development?

Explanation:
Secure by design means weaving security into every stage of software development, not tacking it on after things break. It starts with requirements and design, where threats are identified and mitigations planned through activities like threat modeling. It continues through coding with secure practices—validating inputs, enforcing least privilege, careful memory and error handling—and across testing efforts, including static analysis, dynamic testing, and security-focused tests, throughout the development, integration, and release processes. The aim is to shrink the attack surface and build resilience from the outset, so the software remains safer in production and easier to maintain over time.

This approach reduces risk and cost by catching vulnerabilities early, when fixes are cheaper and less disruptive, and supports ongoing risk management through continuous improvement and monitoring. In contrast, security added after deployment reacts to issues rather than preventing them; relying solely on network perimeter controls ignores vulnerabilities inside the application and the broader system; prioritizing functionality with security as a later consideration leaves weaknesses that attackers can exploit long after development.
