Security by Design
Also Known As
secure by design
security-first design
shift-left security
TL;DR
Integrating security requirements into software architecture and design from the very beginning, rather than bolting it on afterwards.
Explanation
Security by Design (SbD) means security is a first-class requirement alongside functionality — considered during threat modelling, system architecture, data flow design, and API contracts, not discovered during a pre-release penetration test. Core principles include: minimise attack surface, apply least privilege at every layer, use defence in depth, fail securely (default-deny), avoid security through obscurity, keep design simple (complexity breeds vulnerabilities), and separate duties. For PHP projects this means: choosing framework defaults that are secure out of the box, designing data flows that never touch user input without sanitisation, and reviewing every new feature through a threat-model lens.
Common Misconception
✗ Security by design means adding security features to an application. It means designing the system so insecure states are structurally impossible — e.g. an API that cannot return another user's data by construction, not by a check that could be forgotten.
Why It Matters
Security by design builds security into architecture decisions from the start — it is far cheaper to design out a vulnerability than to patch it after deployment, and some flaws cannot be patched without restructuring.
Common Mistakes
- Security as a final phase ('we'll add security later') — architectural flaws cannot be patched.
- Designing for the happy path only — not considering what happens when inputs are malicious.
- No threat modelling in the design phase — security gaps are discovered in production.
- Prioritising features over security constraints in early sprints — security debt compounds quickly.
Code Examples
✗ Vulnerable
// Design that makes security impossible to add later:
class UserController {
// All user data in one object — cannot restrict field visibility per role
// No audit log hook points — cannot add logging without rewriting
// Direct DB calls everywhere — cannot add encryption layer without touching all code
// Feature shipped — security 'added later' means full rewrite
}
✓ Fixed
// Security by design — bake it in from the start
// 1. Default deny
class Policy {
public function can(User \$user, string \$action, mixed \$resource): bool {
return false; // deny by default — explicitly grant per action
}
}
// 2. Fail securely — errors don't open access
function getUser(int \$id): User {
return User::findOrFail(\$id); // throws, not returns null
}
// 3. Immutable value objects — can't enter invalid state
readonly class Email {
public function __construct(public string \$value) {
if (!filter_var(\$value, FILTER_VALIDATE_EMAIL))
throw new \InvalidArgumentException("Invalid email: \$value");
}
}
// 4. Least privilege — each component gets minimum permissions it needsReferences
Tags
🤝 Adopt this term
£79/year · your link shown here
Added
15 Mar 2026
Edited
22 Mar 2026
Views
28
🤖 AI Guestbook educational data only
|
|
Last 30 days
Agents 1
No pings yesterday
Amazonbot 9
Perplexity 5
Google 3
Unknown AI 2
Ahrefs 2
SEMrush 2
ChatGPT 1
Also referenced
How they use it
crawler 23
crawler_json 1
Related categories
⚡
DEV INTEL
Tools & Severity
🔵 Info
⚙ Fix effort: High
⚡ Quick Fix
Run a threat model before writing code: identify trust boundaries, entry points, sensitive data, and the top 3 most likely attack scenarios
📦 Applies To
PHP 5.0+
web
api
cli
🔗 Prerequisites
🔍 Detection Hints
Absence of threat model documentation security requirements or security review in development process
Auto-detectable:
✗ No
⚠ Related Problems
🤖 AI Agent
Confidence: Low
False Positives: High
✗ Manual fix
Fix: High
Context: File