6.1. Security and Privacy by Design
6.1.1. Security by Design
Security by design means weaving security considerations into every phase of the software development lifecycle. Rather than adding on protections at the end or fixing problems later, we anticipate threats and integrate defensive measures from the start and at every stage. This approach minimises:
the number of vulnerabilities appearing later in the process or after installation, and
future costs of fixing any vulnerabilities that are discovered.
To achieve security by design, the software developer or developers need to:
develop the software by following proper development procedures
adopt a culture of security
Adopting a culture of security means that developers place security as one of the main priorities of any project and proactively take steps to ensure it.
6.1.2. Privacy by Design
Closely related to security by design is privacy by design. Modern web applications often handle sensitive data such as personally identifiable information and browsing history. By developing software with privacy by design, developers protect both their users and their organisation from leaks and legal issues.
The Information and Privacy Commission of NSW provides a fact sheet on key principles for privacy by design:
Proactive not reactive, preventative not remedial
Take a proactive approach, anticipating risks and preventing privacy-invasive events before they occur.
Privacy as a default setting
Automatically protect personal information in IT systems and business practices as the default.
Privacy embedded into design
Embed privacy into the design of any systems, services, products and business practices. You should ensure that privacy becomes one of the core functions of any system or service.
Full functionality: positive-sum not zero-sum
Incorporate all legitimate interests and objectives in a ‘win-win’ manner, not through a ‘zero-sum’ (either/or) approach. This will avoid unnecessary trade-offs, such as privacy versus security, demonstrating that it is possible to have both.
End-to-end security – full lifecycle protection
Put in place strong security measures throughout the ‘lifecycle’ of the information involved. Process personal information securely and then destroy it securely when you no longer need it.
Visibility and transparency – keep it open
Ensure that whatever business practice or technology you use operates according to the stated promises and objectives and is independently verifiable. Make people fully aware of the personal information being collected, and for what purpose.
Respect for user privacy – keep it user centric
Keep the interest of individuals paramount in the design and implementation of any system or service. You can do this by offering strong privacy defaults and user-friendly options, as well as ensuring appropriate notice is given.
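The "privacy as a default setting", "end-to-end security" and "visibility and transparency" principles above, shown as an added Python example that is not part of the fact sheet or this chapter. The 30-day retention window, the sample user and the visit timestamps are assumed values chosen for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed retention window for browsing history; a real policy sets its own value.
HISTORY_RETENTION = timedelta(days=30)

@dataclass
class PrivacySettings:
    """Privacy as the default setting: every data-collecting option starts off."""
    keep_browsing_history: bool = False

@dataclass
class UserRecord:
    user_id: str
    email: str
    settings: PrivacySettings = field(default_factory=PrivacySettings)
    history: list = field(default_factory=list)  # (timestamp, url) pairs

def record_visit(user: UserRecord, url: str, when: datetime) -> bool:
    """Store a browsing-history entry only when the user explicitly opted in."""
    if not user.settings.keep_browsing_history:
        return False          # data minimisation: nothing is written by default
    user.history.append((when, url))
    return True

def enforce_retention(user: UserRecord, now: datetime) -> int:
    """Full lifecycle protection: discard history older than the retention
    window. Returns how many entries were removed."""
    cutoff = now - HISTORY_RETENTION
    kept = [(t, u) for (t, u) in user.history if t >= cutoff]
    removed = len(user.history) - len(kept)
    user.history = kept
    return removed

def data_inventory(user: UserRecord) -> dict:
    """Visibility and transparency: report what is held about the user and why."""
    held = {"email": "account login and security notices"}
    if user.settings.keep_browsing_history:
        held["browsing_history"] = f"opt-in feature, kept {HISTORY_RETENTION.days} days"
    return held

# Constructed sample data: one visit older than the retention window, one recent.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_VISITS = [(NOW - timedelta(days=40), "https://example.com/old"),
                 (NOW, "https://example.com/new")]
```

With the defaults, `record_visit` stores nothing; after an explicit opt-in, `enforce_retention` run at `NOW` removes the 40-day-old entry and `data_inventory` lists the history together with its purpose and retention period.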