Key takeaways:
Security by design means prioritizing cybersecurity throughout the entire software product lifecycle, from initial design to long-term maintenance, rather than treating it as an afterthought
The most powerful benefit is dramatic vulnerability reduction: Google's secure-by-design web framework reduced cross-site scripting cases from nearly 100 to just 1 per year across all their applications
Security is becoming a competitive advantage in 2025, with enterprise leaders like JPMorganChase demanding secure-by-default software and viewing security as synonymous with quality and value
Regulatory pressure is intensifying globally through initiatives like CISA's Secure by Design Pledge, the EU's NIS2 directive and the Cyber Resilience Act, making security compliance essential
Known vulnerabilities persist industry-wide: 10 out of 13 software defects deemed "unforgivable" in 2007 are still prevalent today, demonstrating the urgent need for systematic security improvements
Cybersecurity is commonly viewed as an afterthought. The echoes of the “move fast and break things” mentality and the pressures of an extremely competitive software market have backed the industry into a corner. Security has become a cost to reduce rather than a priority to focus on throughout the whole software lifecycle.
In 2025, things are rapidly changing and cybersecurity is moving to the forefront.
Leaders from the world’s biggest enterprises, like JPMorganChase, are calling on software providers to prioritize security. Mid-market companies are realizing that security can be a competitive advantage. Governments are tightening cybersecurity regulations and collaborating with software companies to make the whole ecosystem more secure.
An April 2025 survey of IT and security professionals by Cloud Security Alliance shows that 86% of organizations are now prioritizing SaaS security, and 76% are increasing cybersec budgets. More than half of companies share too much data externally, with employees uploading sensitive information to unauthorized SaaS apps. Oversight is difficult, identity and access management remains a challenge, and GenAI tools are expanding the attack surface.
Cybersecurity is no longer something to add to a product after it reaches product-market fit. Security by design is now a competitive advantage for new products, and an existential imperative for leading enterprise software providers.
What Is Security by Design?
In short, security by design means that cybersecurity is a priority throughout the whole software product lifecycle – from the design phase all the way to long-term maintenance.
According to Microsoft’s CEO Satya Nadella, security by design means that “security comes first when designing any product or service.”
Another useful definition comes from the influential report by America’s cyber defence agency, CISA:
“‘Secure by design’ means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.”
Christoph Kern, Principal Engineer focused on information security at Google, offers yet another take on security by design in a recent research publication:
“Many safety and security hazards can only be mitigated when product developers consider them during design of a product—they must incorporate mitigations into its shape and basic structure.”
Security by design goes hand-in-hand with security by default – meaning software that is shipped to the end user with a secure default configuration.
The same three sources from above describe security by default as:
Microsoft – “Security protections are enabled and enforced by default, require no extra effort, and are not optional.”
CISA – “‘Secure by default’ means products are resilient against prevalent exploitation techniques out of the box without added charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them.”
Google – “For many physical products, customer expectations (and in some cases formal standards and regulations) call for the product to mitigate common hazards. [..] At Google, we think that software systems should be offered with a similar mindset, with basic safety and security features included in every version of the product, and enabled by default.”
What Are the Benefits of Security by Design?
Security by design is the foundation of protection against cybercrime. It’s a bit like herd immunity – the higher the number of software products that are secure by design, the less likely it is that a breach or attack deals damage across a large chunk of the technology ecosystem.
The actual global annual cost of cybercrime is unclear – one number you might see thrown around online is $10.5 trillion in 2025, but it appears to be highly exaggerated.
So, instead of the cost, it might be helpful to think about this in terms of how often cyber attacks happen.
Since 2006, the American Center for International & Strategic Studies has been maintaining a live list of significant security breaches, i.e. “cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.”
The PDF version of the list is 96 pages long, and there have already been 21 significant attacks recorded in 2025 (and it’s only June as I’m writing this article). Add to that countless attacks targeted at individuals or SMBs that didn’t make the list, and it’s easy to see why security by design is necessary.
In many cases, security by design means preventing software vulnerabilities that have been understood for years. The Director of CISA recently pointed out that 10 out of 13 software defects that were deemed “unforgivable” by cybersec experts in 2007 are still prevalent in software today.
Common Weakness Enumeration (CWE) is a project that lists the most dangerous software weaknesses. Of the top 25 weaknesses in 2024, the most common one was cross-site scripting (XSS). It can lead to multiple negative outcomes – for example, leakage of private user data stored in cookies.
For most vulnerabilities, XSS included, the solutions are known and sometimes trivial. They’re just not prioritized in the software lifecycle because it’s not always feasible to spend extra money and development time to fix them – especially when it comes to new products where product-market fit isn’t guaranteed.
Ultimately, major tech providers are the ones who have the biggest responsibility, need, and ability to implement secure-by-design principles.
And when they do, the results can be astonishing. In a blog post from February 2025, Google engineers reported that their commitment to secure by design principles helped them reduce cross-site scripting vulnerability cases in their web apps from nearly 100 to just 1 per year.
Not one per application – one across all of their applications that have adopted their secure-by-design web framework. That’s the power of security by design.
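To make the idea behind Google's result concrete, here is an added example (not the article's code and not Google's framework) of a small HTML-building API that escapes untrusted values by construction, so that forgetting to escape becomes a type error instead of an XSS bug; the `SafeHtml` class, the `html` template tag and the `renderToSink` sink are assumed names for illustration.

```javascript
// Added example: a minimal "safe by construction" HTML API in the spirit of
// a secure-by-design web framework. Untrusted data cannot reach the HTML sink
// without being escaped, so a missed escape cannot ship as an XSS bug.

// Before: string concatenation. Escaping is the developer's job on every call,
// and one missed call is a cross-site scripting vulnerability.
function renderGreetingUnsafe(name) {
  return "<p>Hello, " + name + "</p>"; // name is untrusted and not escaped
}

// After: a SafeHtml type. Only this module can construct it, via the escaping
// template tag below, so every instance is already escaped.
const CONSTRUCT = Symbol("SafeHtml-internal");
class SafeHtml {
  #html;
  constructor(html, token) {
    if (token !== CONSTRUCT) throw new TypeError("build SafeHtml with html``");
    this.#html = html;
  }
  toString() { return this.#html; }
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Tagged template: the literal parts are author-written and trusted; every
// interpolated value is escaped unless it is already SafeHtml (composition).
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.toString() : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out, CONSTRUCT);
}

function renderGreetingSafe(name) {
  return html`<p>Hello, ${name}</p>`;
}

// The sink (think element.innerHTML) accepts only SafeHtml. A raw string,
// however it was built, is rejected at this boundary.
function renderToSink(content, sink) {
  if (!(content instanceof SafeHtml)) throw new TypeError("sink requires SafeHtml");
  sink.innerHTML = content.toString();
  return sink.innerHTML;
}

// Constructed sample input containing markup characters (not a real attack).
const UNTRUSTED_NAME = '<b>Mallory</b> & "friends"';
```

The unsafe renderer passes the markup through unchanged, while the tagged template neutralizes it and nested `SafeHtml` values compose without double escaping.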
Why Is Security by Design Important in 2025 and Beyond?
The issue of cybersecurity has gained huge momentum in 2025. From global banks to government institutions, industry thought leaders and regulators are pushing harder than ever to realize the long-standing vision of secure-by-design software. Meanwhile, software builders and providers are waking up to the fact that better security enhances their brand’s value proposition in the eyes of their clients.
Growing Enterprise Need for Secure-by-design Software
One of the biggest cybersecurity stories of 2025 is an open letter penned by Patrick Opet, Chief Information Security Officer at JPMorganChase.
It’s addressed at enterprise SaaS providers, but it sent shockwaves across the whole software industry. It begins with:
“The modern 'software as a service' delivery model is quietly enabling cyber attackers and creating a substantial vulnerability that is weakening the global economic system.”
The JPMorganChase CISO goes on to describe the biggest issues – here’s a short summary.
As organizations converge to a small set of leading SaaS providers, it creates a situation where an attack on one major SaaS/PaaS provider disturbs global markets.
Fierce competition among providers leads all of them to focus on rapidly releasing features in lieu of robust security, which exposes their entire client ecosystems to risk.
Modern SaaS integration, with OAuth singled out as one of the main culprits, leads to oversimplified interactions between internal enterprise resources and external systems on the internet:
Poorly secured authentication tokens are stolen and reused
Software providers gain privileged access without explicit consent or transparency
Lack of transparency about fourth-party vendor dependencies expands the risk upstream
AI and automation services amplify and rapidly spread these risks
In order to realize the vision of secure-by-design software, the JPMorganChase CISO calls on SaaS providers to:
Reprioritize security to be at least as important as launching new products
Provide continuous, demonstrable evidence that controls work effectively (not just annual compliance checks)
Ship with secure-by-default configurations for clients
Be transparent about risks
Finally, he proposes several modern technical solutions as examples of how to strengthen the SaaS integration ecosystem:
Confidential computing
Customer self-hosting options
Bring Your Own Cloud (BYOC) models
Sophisticated authorization methods (beyond simple OAuth)
Advanced detection capabilities
Proactive measures to prevent abuse of interconnected systems
A letter like this might have been ignored in the past. In 2025, the risks of lacklustre cybersecurity are more evident than ever, and the industry response has been loud and mostly positive.
Industry Recognition of the Value of Cybersecurity
Even before JPMorganChase’s CISO posted the letter, industry leaders had already been calling for higher prioritization of cybersecurity.
In one interview, senior leaders from domain registrar company Verisign pointed towards the fact that security is becoming a competitive advantage:
“Cybersecurity is evolving. It’s no longer about just protecting the company from security risks; it’s becoming a new source of competitive advantage. Customers synonymize security with quality and value; hence it’s crucial to build security upfront into products and services, in order to gain and retain customer confidence.”
Charanjit Chana, Head of Development at UK-based marketing tech company Maglabs, responded to the CISO letter on his blog saying that prioritization of security is necessary, and the topic should be more popular in universities:
“Patrick Opet, the Chief Information Security Officer at J.P. Morgan sent an open letter that outlines the need for a shift in how much companies focus on features over security. It is not only necessary, but refreshing.
Everything is connected now, whether we like it or not. Web development is a state of bloat that has persisted into a second decade. There's not enough crafting on the web, it's all about delivery. Often at speed at the cost of security and definitely at the cost of privacy.
[..] Universities should spend as much time focusing on OPSEC as a concept as much as they would OOP and whatever else they push students towards these days.”
Amir Khayat, CEO of SaaS security provider Vorlon, wrote that the letter brought to the forefront the frustration that security leaders have been feeling for years:
“His message was blunt: Get your act together. Opet’s letter called out the lack of reliability, accountability, and transparency from too many cybersecurity and SaaS vendors. For many security leaders, it put words to a frustration that’s been simmering for years: we’re spending more than ever on tools, and yet we still can't answer basic questions during an incident.”
Mike Schwartz, founder of an Austin-based cybersecurity firm and leader of the Linux Foundation cybersec project Janssen, agrees with the letter in his LinkedIn article:
“As your letter posits, we need to ‘modernize security architecture.’ In particular, you write that many SaaS ‘integration models collapse authentication (verifying identity) and authorization (granting permissions) into overly simplified interactions.’ I could not agree more. This brittle approach has proved insufficient. It creates an illusion of security which doesn't protect our institutions.”
When Patrick Opet posted his letter on LinkedIn, it generated over 1,700 reactions and 150+ comments. The majority of commenters were in agreement:
“I agree! I was surprised by how many unsanctioned SaaS apps were outside central governance at my last company — nearly 70% (almost 600 apps) of the SaaS apps the company used were not within our SSO/MFA capabilities. The convenience for random business people to adopt SaaS apps without IT or Security is out of control.”
“Industry-wide collaboration is critical, one company following best security practices isn’t enough when the components and dependencies they rely on might not. The entire ecosystem is showing serious cracks under the current velocity of threat actors.”
“Important points Pat. The industry’s dependency on a few SaaS platforms has outpaced the risk frameworks needed to govern them. Integration convenience often bypasses core principles like least privilege and network segmentation. It’s time providers and customers realign on secure by design models instead of layering security on after the fact.”
“Well said, Pat Opet. Both powerful and timely. As both a long-time enterprise CISO and Trust Officer and now providing identity security as SaaS, this deeply resonates. The cascading fourth-party dependencies and the explosion of machine identities and AI agents, all requiring access to sensitive resources, are especially concerning.”
Even Redditors were surprisingly positive about the letter. In one popular thread discussing the letter, many commenters are cynical (as per usual on Reddit), but plenty of users still agreed with Patrick Opet:
“Great letter to share with senior leadership! This hits all the key points and is concise enough for people to actually read the whole thing. Key take away is to make the required investments in security before investing in more new features. Granted, new features = profits. BUT ... Downtime due to a security incident results in lost profits and reputational damage.”
“Couldn't agree more. We spend more time managing vendor integrations and f**k ups than warranted. Systems engineering roles shifted to ‘bouncer’ roles”
“Every significant incident we've managed in the past four years hasn't been in our own back yard. It is such a pain in the butt.”
From the largest organizations to small firms, the industry seems to be in agreement that there is a need for greater security across the tech ecosystem. In the middle of it all are regulators, who are using their top-down power to foster faster adoption of security by design.
Tightening Regulations Around Cybersecurity
The Director of the United States’ Cybersecurity & Infrastructure Security Agency (CISA), Jen Easterly, described the software industry’s relationship with cybersecurity in the best way possible:
“We’re in the ‘before the seat belts’ era of software.”
It’s a clear reference to the automotive industry. Today, you don’t even think about seat belts, you just fasten them when you enter your car. That wasn’t always the case – the push to include seat belts in all cars began around 1970 across the Western world, and it took several decades until it became a universal standard.
For CISA’s Director, it’s clear that software companies – just like car manufacturers in the 20th century – won’t create a secure digital ecosystem unless the public demands it.
Dangerous software leading to system compromise can no longer be business-as-usual. Blaming users for poor security habits is no excuse. It’s time to focus on the software design flaws that enable poor security in the first place.
CISA is betting on industry cooperation in its push for better cybersecurity. Its 2024 Secure by Design Pledge has already been signed by hundreds of companies, including AWS, Palantir, GitHub, Google and Scale AI. CISA is also encouraging companies to become Common Vulnerabilities and Exposures (CVE) Numbering Authorities (CNAs) to transparently disclose the vulnerabilities in their own products.
In the European Union, the most recent cybersecurity initiative is the NIS2 directive for securing network and information systems.
NIS2 is a legal framework to “uphold cybersecurity in 18 critical sectors across the EU,” which also encourages cross-border enforcement between EU countries. It expands the scope of the directive’s previous version, NIS1, by including more sectors – like social platforms or the space industry.
It also introduced accountability for leadership of companies that don’t comply with cybersecurity risk management requirements, as a way to bring “cybersecurity to the attention of the boardroom”. NIS2 strengthened the CSIRT network (similar to CVE in the US), as a way to improve the flow of cybersecurity-related information between EU member states.
There’s also the Cyber Resilience Act (CRA), which entered into force at the end of 2024 – but its main obligations will apply from December 2027.
The CRA is focused on tech consumers. It “enhances cybersecurity standards of products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products.”
In other words – it's the EU's version of a push for security by design. It describes cybersecurity requirements that companies must meet at every stage of the product lifecycle.
Security by Design Is Here to Stay
In 2025 and beyond, security can no longer be treated as an afterthought. Regulators are pushing for better cybersecurity, and the majority of the software industry seems to be united in this cause.
Big Tech is continuously proving the value of security by design – like in the case of Google’s web apps, where adopting a secure web framework allowed them to essentially rid their apps of cross-site scripting, the #1 vulnerability that most of the industry is struggling with.
Smaller organizations have more leeway here, as they might not be able to afford implementing robust security-by-design principles. But as long as major software providers do it, the positive effect will spread across the tech ecosystem, protecting mid-market companies in the process.