
musing at the confluence of data, software and security

by Earl Chen

Security by Design Redux 2024

23 August 2024

Lawfare just released a paper, Security by Design in Practice, discussing the continuing evolution of the concepts and approaches for ensuring digital security. Seeing the “Security by Design” headline turned the clock back 16 years, to when we first used the term to headline our new security program.

In early 2008, despite the gathering storm clouds of the mortgage-fueled financial crisis, there was an aura of anticipation in tech. Apple was glowing after the spectacular debut of the iPhone the previous summer and preparing to open the app store. Android was solidifying with the first Android phone just a few months away, and retail e-commerce surpassed $120 billion in annual sales. The unabated growth of e-everything combined with the birth of the smartphone demanded deeper and more comprehensive thinking in software security.

Over the following year, Cigital and Fortify launched the Building Security In Maturity Model (BSIMM), Microsoft released the first public version of its Security Development Lifecycle (SDL) process guidance, and the open source Software Assurance Maturity Model (SAMM) was created with Fortify’s help.

At Bank of America, we built Security by Design, integrating security practices into the bank’s full software lifecycle from ideation to retirement, enabling rapid online expansion and safely growing mobile banking from zero to tens of millions of users.

It’s hard to believe it’s been over 16 years since that launch. It feels good to be a (small) contributor to the software security community’s accomplishments; unfortunately, the almost daily headlines reporting security and privacy failures mean we have much more work to do.

tags: software - security