Anticipating Cybersecurity from the Design Stage
“Cybersecurity is not a feature you validate at the end of a project. No test can make up for a flaw born of poor design.” – Bruce Schneier, The Process of Security
In 2025, cyber-threats are evolving faster than ever: compromised software supply chains, known but unpatched vulnerabilities, the emergence of malicious AI…
Faced with this growing complexity, one certainty stands out: security can no longer be an afterthought. It must be built into the very design of systems.
That is the core of Secure by Design (SbD): a proactive, structured approach that embeds cybersecurity from the very first lines of code and throughout the entire development lifecycle.

⚠️ Not to be confused with Secure by Default, which aims to deliver a product with security settings already enabled by default—requiring no action from the user (e.g., MFA enabled, unused ports closed, non-essential services disabled).
Reacting Is No Longer Enough: Why Build Security in from the Start
The numbers speak for themselves:
- +34% increase in attacks exploiting known vulnerabilities in 2025 (Verizon DBIR)
- 60% of incidents linked to design flaws by 2026 (Gartner)
- 50% of breaches in France caused by misconfigured or exposed equipment (ANSSI)
These findings reveal a structural weakness: security is still too often considered late in the project. Yet it is at the design stage that the majority of risks can be eliminated.
This calls for a cultural shift: stop treating security as a constraint and start viewing it as a driver of performance, reliability, and sustainability.
With the rise of technologies such as artificial intelligence and large-scale automation, the stakes are evolving. Strengthening security while improving the sustainability of our infrastructures? It’s possible—provided we anticipate it from the very beginning.
Generative AI & Autonomous Agents: New Challenges for Secure by Design
The rise of generative AI and autonomous agents able to act without direct human supervision introduces unprecedented risks.
To keep Secure by Design effective in such environments, three key issues must be anticipated from the very earliest project stages:
1. Managing Dynamic Identities
Non-human software entities—such as AI agents, ephemeral containers, or micro-services—interact with systems in temporary or automated ways.
These entities already perform critical actions: generating code, automating configurations, even initiating financial transactions.
This demands:
- complete traceability of their actions,
- dynamic reviews of their permissions,
- continuous behavioral monitoring to detect any anomaly.
2. Automating with Discernment
Automation has become essential for raising the security level while improving responsiveness.
This includes:
- automated patch management,
- vulnerability testing integrated into CI/CD pipelines,
- detection and response to malicious behaviors using tools such as EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), or continuous network monitoring.
However, when poorly configured or left without supervision and clear governance, these powerful tools can create blind spots or even become attack vectors themselves.
Human involvement in their operation, calibration, and oversight remains indispensable to prevent drift and ensure their effectiveness.
3. Learning from Incidents
Consider a concrete example: in 2024, a test environment left exposed in the cloud allowed a former employee to exfiltrate data through a forgotten API.
Such an incident could have been prevented with a few safeguards:
- segregating environments,
- systematically revoking inactive access,
- performing regular configuration audits.
These basic reflexes are what reduce exposure to this type of threat.
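The controls listed for dynamic identities above (traceability, permission review, behavioral monitoring) and the three safeguards from the incident (segregation, revoking inactive access, configuration audit) can all be expressed as checks over an inventory. The script below is an added example, not code from the original article or from Davidson Consulting; the identities, environments, permission baseline and action log are constructed sample data, and every name (`ci-runner-01`, `sandbox-2024`, the `repo:read`-style permission labels) is a placeholder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed permission baseline per non-human role (placeholder labels).
BASELINE: Dict[str, Set[str]] = {
    "ci-runner": {"repo:read", "artifact:write"},
    "ai-agent": {"repo:read", "pr:comment"},
    "billing-bot": {"invoice:read", "invoice:create"},
}

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


@dataclass
class Identity:
    name: str
    role: str
    permissions: Set[str]
    last_used: datetime
    environment: str             # "prod" or "test"
    owner: Optional[str] = None  # team accountable for the credential


@dataclass
class Environment:
    name: str
    kind: str                    # "prod" or "test"
    public_endpoints: List[str]  # externally reachable APIs
    network_segment: str


# Constructed inventory (not real data).
IDENTITIES = [
    Identity("ci-runner-01", "ci-runner", {"repo:read", "artifact:write"},
             NOW - timedelta(days=1), "prod", "platform-team"),
    Identity("agent-codegen", "ai-agent", {"repo:read", "pr:comment", "repo:write"},
             NOW - timedelta(days=2), "prod", "ml-team"),
    Identity("billing-bot", "billing-bot", {"invoice:read", "invoice:create"},
             NOW - timedelta(hours=3), "prod", "finance"),
    # A forgotten test credential: no owner, unused for months, one extra grant.
    Identity("legacy-export-key", "ci-runner", {"repo:read", "artifact:write", "data:export"},
             NOW - timedelta(days=120), "test", None),
]

ENVIRONMENTS = [
    Environment("prod-api", "prod", ["api.example.test"], "prod-net"),
    # Test environment with a public endpoint, sharing the production segment.
    Environment("sandbox-2024", "test", ["sandbox.example.test/export"], "prod-net"),
]

# Constructed action log as a traceability system would record it: (identity, action).
ACTION_LOG: List[Tuple[str, str]] = [
    ("ci-runner-01", "artifact:write"),
    ("agent-codegen", "pr:comment"),
    ("agent-codegen", "invoice:create"),  # outside anything this agent holds
    ("billing-bot", "invoice:create"),
]


def stale_identities(identities, now=NOW, max_idle_days=30) -> List[str]:
    """Candidates for systematic revocation: no recorded activity within the window."""
    cutoff = now - timedelta(days=max_idle_days)
    return [i.name for i in identities if i.last_used < cutoff]


def overprivileged(identities, baseline=BASELINE) -> Dict[str, List[str]]:
    """Dynamic permission review: grants that exceed the role's declared baseline."""
    result = {}
    for i in identities:
        extra = i.permissions - baseline.get(i.role, set())
        if extra:
            result[i.name] = sorted(extra)
    return result


def unowned(identities) -> List[str]:
    """Credentials nobody is accountable for are the ones that get forgotten."""
    return [i.name for i in identities if i.owner is None]


def exposed_test_environments(envs) -> List[str]:
    """Segregation check: test environments with public endpoints or on a prod segment."""
    prod_segments = {e.network_segment for e in envs if e.kind == "prod"}
    return [e.name for e in envs
            if e.kind == "test" and (e.public_endpoints or e.network_segment in prod_segments)]


def anomalous_actions(log, identities) -> List[Tuple[str, str]]:
    """Behavioral monitoring: an action the identity holds no permission for,
    or an action by an identity absent from the inventory."""
    held = {i.name: i.permissions for i in identities}
    return [(who, act) for who, act in log if act not in held.get(who, set())]


def audit(identities=IDENTITIES, envs=ENVIRONMENTS, log=ACTION_LOG, now=NOW):
    """Run every check; return (control, subject, detail) findings for the review meeting."""
    f = []
    f += [("revoke-inactive", n, "no activity in 30 days") for n in stale_identities(identities, now)]
    f += [("review-permissions", n, "beyond baseline: " + ", ".join(p)) for n, p in overprivileged(identities).items()]
    f += [("assign-owner", n, "no accountable owner") for n in unowned(identities)]
    f += [("segregate-environment", e, "test environment exposed") for e in exposed_test_environments(envs)]
    f += [("investigate-behavior", w, "unexpected action " + a) for w, a in anomalous_actions(log, identities)]
    return f


if __name__ == "__main__":
    for control, subject, detail in audit():
        print(f"{control:24} {subject:20} {detail}")
```

Run as a scheduled job against a real inventory export, each finding maps to one of the reflexes the article lists: `revoke-inactive` and `assign-owner` feed access revocation, `review-permissions` is the dynamic permission review, `segregate-environment` is the configuration audit, and `investigate-behavior` is the monitoring signal that catches an agent acting outside its grants.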
Beyond Greenfield Projects: A Long-Term Philosophy
While new projects often integrate security from the start, reality is more nuanced.
Most information systems still contain legacy components—sometimes critical—that were not designed with Secure by Design principles.
Completely rebuilding these environments is rarely realistic or economically viable in the short term.
Secure by Design should therefore be seen not only as a mandate for new projects but also as a long-term philosophy.
Even when applied natively in new systems, its principles can guide the continuous improvement of existing ones through:
- corrective measures,
- compensating controls.
These actions strengthen the security of current infrastructures while progressively moving them toward compliance.
A coherent Secure by Design approach combines foundational principles, practical tools, and adaptation to the real-world context of each organization.
Now let’s look at the concrete levers to activate in order to implement this approach—whether you’re starting from scratch or not:
1. Define and frame security requirements early in the project, aligned with both business and technical priorities, and perform security testing before go-live, including regular penetration tests.
2. Integrate security into CI/CD pipelines by using automated code-analysis tools: SAST (static analysis), DAST (dynamic analysis), IAST (interactive analysis), and SCA (software composition analysis).
3. Apply secure architecture principles by enforcing rigorous Identity and Access Management (IAM), implementing defense in depth, following the principle of least privilege, and enabling granular, dynamic access control based on Zero Trust Network Access (ZTNA).
4. Create remediation playbooks—documented cyber action plans—right from the design phase.
5. Control third-party dependencies and code provenance, including open-source components.
6. Align with key standards and regulatory frameworks such as the Cyber Resilience Act, ISO 27001, and NIS2.
7. Audit the supply chain, paying particular attention to critical service providers.
Integrating Secure by Design makes it possible to secure systems sustainably while embracing an eco-responsible approach.
At Davidson Consulting, we design our own solutions—and those of our clients—based on rigorous Secure by Design practices, application resilience, and advanced maintainability, while integrating eco-design principles whenever possible.
This approach guarantees robust, scalable systems that meet both business and operational constraints.
For example, we:
- maintain continuous technology watch,
- provide regular training for our developers on secure development best practices—particularly regarding risks highlighted in the OWASP TOP 10 and by ITrust,
- and run awareness campaigns.
Security is embedded from the design phase as part of our DevSecOps strategy.

Our CI/CD pipelines include automated testing:
- SAST with SonarQube,
- DAST with OWASP ZAP,
- SCA with GitHub or GitLab,
enabling early detection of vulnerabilities.
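The SCA step in the pipeline just described, and the "control third-party dependencies and code provenance" lever from the list of concrete levers, come down to one gate: parse the lockfile, match pinned components against an advisory feed, and refuse to build when a component is affected or cannot be traced. The script below is an added example, not Davidson's pipeline and not the output of SonarQube, ZAP, or the GitHub/GitLab scanners; the lockfile, package names (`examplelib`, `samplecore`, `demoutils`) and advisory identifiers (`ADV-TEST-…`) are constructed placeholders and not real advisories. It assumes pip's requirements format, where a `--hash=` on each line is what `pip install --require-hashes` enforces.

```python
import re
from typing import Dict, List, Tuple

# Constructed lockfile in pip requirements format (placeholder packages, not a real project).
LOCKFILE = """\
# generated lockfile
examplelib==1.4.2 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
samplecore==3.0.1
demoutils>=0.9
"""

# Constructed advisory feed with placeholder identifiers; these are NOT real advisories.
ADVISORIES = [
    {"id": "ADV-TEST-0001", "package": "examplelib", "fixed_in": "1.5.0", "severity": "high"},
    {"id": "ADV-TEST-0002", "package": "samplecore", "fixed_in": "3.0.1", "severity": "critical"},
    {"id": "ADV-TEST-0003", "package": "samplecore", "fixed_in": "3.1", "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LINE_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?(.*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric component comparison; enough for the sample data, not a full PEP 440 parser."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_lockfile(text: str) -> List[Dict]:
    """Turn each requirement line into name / pinned? / version / hashed? ; comments skipped."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable requirement: " + raw)
        name, op, version, rest = m.groups()
        deps.append({"name": name.lower(), "pinned": op == "==",
                     "version": version, "hashed": "--hash=" in rest})
    return deps


def vulnerable_components(deps: List[Dict], advisories=ADVISORIES) -> List[Dict]:
    """Match exact-pinned components against the feed; affected when version < fixed_in."""
    findings = []
    for d in deps:
        if not d["pinned"]:
            continue  # a version range cannot be evaluated; provenance_issues reports it
        for adv in advisories:
            if adv["package"] == d["name"] and parse_version(d["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"version": d["version"], **adv})
    return findings


def provenance_issues(deps: List[Dict]) -> List[Tuple[str, str]]:
    """Code-provenance checks: every component exactly pinned and carrying an integrity hash."""
    issues = []
    for d in deps:
        if not d["pinned"]:
            issues.append((d["name"], "not pinned to an exact version"))
        if not d["hashed"]:
            issues.append((d["name"], "no integrity hash"))
    return issues


def gate(text: str = LOCKFILE, fail_on: str = "high") -> Dict:
    """CI gate: fail on any advisory at or above `fail_on`, and on any provenance issue."""
    deps = parse_lockfile(text)
    vulns = vulnerable_components(deps)
    prov = provenance_issues(deps)
    blocking = [v for v in vulns if SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[fail_on]]
    return {"vulnerabilities": vulns, "provenance": prov, "passed": not blocking and not prov}


if __name__ == "__main__":
    result = gate()
    for v in result["vulnerabilities"]:
        print(f"{v['severity']:8} {v['package']}=={v['version']} {v['id']} (fixed in {v['fixed_in']})")
    for name, issue in result["provenance"]:
        print(f"provenance {name}: {issue}")
    raise SystemExit(0 if result["passed"] else 1)
```

Two details matter for the gate to be trustworthy: a component at exactly the `fixed_in` version is not reported (the comparison is strict), and an unpinned range is never silently treated as safe; it is reported as a provenance issue, which on its own fails the build. In a real pipeline the constructed feed would be replaced by the scanner's advisory source, and the exit status is what makes the pipeline stage red.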
Our teams are trained in the ISO 27005 and EBIOS RM frameworks to anticipate, assess, and manage risks in a continuous and structured way.
We secure our hybrid cloud architectures from the design stage, integrate automated unit testing and continuous alerting mechanisms, and hold weekly meetings dedicated to reviewing detected vulnerabilities and defining corrective action plans.
This approach reflects our strong commitment to security and system resilience.
In Conclusion: Building Resilience from the Design Stage
Secure by Design is not merely about “doing security better.”
It provides a framework for responsible engineering, aimed at building robust, sustainable, and trustworthy systems.
Alexis Poirot
Will you integrate Secure by Design into your next projects?
Talk to our experts: securite@davidson.fr
Want to go further?