Secure by Design

Secure by Design is not a single tool, product, or one‑time activity. It is a holistic approach that requires security to be deliberately embedded from the very beginning, at the point where systems, software, and services are conceived and designed. Rather than reacting to vulnerabilities after deployment, Secure by Design emphasizes anticipating risk early and addressing it through intentional design decisions, clearly defined security requirements, and accountability across the entire lifecycle.

Secure by Design: A Guide to Assessing Software Security Practices, created by CIS and SAFECode, expands on this concept and provides a practical, measurable way for organizations to strengthen software security from development through deployment.  

Turning Secure by Design into Action 

CIS and SAFECode work together to help developers and end users move from intent to execution by combining deep industry expertise with practical, implementation‑ready guidance for building security in from the start. CIS provides trusted, widely adopted security baselines, translates standards into practices that teams can apply consistently, and supports shared defense across organizations and ecosystems. SAFECode strengthens this work by bringing leading software security expertise and proven development practices that help organizations put Secure by Design into practice at scale.

Why is Secure by Design Important?

Secure by Design isn’t something you add later or manage in isolation. It’s a deliberate approach to building, operating, and defending systems, starting with secure foundations and reinforcing them consistently over time using tools like CIS Critical Security Controls^® (CIS Controls^®), CIS Benchmarks^®, CIS Hardened Images^®, and CIS SecureSuite^®.

Whether you’re building commercial software or supporting public missions, Secure by Design helps reduce risk earlier, simplify security operations, and create systems that are resilient by design, not by reaction.