Security by Design in Perspective

Omid Ghaffari-Tabrizi, Justin Sherman, Paul Rosenzweig
Monday, September 22, 2025, 10:42 AM
Lessons Learned for Future Law, Policy, and Technology.
Cybersecurity. (École polytechnique - J.Barande, https://www.flickr.com/people/117994717@N06; CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/deed.en)

Published by The Lawfare Institute in Cooperation With Brookings

Editor’s Note: Google provides financial support to Lawfare. This article was handled independently pursuant to Lawfare’s standard editorial process.

In this paper for Lawfare’s Security by Design Paper (SbD) Series, Omid Ghaffari-Tabrizi, Justin Sherman, and Paul Rosenzweig reflect on the lessons learned from two years of research into software security by design. Building on more than two dozen articles, papers, and podcasts, they analyze how SbD can be more clearly defined, measured, standardized, and incentivized, while highlighting the challenges of developing metrics, the domestically focused nature of standards-setting, and the competing models for liability and compliance. The authors draw parallels to other regulatory frameworks, such as privacy by design, and emphasize that securing software requires a mix of law, policy, technology, and private-sector innovation. They conclude by identifying key open questions for future research, including international standards-setting, optimizing incentives, and understanding shifting public risk tolerance for insecure software.

Download the paper here or below.

Omid Ghaffari-Tabrizi is Head of U.S. Federal Civilian Policy at Google, focused on bringing innovative technologies into the government. Prior to Google, he worked for the U.S. government and was a litigator. Omid received his B.B.A. and J.D. from the University of Miami and will receive his LL.M. in Government Procurement from the George Washington University Law School. He currently lives with his wife in Washington, D.C.
Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; the scholar in residence at the Electronic Privacy Information Center; and a nonresident senior fellow at the Atlantic Council.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company. He formerly served as deputy assistant secretary for policy in the Department of Homeland Security. He is a professorial lecturer in law at George Washington University, a senior fellow in the Tech, Law & Security program at American University, and a board member of the Journal of National Security Law and Policy.