Security by Design

The “Security by Design” project is a multiyear initiative with the objective of creating a density of work product in the area of software design security. This project evaluates several elements of software security, from the secure-by-design and secure-by-default principles to how legal and policy processes could require or incentivize security by design from software developers. It features long-form research papers, articles, podcast interviews and documentation on these questions.

Latest in Security by Design

Published by The Lawfare Institute in Cooperation With

Advancing Secure by Design Through Security Research

Jen Easterly Jack Cable

Apr 25, 2025

It is essential for U.S. policymakers to actively protect and promote the role of security research within an open and transparent ecosystem.
Calibrating Secure by Design With the Risks Faced by Small Businesses

Sezaneh Seymour Daniel Woods

Feb 14, 2025

Empirical evidence suggests guiding small businesses toward more secure configurations is more important than eliminating vulnerabilities.
“Privacy by Design” Lessons for “Security by Design”

Justin Sherman

Nov 19, 2024

Translating principles into technology and regulation
A Government Cybersecurity Backstop Isn’t a Silver Bullet

Edouard von Herberstein

Oct 21, 2024

An effective government backstop would require preexisting consensus on security standards, data sharing, and cooperation.
Measuring Policy Effectiveness of Cyber Defensibility and Deterrence

Jason Healey

Sep 10, 2024

The United States needs better ways to understand success in cyberspace. Doing so is now within reach, with the right, top-down approach.
Lawfare Daily: Eugenia Lostri and Justin Sherman on Security by Design in Practice

Stephanie Pell Eugenia Lostri Justin Sherman , +1

Aug 19, 2024

What does 'Security by Design' mean in practice?
“Security by Design” in Practice: Assessing Concepts, Definitions, and Approaches

Eugenia Lostri Justin Sherman

Aug 19, 2024

There is significant consensus about the meaning of "security by design," but less on the definition and utility of "security by default."
Investing in Rust

Shane Miller

Jul 19, 2024

U.S. public policy can help facilitate market adoption of a relatively new, efficient, and safe programming language called Rust.
Making Attestation Work for Software Security

Jim Dempsey Steven B. Lipner James Andrew Lewis

Jul 18, 2024

Attestation will be part of the federal government’s software procurement process for the foreseeable future. Let’s make it work.
Moving Slow and Fixing Things

Christos Makridis Iain Nash Scott J. Shackelford , +1

Jun 20, 2024

The United States could learn from Europe’s approach to incentivizing cybersecurity.
Standards of Care and Safe Harbors in Software Liability: A Primer

Derek E. Bambauer Melanie J. Teplinsky

May 31, 2024

Deciphering the Biden administration’s nascent software liability efforts.
Incentives for Improving Software Security: Product Liability and Alternatives

Steven B. Lipner

May 14, 2024

Tort liability is the wrong approach to improving software security; process transparency and Executive Order 14028 offer a path forward.