The way that UK governments design and deliver digital products is changing. The UK Government’s Secure by Design approach demonstrates a clear shift from treating security as an afterthought towards embedding it as a core design principle from day one.
This guide explains what Secure by Design means in practice, what it requires from your organisation, key benefits, and how to begin implementing it.
Who is This Guide For?
If you’re a Senior Responsible Owner (SRO), product owner, delivery lead, or security professional working within UK government organisations or supplying products and services to them, this guide’s for you.
If you’re:
- Building a new digital service
- Procuring connected hardware
- Managing an existing product portfolio
Secure by Design also applies to you.
Understanding Secure by Design
It’s important not to consider Secure by Design a single policy. Rather, it’s a set of objectives, legal obligations, and expected outcomes that work together to define how government organisations should approach product security throughout the delivery lifecycle.
To break it down, the approach has three core objectives:
- To reduce the number of exploitable government products before they reach production.
- To ensure that security decisions are made deliberately and well-documented.
- To ensure continuous assurance rather than point-in-time compliance.
What Legal Standpoints Should I Be Aware Of?
- Product Security and Telecommunications Infrastructure (PSTI) Act 2022: establishes mandatory security requirements for consumer connectable products sold in the UK.
- UK Code of Practice for Consumer IoT Security: a set of baseline security requirements for consumer internet-connected devices, ensuring manufacturers implement robust protections to safeguard users and data.
- GDPR: the General Data Protection Regulation requires organisations to protect personal data and privacy, ensuring that security measures in product design comply with data protection laws and safeguard user information.
The Design Approach: Ensuring You’re Risk-Driven from the Start
With Secure by Design, there’s no mandatory security approach. Instead, focus on ensuring security decisions are realistic and well-targeted, not dictated by cost.
Examples of Important Security Controls
- Design authentication flows for usability to ensure users can securely and easily access the system without unnecessary friction or confusion.
- Implement least-privilege access controls to ensure employees can only access what is needed to perform their role, nothing excessive, like admin permissions. Overprivileged accounts are among the most common findings in penetration tests of government systems, and they dramatically increase the impact of any compromise.
- Test user journeys for security friction to identify and resolve obstacles that might prevent users from completing their tasks, ensuring a smooth, safe user experience throughout the service.
Embedding Cybersecurity and Security Activities in the Lifecycle
| Security Activity | Lifecycle Phase | Responsible Role | How It Supports Secure by Design |
|---|---|---|---|
| Threat modelling sessions | Per release / Alpha onwards | Security Architect, Product Owner | Ensures risks are identified and addressed before code is written, supporting the risk-driven design mandate |
| Assign security responsibilities to delivery roles | Discovery / Project initiation | SRO, Delivery Manager | Establishes clear accountability from the outset, preventing security ownership gaps across the team |
| Secure code reviews | Development / Before merge | Lead Developer, Security Engineer | Catches logic flaws and vulnerability patterns that automated tools miss, fulfilling the secure development activity requirement |
| Integrate automated security testing in CI | Development / Build pipeline | DevSecOps Engineer, Developer | Provides continuous, low-friction detection of known vulnerability classes on every build without slowing delivery |
| Include security criteria in acceptance tests | Beta / Pre-release | QA Lead, Security Engineer | Ensures security requirements are treated as functional requirements, not optional extras, before a product moves to live |
| Map security activities to lifecycle phases | All phases | Delivery Manager, CISO | Creates a structured, auditable record of when and how security was addressed at each stage of delivery |
| Schedule regular vulnerability assessments | Live / Ongoing | Security Team, Third-Party Assessor | Provides continuous assurance that the security posture of a live product is maintained and any new vulnerabilities are identified promptly |
Continuous Assurance and Independent Assessment
These security controls shouldn’t be implemented as a sporadic, one-off exercise; they should be monitored regularly to provide continuous assurance and confidence in your organisational security. To keep proper oversight of your controls, we recommend:
- Establishing continuous monitoring metrics
- Performing independent assurance periodically
- Maintaining evidence for audit readiness
Monitoring and Incident Response
- Instrument logging for high-risk events
- Define incident response runbooks
- Run tabletop exercises quarterly
Product Security Requirements and Security Controls
To demonstrate compliance with Secure by Design, robust product security requirements for digital delivery are essential. Product owners should be vigilant to ensure these controls are accounted for when both managing an existing product portfolio and building a new digital service.
- Define mandatory baseline security requirements
- Require secure boot
- Require firmware integrity checks
- Document third-party component security status
Managing the Attack Surface of Connected Products
To effectively manage the attack surface of connected products, your organisation should maintain a comprehensive inventory of all network-exposed components, minimise external interfaces and services, and enforce strong default configurations to increase awareness and reduce potential security vulnerabilities.
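As an added example (not from the original guide, and not any government-issued tooling), the check below reads a constructed inventory of one connected product’s network-exposed services and compares it with an approved baseline, flagging services that are not in the inventory, interfaces exposed more widely than approved, and weak default configurations. The inventory schema, the service names and the baseline policy values are all assumptions made for this example.

```python
import json
from dataclasses import dataclass

# Constructed example inventory of one connected product's network-exposed services.
# The schema is an assumption for this example, not a government-defined format.
INVENTORY_JSON = """
{
  "product": "example-gateway",
  "services": [
    {"name": "https-admin", "port": 443,  "proto": "tcp", "exposure": "lan",
     "config": {"auth": "per-device-password", "tls": true}},
    {"name": "telnet",      "port": 23,   "proto": "tcp", "exposure": "wan",
     "config": {"auth": "default-password", "tls": false}},
    {"name": "mqtt",        "port": 1883, "proto": "tcp", "exposure": "wan",
     "config": {"auth": "none", "tls": false}}
  ]
}
"""

# Approved baseline (assumed policy): which services may be exposed, and on which interface.
APPROVED = {"https-admin": {"lan"}, "mqtt": {"lan"}}

@dataclass(frozen=True)
class Finding:
    service: str
    issue: str

def assess_attack_surface(inventory_json: str) -> list[Finding]:
    """Return one Finding per way a service widens the attack surface beyond the baseline."""
    findings = []
    for svc in json.loads(inventory_json)["services"]:
        name, cfg = svc["name"], svc["config"]
        allowed = APPROVED.get(name)
        if allowed is None:
            findings.append(Finding(name, "service not in approved inventory"))
        elif svc["exposure"] not in allowed:
            findings.append(Finding(name, f"exposed on {svc['exposure']}, approved only on {sorted(allowed)}"))
        # Weak default configuration: no authentication, or a shared default password.
        if cfg.get("auth") in ("none", "default-password"):
            findings.append(Finding(name, f"weak default authentication: {cfg.get('auth')}"))
        if not cfg.get("tls", False):
            findings.append(Finding(name, "transport not encrypted"))
    return findings

if __name__ == "__main__":
    for f in assess_attack_surface(INVENTORY_JSON):
        print(f"{f.service}: {f.issue}")
```

Run against a real product, the same check can sit in the build pipeline as an acceptance criterion, so an unapproved listening service or a weak default fails the build rather than reaching live.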
Implementation Roadmap and Design Activities for Adoption

Ensuring Policy Alignment and Compliance with UK Government Standards
Throughout the process of implementing a Secure by Design approach into your organisation, regularly check in to ensure the following:
- Map your security controls to relevant UK legislation to maintain compliance and align with legal requirements.
- Refer to the Product Security and Telecommunications Infrastructure (PSTI) Act to ensure your consumer connectable products meet mandatory security standards.
- Adhere to the UK Code of Practice for Consumer IoT Security as a baseline for protecting users and data effectively.
How Penetration Testing Supports Secure by Design
Penetration testing is one of the most direct ways to validate that your Secure by Design principles are working in practice, not just on paper. While threat modelling and secure code reviews identify risks during development, penetration testing provides independent evidence that your controls hold up against real-world attack techniques.
A skilled penetration tester will probe your authentication flows, access controls, network exposure, and third-party components in the same way a malicious actor would, surfacing vulnerabilities that internal teams, however diligent, are too close to the product to spot.
Scheduled regularly and aligned to your release cycle, penetration testing transforms Secure by Design from a framework into a continuously validated security posture.
Ensure your business meets compliance with OnSecurity’s platform-led pentesting. Receive real-time communication from expert testers and a thorough understanding of business logic security risks, removing compliance complexity and boosting security.