Secure by design
Last updated: 27 August 2025
Delivery teams need to incorporate effective cybersecurity practices when building digital services and technical infrastructure.
Rationale
Ensure that security is embedded from the start. Delivery teams should work to reduce vulnerabilities and improve cyber resilience while aligning with internal policy and cross-government initiatives such as the Home Office 2030 Digital Strategy and the Government Security Group (GSG) Secure by Design Framework.
Security controls that are designed to mitigate understood risks are easier to test and measure for their effectiveness. It is important to implement security features that deliver valuable counters to threats, are balanced with user needs and facilitate the ongoing operation and iteration of our services.
Applications and Implications
- Establish a security culture within the team, where everyone is responsible for security. Engage with security teams early and ensure Home Office Cyber Security (HOCS) guidance is followed.
- Embed security early and continuously throughout the software development lifecycle, reducing vulnerabilities and rework
- Use threat modelling techniques to understand the landscape and actors. This will help to identify threats and risks against your architecture holistically, including shared capabilities or services.
- Apply defence-in-depth with multi-layered proportionate security controls to protect against a range of threats
- Apply secure defaults and encryption in transit and at rest, enforce the principle of least privilege and Zero Trust, and manage secrets securely
- Follow secure coding standards, conduct threat modelling, and integrate security checks into code reviews and CI/CD pipelines
- Scan dependencies, maintain a clear dependency map, and understand the wider supply chain risk