Anticipating cybersecurity from the design stage
“The process of security is not a feature you validate at the end of a project. No test can patch a flaw born of poor design.” — Bruce Schneier, The Process of Security
In 2025, cyber-threats are evolving faster than ever: compromised software supply chains, known but unpatched vulnerabilities, the rise of malicious AI…
Amid this growing complexity, one certainty stands out: security can no longer be a layer added after the fact. It must be built into the very design of systems.
This is the core of Secure by Design (SbD): a proactive, structured approach that weaves cybersecurity into the system from the very first lines of code and throughout the entire development lifecycle.

⚠️ Not to be confused with Secure by Default, which aims to deliver a product with security settings enabled out of the box, without requiring any user action (e.g., MFA enabled by default, unused ports closed, non-essential services not exposed).
Reaction is no longer enough: why build security in from the start?
The numbers speak for themselves:
- +34% increase in attacks exploiting known vulnerabilities in 2025 (Verizon DBIR)
- 60% of incidents will stem from design flaws by 2026 (Gartner)
- 50% of breaches in France are caused by misconfigured or exposed equipment (ANSSI)
These figures expose a structural weakness: security is still too often treated late in the project lifecycle. Yet it is precisely at the design stage that most risks can be eliminated.
This calls for a cultural shift: stop treating security as a constraint and start seeing it as a driver of performance, reliability, and long-term sustainability.
With the rise of technologies such as artificial intelligence and large-scale automation, the stakes are evolving. Strengthening security while improving the resilience and sustainability of our infrastructures is possible, but only if we anticipate it from the very beginning.
Generative AI & Autonomous Agents: New Challenges for SbD
The rise of generative AI and autonomous agents capable of acting without direct human supervision introduces unprecedented risks. To keep Secure by Design (SbD) effective in these environments, three major challenges must be anticipated from the very first stages of any project:
1. Manage Dynamic Identities
Non-human software entities—such as AI agents, ephemeral containers or microservices—interact with systems in a temporary or fully automated way.
These entities are already performing critical actions: generating code, automating configurations, even initiating financial transactions.
This requires:
- Complete traceability of their actions
- Dynamic reviews of their permissions
- Continuous behavioral monitoring to detect anomalies
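The three requirements above can be checked against the same audit trail. The following is an added example, not code from the original article: the identities, permission names, log format and baseline are all constructed assumptions.

```python
from collections import defaultdict

# Constructed data: identities, permissions and log lines are invented for the example.
GRANTS = {
    "agent:code-gen": {"repo:read", "repo:write", "secrets:read"},
    "svc:deployer": {"config:write", "deploy:run"},
}
BASELINE = {  # actions each identity performed during an earlier, reviewed period
    "agent:code-gen": {"repo:read", "repo:write"},
    "svc:deployer": {"config:write", "deploy:run"},
}
AUDIT_LOG = """\
2025-05-02T09:00:01Z agent:code-gen repo:read allow
2025-05-02T09:00:07Z agent:code-gen repo:write allow
2025-05-02T09:01:12Z svc:deployer deploy:run allow
2025-05-02T09:03:40Z agent:code-gen payments:transfer deny
2025-05-02T09:04:02Z agent:code-gen secrets:read allow
"""

def parse(log):
    """Yield (timestamp, identity, action, decision) from space-separated lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines rather than guess their meaning
            yield tuple(parts)

def review(log, grants, baseline):
    """Traceability: read every action. Permission review: list grants never
    exercised. Behavioral monitoring: list actions outside the baseline."""
    used = defaultdict(set)
    anomalies = []
    for ts, ident, action, decision in parse(log):
        if decision == "allow":
            used[ident].add(action)
        # Unknown identities have an empty baseline, so all their actions are flagged.
        if action not in baseline.get(ident, set()):
            anomalies.append((ts, ident, action, decision))
    unused = {i: sorted(p - used[i]) for i, p in grants.items() if p - used[i]}
    return {"unused_grants": unused, "anomalies": anomalies}

if __name__ == "__main__":
    print(review(AUDIT_LOG, GRANTS, BASELINE))
```

Denied attempts are kept in the anomaly list on purpose: an agent probing for a permission it does not hold is a behavioral signal even though the control worked.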
2. Automate with Discernment
Automation is now a key pillar for raising security levels while maintaining responsiveness.
Examples include automated patch management, vulnerability testing integrated into CI/CD pipelines, and detecting and responding to malicious behaviors through tools such as EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), or continuous network monitoring.
But if these tools are poorly configured or left without supervision and clear governance, they can create blind spots—or even become attack vectors themselves.
That’s why human oversight in their operation, fine-tuning and ongoing monitoring remains indispensable to avoid drift and ensure effectiveness.
3. Learn from Incidents
Take a concrete example: in 2024, a test environment left exposed in the cloud allowed a former employee to exfiltrate data through a forgotten API.
A few safeguards could have prevented this:
- Segregate environments
- Systematically revoke inactive access
- Conduct regular configuration audits
Facing these types of threats, reducing exposure requires these essential reflexes.
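A recurring configuration audit can cover all three safeguards at once. This is an added example, not part of the original article: the inventory records, staff list, field names and 90-day threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed inventory: every name, owner and date below is made up for the example.
TODAY = date(2025, 6, 1)
ACTIVE_STAFF = {"alice", "bob"}   # current employees (hypothetical HR export)
MAX_IDLE = timedelta(days=90)     # assumed inactivity threshold

CREDENTIALS = [
    {"id": "key-01", "owner": "alice", "env": "prod", "scopes": {"prod"}, "last_used": date(2025, 5, 28)},
    {"id": "key-02", "owner": "carol", "env": "test", "scopes": {"test"}, "last_used": date(2025, 5, 30)},
    {"id": "key-03", "owner": "bob", "env": "test", "scopes": {"test", "prod"}, "last_used": date(2025, 5, 1)},
    {"id": "key-04", "owner": "bob", "env": "test", "scopes": {"test"}, "last_used": date(2024, 11, 2)},
]
ENDPOINTS = [
    {"name": "billing-api", "env": "prod", "public": True, "auth_required": True},
    {"name": "legacy-export-api", "env": "test", "public": True, "auth_required": False},
    {"name": "qa-dashboard", "env": "test", "public": False, "auth_required": True},
]

def audit_credentials(creds, staff, today, max_idle):
    """Return {credential id: [findings]} for the revocation and segregation checks."""
    findings = {}
    for c in creds:
        issues = []
        if c["owner"] not in staff:
            issues.append("owner-offboarded")         # revoke: holder has left
        if today - c["last_used"] > max_idle:
            issues.append("inactive")                 # revoke: unused past threshold
        if c["scopes"] - {c["env"]}:
            issues.append("cross-environment-scope")  # segregation: key reaches another env
        if issues:
            findings[c["id"]] = issues
    return findings

def audit_endpoints(endpoints):
    """Return names of non-production endpoints reachable from the internet."""
    return sorted(e["name"] for e in endpoints if e["env"] != "prod" and e["public"])

def run_audit():
    return {
        "credentials": audit_credentials(CREDENTIALS, ACTIVE_STAFF, TODAY, MAX_IDLE),
        "exposed_non_prod": audit_endpoints(ENDPOINTS),
    }

if __name__ == "__main__":
    for section, result in run_audit().items():
        print(section, result)
```

Note that `key-02` was used two days before the audit, so an inactivity check alone would never flag it; only the comparison against the current staff list catches a credential still held by someone who has left.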
While much is said about new projects that integrate security right from the design phase, reality is often more nuanced.
Most information systems still contain older—sometimes critical—components that were not originally built with Secure by Design principles. And for good reason: completely rebuilding these environments in the short term is neither always realistic nor economically viable.
That is why Secure by Design should not be seen solely as an imperative for greenfield projects, but also as a long-term philosophy.
When applied natively in new systems it sets the standard, but its principles can also guide continuous improvement on existing systems through corrective measures and compensating controls.
These actions strengthen the security of current infrastructures while supporting a progressive path toward compliance.
A coherent Secure by Design approach therefore blends foundational principles, practical tools, and adaptation to each organization’s real context—ensuring security is both proactive and sustainable.
Here are the concrete levers to activate in order to implement this approach—whether starting from scratch or not:
1. Define and frame security requirements from the outset
Align them with both business and technical stakes, and plan for security testing before production release, including regular penetration tests.
2. Embed security in CI/CD pipelines
Use automated code analysis tools such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), IAST (Interactive Application Security Testing), and SCA (Software Composition Analysis).
3. Apply secure architecture principles
Implement rigorous identity and access management (IAM), defense in depth, the principle of least privilege, and granular, dynamic access control based on Zero Trust Network Access (ZTNA).

7. Audit the supply chain
Pay particular attention to critical service providers and subcontractors.
Integrating Secure by Design ensures systems remain secure over the long term while also supporting an eco-responsible approach. Designing secure systems also means designing lean systems. This is known as Green by Design: an approach aimed at reducing the environmental footprint of IT systems while strengthening their resilience. It relies on practical levers such as eliminating unnecessary features, limiting dependencies, reducing resource consumption, and optimizing code.
At Davidson consulting, we design our own solutions—and those of our clients—around rigorous Secure by Design practices, application resilience, and advanced maintainability, while incorporating eco-design principles whenever possible. This approach guarantees systems that are robust, scalable, and adapted to both business and operational constraints. For example, we maintain an ongoing technology watch, provide regular training for our developers on secure development best practices (particularly against the risks identified in the OWASP Top 10 and by ITrust), and run awareness campaigns.
Security is embedded from the very first design phase as part of our DevSecOps strategy.

Alexis Poirot
What if you integrated Secure by Design into your next projects?
Talk to our experts: securite@davidson.fr