Security

Including a formal design step in your development process can help you achieve greater security.

Security is something that the IT industry has generally not been successful in tackling to date. The number of data breaches and security vulnerabilities being announced is surely testament to this.

We can improve the security of the software systems we write using risk management. Risk management may sound difficult and off-putting, but it's really just about thinking about what risks our systems might pose, and how we might avoid them.

An alternative to up-front risk management is to do regular threat modelling. The risk management approach we suggest is really just a lightweight form of threat modelling, but we encourage doing it before code is written, rather than at a later stage, as some processes suggest.

Surely the best time to identify risks is before they are introduced and not afterwards? If a risk is never introduced then the live system is more secure from the outset, and does not need costly rework that might impact the team's ability to deliver features.

Security is a core expectation of our customers. It is their right to expect that we treat their confidential data with care and respect, and do not allow it to fall into the wrong hands. We need to actively take steps to achieve security, and a well-formulated design process can be a significant step in the fight.

Security experts are in agreement that security cannot be put into a system as an add-on. A system will only truly be secure if security is built in from the outset, and kept as a key goal throughout the system's life.