Before we start

What is Security by Design?

15 August 2017

Software, hardware and security are subjects that have always been very closely linked. And yet, in the light of increasing networking with the Internet, they will have to dovetail even more closely in the future if protection is to be guaranteed. But something that sounds like common sense is still far from common practice in many sectors. In a digital and networked world, TÜV NORD is the byword for security and trust – which is why the company is continuing to break new ground with the Security by Design principle. Exactly what is involved here is the subject of this brief interview with Markus Wagner from TÜViT, a subsidiary of the TÜV NORD GROUP.

#explore: What is Security by Design?
Markus Wagner: This formulation is relatively easy to explain: What the term means is that security requirements on software and hardware need to be considered right from the development phase of a product so that security vulnerabilities don’t crop up later. After all, the longer the project goes on, the more the costs of eliminating vulnerabilities increase.

“We’re helping companies with the actual implementation of guidelines that have previously been defined.“

Markus Wagner

#explore: Is this issue relevant to all sectors?
Markus Wagner: Yes, I’ve no doubt that all industries are going to have to pay attention to it in the medium term. Security by Design has an important role to play, especially in the Internet of Things. And what needs to happen here is that security mechanisms need to be taken into account when the equipment is first developed. This is because the increasing networking of devices and sensors over the Internet and the fact that ever larger numbers of processes use software to run is opening up new fronts for undesired attacks. The Security-by-Design approach ensures significantly better quality and increases the resistance of hardware and software to attack.

With chip cards, for instance, it became necessary years ago to observe a relatively high security standard. However, a lot of industries are now looking at the Security by Design issue for the first time. To take just one example, there have never been any security requirements for what are known as smart meter gateways, which receive measurements from electricity meters and process and send them on to energy providers. This is now changing.

#explore: Why is Security by Design an important issue for TÜViT?
Markus Wagner: As IT professionals, we’re dealing with this issue on several levels. On the one hand, associations and federal agencies are commissioning us with the task of coming up with minimum standards for greater product security. Data transfer is one specific example of this. Users need to be able to rely on the secure and encrypted transfer of their data so that it can’t be intercepted by third parties. We’re also advising manufacturers on the implementation of the Security by Design principle. We’re helping companies with the actual implementation of guidelines that have previously been defined. Finally, we’re also testing software for security – meaning that TÜViT is involved in all the stages from the initial concept and design right through to certification. It must be said, however, that different departments and staff are responsible for the different phases, so that it isn’t down to one single individual to write the guidelines, advise the customer on them and, finally, to conduct the test. This is how we safeguard our independence.


Markus Wagner works in the IT security department at TÜViT, where he is responsible for areas including the specification of software guidelines.