„Security-by-design” – bezpieczeństwo systemowe ICT – w przepisach, normach i praktyce

• Autorzy: Kostkiewicz Paweł

Identyfikatory

DOI

10.15199/59.2025.4.6

Warianty tytułu

EN

“Security-by-design” – systemic ICT security – in regulations, standards, and practice

• Języki publikacji: PL

Abstrakty

PL

W niniejszym artykule przedstawiono koncepcję „Security-by-design” jako podstawową zasadę planowania, projektowania, testowania, zamawiania i oceny zgodności rozwiązań ICT. Rozwiązania te obejmują produkty cyfrowe – zarówno sprzętowe, jak i programowe – a także systemy cyfrowe, usługi ICT i procesy informatyczne. Kluczowe tematy obejmują modelowanie zagrożeń, specyfikację wymagań bezpieczeństwa, założenia projektowe, zapewnienie jakości produktu końcowego oraz pełny cykl życia produktu – od wstępnego projektu do końca eksploatacji. Artykuł przedstawia źródła powstania koncepcji, aktualny stan wiedzy oraz założenia do wdrożenia w oparciu o systemowe podejścia w oparciu o ramy normatywne, takie jak: ISO/IEC/IEEE 15288 Systems and software engineering — System life cycle processes, ISO/IEC 27034 Information technology - Security techniques - Application security, ISO/IEC 15408 Common Criteria for Information Technology Security Evaluation, and ETSI EN 303 645 Cyber Security for Consumer IoT: Baseline Requirements.

EN

This article presents the concept of “Security-by-design” as a fundamental principle in the planning, design, testing, procurement, and conformity assessment of ICT solutions. These solutions include digital products—both hardware and software— as well as digital systems, ICT services, and IT processes. Key topics covered include threat modeling, security requirements specification, design assumptions, end-product quality assurance, and the full product lifecycle—from initial design to end-of-life. The article presents the origins of the concept, the current state of knowledge, and an outline of the concept of a systematic approach to the secure design and verification of ICT solutions based on normative framework and standards such as: ISO/IEC/ IEEE 15288 Systems and software engineering — System life cycle processes, ISO/IEC 27034 Information technology - Security techniques - Application security, ISO/IEC 15408 Common Criteria for Information Technology Security Evaluation, and ETSI EN 303 645 Cyber Security for Consumer IoT: Baseline Requirements.

Słowa kluczowe

PL

cyberbezpieczeństwo; modelowanie zagrożeń; cykl życia oprogramowania; zarządzanie płatnościami; ocena zgodności; kultura bezpieczeństwa

EN

cybersecurity; threat modelling; software development lifecycle; vulneranility management; conformity assesment

• Wydawca: Wydawnictwo SIGMA-NOT
• Czasopismo: Przegląd Telekomunikacyjny + Wiadomości Telekomunikacyjne
• Rocznik: 2025
• Tom: nr 4
• Strony: 42--53
• Opis fizyczny: Bibliogr. 50 poz., rys., tab., wykr.

Twórcy

autor

Kostkiewicz Paweł

• NASK, Państwowy Instytut Badawczy

Bibliografia

• [1] ETSI (2024). ETSI EN 303 645 V3.1.3: Cyber Security for Consumer Internet of Things: Baseline Requirements. European Telecommunications Standards Institute. Link: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/03.01.03_60/en_303645v030103p.pdf
• [2] International Telecommunication Union (dalej ITU-T) (2004). ITU-T X.805: Security architecture for systems providing end-to-end communications. ITU. Link: https://www.itu.int/rec/T-REC-X.805.
• [3] Bundesamt für Sicherheit in der Informationstechnik [dalej BSI] (2024) Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products, Part 1: General Requirements. Link: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-1-0_9_0.pdf .
• [4] BSI (2024) Technical Guideline BSI TR-03185 Secure Software Lifecycle. Link: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03185/BSI-TR-03185.pdf .
• [5] NIST (2024) SP 800-218A Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile. Link: https://csrc.nist.gov/pubs/sp/800/218/a/final .
• [6] NIST (2022) SP 800-218 Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. Link: https://csrc.nist.gov/pubs/sp/800/218/final .
• [7] Digital Policy Office (Hong Kong) (2024). Practice Guide for Security by Design [PDF]. Link: https://www.govcert.gov.hk/doc/PG%20for%20Security%20by%20Design_EN.pdf.
• [8] IEEE Cybersecurity (2025) Building Code for the Internet of Things. Link: https://ieeecs-media.computer.org/media/technical-activities/CYBSI/docs/Building_Code_IoT_online.pdf.
• [9] UK Government (2025) Secure by Design Principles. National Cyber Security Centre (NCSC).Link: https://www.security.gov.uk/policy-and-guidance/secure-by-design/principles/.
• [10] Ivanti (2025). What is Secure by Design? Terminology, Benefits & Guidelines. Link: https://www.ivanti.com/glossary/secure-by-design.
• [11] 10Guards. (2025. Secure by Design: From Concept to Cybersecurity Imperative. Link: https://10guards.com/secure-by-design.
• [12] Bright Defense. (2025). Secure By Design Guide. Link: https://learn.microsoft.com/en-us/windows/security/book/
• [13] Microsoft Corporation (2023). Windows 11 Security Book: Powerful security by design [PDF]. Link: https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MSFT-Windows-11-Security-guide-RWMvI1.pdf.
• [14] Microsoft Corporation (2025) Microsoft Security Development Lifecycle Practices Link: https://www.microsoft.com/en-us/securityengineering/sdl/practices.
• [15] Oracle Corporation (2025) Oracle Corporate Security Practices Link: https://www.oracle.com/contracts/docs/corporate-security-practices-4490843.pdf.
• [16] IBM (2018). Security in Development The IBM Secure Engineering Framework Link: https://www.redbooks.ibm.com/redpapers/pdfs/redp4641.pdf .
• [17] [IBM] IBM (2025) IBM Well-Architected Framework Link: https://www.ibm.com/architectures/well-architected/security
• [18] Mozilla Foundation. (2024). Mozilla Security Principles. Link: https://infosec.mozilla.org/fundamentals/security_principles.html
• [19] Infosys Limited. (2020). Security by design. Link: Security by design
• [20] CISA (2023) Secure By Design Pledge. Cybersecurity and Infrastructure Security Agency. Link: https://www.cisa.gov/securebydesign/pledge
• [21] European Commision (2019). Cybersecurity Act. Link: https://eur-lex.europa.eu/eli/reg/2019/881
• [22] NIST (2020). NIST Special Publication 800-160 Vol. 1: Systems Security Engineering. Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems; Link: https://doi.org/10.6028/NIST.SP.800-160v1
• [23] OWASP Foundation(2021) OWASP Top 10 Link: https://owasp.org/Top10/
• [24] CSA (Cloud Security Alliance). (2023). Cloud Controls Matrix (CCM). Link: https://cloudsecurityalliance.org/research/ccm/
• [25] European Commission (2024). Cyber Resilience Act (CRA) Regulation (EU) 2024/2847. Link: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
• [26] Israel National Cyber Directorate - Supply Chain Guide. Link: https://www.gov.il/he/pages/supply_chain_guide
• [27] [SBDP] CISA, NSA, FBI, ACSC, CCCS, CERT NZ, NCSC-NZ, NCSC-UK, BSI, NCSC-NL, NCSC-NO, NÚKIB, INCD, KISA, NISC-JP, JPCERT/CC, CSA, CSIRTAMERICAS (2023) Shifting the Balance of Cybersecurity Risk (Principles and Approaches for Secure by Design Software). Link: https://www.cisa.gov/sites/default/files/2023-10/Shifting-the-Balance-of-Cybersecurity-Risk-Principles-and-Approaches-for-Secure-by-design-Software.pdf.
• [28] Michael Benis (2023). Unlocking Cyber Resilience: INCD Cyber Supply Chain Methodology Explained. Link: https://www.linkedin.com/pulse/unlocking-cyber-resilience-incd-supply-chain-explainedmichael-benis-kyjnf/
• [29] Serge Drolet (2024) Évoluer avec l’approche Secure by design. Link: https://owasp.org/www-chapter-quebec-city/assets/presentations/OWASPSecureByDesign20241017.pdf + 2024/10/17 - Secure by Design et DevSecops | OWASP Foundation
• [30] ISO ISO 31700-1:2023 Consumer protection — Privacy by design for consumer goods and services — Part 1: High-level requirements. https://www.iso.org/obp/ui/en/#iso:std:iso:31700:-1:ed-1:v1:en
• [31] Madhu Murty (2025) The Hidden Cost of Ignoring Quality Early: Why Shift Left Still Hasn’t Shifted Minds. Link: https://www.linkedin.com/pulse/hidden-cost-ignoring-quality-early-why-shift-leftstill- madhu-murty-lpeke/
• [32] Fortinet (2025) What Is Shift Left Security? Link: https://www.fortinet.com/resources/cyberglossary/shift-left-security
• [33] Invi Grid (2025) Difference Between Security by Design and Shift Left. Link: https://www.invigrid.com/post/difference-betweensecurity-by-design-and-shift-left
• [34] NCSC (2024) GovAssure announcements and newsletters - UK Government Security – Beta
• [35] ISO (20211) ISO/IEC 27034-1:2011 Information technology — Security techniques — Application security Part 1: Overview and concepts
• [36] [SLA] Casola V. and others. A novel Security-by-design methodology: Modeling and assessing security by SLAs with a quantitative approach
• [37] [CyberMyths] Spafford E.H., Metcalf L., Dykstra J..(2023) Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us.
• [38] [BHLD] Peretz Renana Arizon, Hadar Irit, and Gil Luria (2022) The Importance of Security Is in the Eye of the Beholder: Cultural, Organizational, and Personal Factors Affecting the Implementation of Security by Design
• [39] [SEB-Fuchs] A. Fuchs and C. Rudolph „Security Engineering Based on Structured Formal Reasoning,” (2012) ASE/IEEE International Conference on BioMedical Computing (BioMedCom).
• [40] NIST SP 800-37, Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy
• [41] NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations.
• [42] [HOWDEN] https://www.howdengroup.com/sites/corporate.howdenprod.com/files/2023-07/9100%20Cyber%20Report%20 June%2023%20v04.pdf
• [43] [AUCS] ACSC (2023) Australian Cybers Security Strategy https://www.homeaffairs.gov.au/cyber-security-subsite/files/2023-cyber-security-strategy.pdf
• [44] [KELA] KELA (2025) AI Threat Report How cybercriminals are weaponizing AI technology. Link: https://info.ke-la.com/hubfs/Reports/KELA%20Report%20-%202025%20AI%20Threat%20 Report.pdf
• [45] [LWFR] E.Lostri, J.Sherman (2024) “Security by Design” in Practice: Assessing Concepts, Definitions, and Approaches Link: https://s3.documentcloud.org/documents/25049674/sbd_lostrisherman_final.pdf
• [46] [ANDER] (1972) Computer Security Technology Planning Study. Link: https://apps.dtic.mil/sti/tr/pdf/AD0772806.pdf
• [47] [GITHUB] Daigle K., GitHub Blog (2025) Octoverse: The state of open source and rise of AI in 2023. Link: https://github.blog/news-insights/research/the-state-of-open-source-and-ai
• [48] [BLDCK] BlackDuck (2025) 2025 Open Source Security and Risk Analysis Report. Link: https://www.blackduck.com/content/dam/black-duck/en-us/reports/rep-ossra.pdf
• [49] [X.800] ITU-T (1991) X.800: Security Architecture for Open Systems Interconnection for CCITT Applications
• [50] [ITUSEC] ITU-T (2024) Handbook ITU-T SEC-MANUAL (09/2024) - Security in telśecommunications and information technology (8th edition) Link: https://www.itu.int/epublications/publication/itu-t-sec-manual-2024-09-security-in-telecommunications-andinformation- technology-8th-edition

Uwagi

Opracowanie rekordu ze środków MNiSW, umowa nr POPUL/SP/0154/2024/02 w ramach programu "Społeczna odpowiedzialność nauki II" - moduł: Popularyzacja nauki (2025).