Introduction
In Security by Design, prevention is not merely a layer of defence—it is the foundational mindset that separates proactive security from reactive crisis management. While detection and response are essential, they address failures after they occur. Prevention, by contrast, seeks to stop security incidents from happening in the first place by embedding controls, validating assumptions, and eliminating vulnerabilities as early as possible.
A common misconception is that, because perfect prevention is impossible, effort should focus primarily on detection. While it is true that no system can be entirely immune to attack, the Security by Design approach asserts that prevention must be the first and primary line of defence. Every vulnerability that is prevented at design time eliminates a potential breach, reduces operational overhead, and avoids the unpredictable costs of incident response.
Prevention operates across multiple dimensions: architectural choices that reduce attack surface, secure defaults that eliminate risky configurations, input validation that rejects malicious data, access controls that enforce least privilege, and supply chain checks that block compromised dependencies before they enter the development pipeline. These measures are most effective when applied early—a principle often captured by the concept of “shifting left”—because vulnerabilities become exponentially more expensive to fix as they move toward production.
In this section, we will explore why prevention deserves renewed focus, how to defend against specific threats such as ransomware and zero-day attacks, and how to apply practical checklists that ensure a minimum viable level of security. Prevention does not mean perfection—but it does mean deliberate, consistent, and verifiable effort to stop threats before they can do harm.
Learning Objectives
By the end of this section, you will be able to:
Explain why prevention is the primary line of defence in a Security by Design approach
Distinguish between proactive prevention and reactive detection or response
Apply the “shift left” principle to identify and eliminate vulnerabilities earlier in the development lifecycle
Identify specific prevention strategies to defend against ransomware attacks
Describe practical techniques for preventing zero-day attacks without relying on signatures or known indicators
Define the characteristics of a Minimum Viable Secure Product (MVSP)
Recognise and mitigate supply chain risks using an open software supply chain attack reference checklist
Implement a checklist of prevention measures to embed security controls at design, development, and deployment stages
Sections
Learn more about why prevention is key when practising Security by Design in the following sections:
