Secure Controls Framework
Download The SCF

Secure Engineering & Architecture (SEA)

Domain Principle

Apply industry-recognized secure engineering and architecture principles to deliver secure, compliant and resilient systems, applications and services.

Domain Intent

Organizations align cybersecurity engineering and architecture decisions with the organization’s technology strategy and industry-recognized practices, including secure-by-design, threat modeling, resilience engineering and defensible architecture decisions.

Domain Guide

Security built into systems from the beginning is materially less expensive and more effective than security bolted on afterward. The SEA domain governs the application of secure engineering and architecture principles throughout the design and development of systems, applications and services, including secure-by-design, threat modeling, resilience engineering and defensible architecture decisions.

 

The SCF's intent for SEA aligns security architecture and engineering the organization's technology strategy, not just with security team preferences. Secure architecture decisions that ignore business and technology context don't get implemented. SEA requires that cybersecurity engineering align with where the organization is actually going technically, which demands engagement between security architects and the teams designing systems.

 

Threat modeling is where SEA delivers outsized return. Organizations that skip it during design spend more fixing the wrong threat surfaces than they would have spent modeling them upfront. Identifying an attack path in an architecture diagram costs a whiteboard session; finding the same path through penetration testing costs weeks and often a redesign.