secure-by-design
Secure by Design principles knowledge base for assessing adherence to security-first design, development, and deployment practices across the software lifecycle - Brought to you by microsoft/hve-core.
Best use case
secure-by-design is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using secure-by-design should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/secure-by-design/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How secure-by-design Compares
| Feature / Agent | secure-by-design | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Secure by Design principles knowledge base for assessing adherence to security-first design, development, and deployment practices across the software lifecycle - Brought to you by microsoft/hve-core.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Secure by Design — Skill Entry

This `SKILL.md` is the **entrypoint** for the Secure by Design skill. The skill synthesizes the **UK Government Secure by Design Principles** (10 principles) and the **Australian ASD/ACSC Secure by Design Foundations** (6 foundations) into structured, machine-readable references that an agent can query to identify, assess, and improve adherence to secure-by-design practices across the software lifecycle.

## Normative references (Secure by Design)

1. [00 Principle Index](references/00-principle-index.md)
2. [01 Security Governance](references/01-security-governance.md)
3. [02 Risk-Driven Approach](references/02-risk-driven-approach.md)
4. [03 Secure Product Development](references/03-secure-product-development.md)
5. [04 Supply Chain Security](references/04-supply-chain-security.md)
6. [05 Usable Security Controls](references/05-usable-security-controls.md)
7. [06 Detect and Respond](references/06-detect-and-respond.md)
8. [07 Flexible Architecture](references/07-flexible-architecture.md)
9. [08 Minimize Attack Surface](references/08-minimize-attack-surface.md)
10. [09 Defense in Depth](references/09-defense-in-depth.md)
11. [10 Continuous Assurance](references/10-continuous-assurance.md)
12. [11 Secure Deprecation](references/11-secure-deprecation.md)

## Skill layout

* `SKILL.md` — this file (skill entrypoint).
* `references/` — the Secure by Design normative documents.
  * `00-principle-index.md` — index of all principle identifiers, categories, source mappings, and cross-references.
  * `01` through `11` — one document per synthesized principle area merging UK and AU guidance.

## Third-Party Attribution

### UK Government Secure by Design Principles

* **Copyright**: Crown Copyright, UK Government Security Group
* **License**: [Open Government Licence v3.0 (OGL-UK-3.0)](https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/)
* **Source**: <https://www.security.gov.uk/policy-and-guidance/secure-by-design/principles/>
* **Modifications**: Synthesized into structured principle-checklist format with cross-references; merged with Australian guidance into unified principle areas
* **Trademark**: Use of UK Government content does not imply endorsement

### Australian ASD/ACSC Secure by Design Foundations

* **Copyright**: © Commonwealth of Australia, Australian Signals Directorate
* **License**: [Creative Commons Attribution 4.0 (CC-BY-4.0)](https://creativecommons.org/licenses/by/4.0/)
* **Source**: <https://www.cyber.gov.au/business-government/secure-design/secure-by-design/secure-by-design-foundations>
* **Modifications**: Synthesized into structured principle-checklist format with cross-references; merged with UK guidance into unified principle areas
* **Trademark**: Use of ASD/ACSC content does not imply endorsement

---

*🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.*
Related Skills
pr-reference
Generates PR reference XML containing commit history and unified diffs between branches with extension and path filtering. Includes utilities to list changed files by type and read diff chunks. Use when creating pull request descriptions, preparing code reviews, analyzing branch changes, discovering work items from diffs, or generating structured diff summaries. - Brought to you by microsoft/hve-core
security-reviewer-formats
Format specifications and data contracts for the security reviewer orchestrator and its subagents - Brought to you by microsoft/hve-core.
owasp-top-10
OWASP Top 10 for Web Applications (2025) vulnerability knowledge base for identifying, assessing, and remediating security risks in web application environments - Brought to you by microsoft/hve-core.
owasp-mcp
OWASP MCP Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in Model Context Protocol environments - Brought to you by microsoft/hve-core.
owasp-llm
OWASP Top 10 for LLM Applications (2025) vulnerability knowledge base for identifying, assessing, and remediating security risks in large language model systems - Brought to you by microsoft/hve-core.
owasp-infrastructure
OWASP Infrastructure Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in internal IT infrastructure environments - Brought to you by microsoft/hve-core.
owasp-cicd
OWASP CI/CD Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in continuous integration and continuous delivery environments - Brought to you by microsoft/hve-core.
owasp-agentic
OWASP Agentic Security Top 10 vulnerability knowledge base for identifying, assessing, and remediating security risks in AI agent systems - Brought to you by microsoft/hve-core.
jira
Jira issue workflows for search, issue updates, transitions, comments, and field discovery via the Jira REST API. Use when you need to search with JQL, inspect an issue, create or update work items, move an issue between statuses, post comments, or discover required fields for issue creation. - Brought to you by microsoft/hve-core
hve-core-installer
Decision-driven installer for HVE-Core with 6 clone-based installation methods, extension quick-install, environment detection, and agent customization workflows - Brought to you by microsoft/hve-core
gitlab
Manage GitLab merge requests and pipelines with a Python CLI - Brought to you by microsoft/hve-core
vscode-playwright
VS Code screenshot capture using Playwright MCP with serve-web for slide decks and documentation - Brought to you by microsoft/hve-core