Security by design integrates security from the beginning of development — secure defaults, minimal attack surface, threat modeling, input validation built-in rather than bolted on.
"Bolt-on" security (added after development) is expensive and less effective. Security by design = security built into architecture, code, and deployment from day one. "Secure by default" means the safe configuration requires no effort from users.