Reviews

Secure by Design by Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano

henrik_w's review


5.0

The key insight in this book is that good software design often leads to good security. Therefore, you don’t have to choose between features and security – you can have both at the same time. The most important idea in this regard is domain primitives. Never represent anything as a primitive type (string, int, float, etc.). Instead, create custom classes that capture the domain restrictions. For example, the quantity of books ordered should not be an int. Instead, it should be a Quantity value object that can only have values between 1 and (say) 240. By tightly defining what valid values are, a lot of security problems are avoided.
Other ideas have the same goal – to restrict what should be possible to do. Only include valid actions and nothing else. This includes immutability, complete objects at construction, tailored methods instead of generic getters and setters etc.
There is also a lot of good advice on how to protect against denial of service attacks (validate incoming data in the right order), how to include security tests in the test suites, and on how to use exceptions. There are lots of code examples in Java that make the ideas clear.
I really liked Secure by Design, because it shows concrete ideas you can start using right away. I have written a longer review on my blog: https://henrikwarne.com/2020/03/22/secure-by-design/
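The Quantity domain primitive that the review describes, written out as an added Java example (it is not a listing from the book and not the reviewer's code): it assumes the 1 to 240 range quoted above, makes the object immutable and complete at construction, exposes a tailored operation instead of generic setters, and orders its input checks so that the cheap null, length and character checks run before the parse. The class name Quantity comes from the review; the method names and the three-character input limit are assumptions made for the example.

```java
import java.util.Objects;

/**
 * Added example of a domain primitive: an order quantity.
 * Assumption: valid quantities are whole numbers from 1 to 240, the range
 * quoted in the review above. No instance can exist with any other value.
 */
public final class Quantity {
    private static final int MIN = 1;
    private static final int MAX = 240;
    // "240" is three characters, so longer input can never be valid (assumed limit)
    private static final int MAX_INPUT_LENGTH = 3;

    private final int value;

    // Private: every instance goes through a validating factory method
    private Quantity(int value) {
        this.value = value;
    }

    /** Construct from an already-numeric value; rejects anything out of range. */
    public static Quantity of(int value) {
        if (value < MIN || value > MAX) {
            throw new IllegalArgumentException(
                "quantity must be between " + MIN + " and " + MAX + ", got " + value);
        }
        return new Quantity(value);
    }

    /**
     * Construct from untrusted text such as a request parameter.
     * Checks run cheapest first: null, then length, then character set,
     * so oversized input is dropped before any parsing work is spent on it.
     */
    public static Quantity parse(String raw) {
        Objects.requireNonNull(raw, "quantity is required");
        String trimmed = raw.trim();
        if (trimmed.isEmpty() || trimmed.length() > MAX_INPUT_LENGTH) {
            throw new IllegalArgumentException("quantity has invalid length");
        }
        // ASCII digits only: this also keeps Integer.parseInt from accepting
        // other Unicode digit characters or a sign
        if (!trimmed.chars().allMatch(c -> c >= '0' && c <= '9')) {
            throw new IllegalArgumentException("quantity must be ASCII digits only");
        }
        return of(Integer.parseInt(trimmed)); // at most 3 digits, cannot overflow
    }

    /** Tailored operation instead of a setter: returns a new, still-validated value. */
    public Quantity plus(Quantity other) {
        return of(this.value + other.value);
    }

    public int value() {
        return value;
    }

    @Override
    public boolean equals(Object o) {
        return o instanceof Quantity && ((Quantity) o).value == value;
    }

    @Override
    public int hashCode() {
        return Integer.hashCode(value);
    }

    @Override
    public String toString() {
        return "Quantity(" + value + ")";
    }

    public static void main(String[] args) {
        Quantity q = Quantity.parse(" 12 ");
        System.out.println(q);
        System.out.println(q.plus(Quantity.of(3)));
        // Constructed sample inputs: each one must be rejected
        for (String bad : new String[] {"0", "241", "-5", "1e3", "\u0663\u0662", "99999999999"}) {
            try {
                Quantity.parse(bad);
                System.out.println("unexpectedly accepted: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The point of the class is that code receiving a Quantity never has to re-check it: the range is enforced once, at the only place an instance can be created, and there is no setter through which a valid object could later be made invalid.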

lotusmeristem555's review against another edition


5.0

A very interesting book which taught me a lot. I understood why some things in the monolith product I was working in were the way they were and I learned some important ideas and thought methodologies for my own private coding projects.