Defense in Depth
A security strategy employing multiple layers of protection so that if one defense fails, others remain to prevent or detect the attack.
Description
Defense in depth is a security strategy that implements multiple, overlapping layers of protection throughout a system. Borrowed from military strategy, the principle recognizes that no single security control is perfect -- any individual measure can be bypassed, misconfigured, or have unknown vulnerabilities. By layering defenses, the overall security posture remains strong even when individual components fail, forcing attackers to overcome multiple independent barriers.
In web application security, defense in depth manifests across multiple tiers. The network layer provides firewalls, WAFs, DDoS protection, and network segmentation. The infrastructure layer adds OS hardening, container isolation, and least-privilege access controls. The application layer implements input validation, output encoding, authentication, authorization, and session management. The data layer provides encryption at rest and in transit. The monitoring layer adds logging, intrusion detection, and alerting. Each layer catches what the previous layer missed.
The practical value of defense in depth is evident in common security scenarios. If an XSS payload bypasses input validation, output encoding catches it. If output encoding has a gap, Content Security Policy blocks the script execution. If CSP is misconfigured, HttpOnly cookies prevent session theft. No single control was perfect, but the combination prevented the attack from succeeding. This philosophy should guide all security architecture decisions -- never rely on a single control; always ask what catches the failure of each defense.
Prompt Snippet
Architect security as layered, independent controls: WAF rules (AWS WAF, Cloudflare) at the edge, rate limiting and IP reputation at the load balancer, input validation with Zod schemas at the API boundary, parameterized queries at the data access layer, output encoding at the rendering layer, CSP headers at the browser level, and audit logging at every tier. Design each layer to operate independently so a bypass at one level is caught by the next. Document your defense layers per OWASP category in a security architecture diagram and identify single points of failure where only one control exists. Run tabletop exercises to validate layered defenses against realistic attack scenarios.
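The XSS scenario in the description and the layer list in the prompt snippet can be shown in one small handler. The following is an added example, not code from this page or from any project it names: a Node.js comment endpoint where input validation, output encoding, a CSP header, HttpOnly session cookies and audit logging are each applied independently. The validation step is a hand-rolled check standing in for a Zod schema (an assumption, so the block runs without dependencies), and it deliberately allows `<` in comment text so that the later layers are the ones that stop the payload; the payload string and session id are constructed sample values.

```javascript
// Added example (not from the page): five independent layers against stored XSS
// in a comment endpoint. Each layer is written as if the others may fail.

// Layer 1: input validation at the API boundary. This hand-rolled check stands in
// for a Zod schema (assumption: no external library so the example runs offline).
// Deliberate gap: comment text may contain '<', so later layers get exercised.
function validateComment(body) {
  if (body === null || typeof body !== 'object') return { ok: false, error: 'body must be an object' };
  const { author, text } = body;
  if (typeof author !== 'string' || !/^[A-Za-z0-9_ ]{1,32}$/.test(author)) {
    return { ok: false, error: 'author must be 1-32 alphanumeric characters' };
  }
  if (typeof text !== 'string' || text.length === 0 || text.length > 1000) {
    return { ok: false, error: 'text must be 1-1000 characters' };
  }
  return { ok: true, value: { author, text } };
}

// Layer 2: output encoding at the rendering layer, applied to every untrusted
// value interpolated into HTML regardless of what validation accepted.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Layer 3: Content Security Policy at the browser level. Even if markup with a
// script tag reached the page, inline and third-party script execution is refused.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'";

// Layer 4: session cookie flags. HttpOnly keeps the session id out of reach of
// page script; Secure and SameSite limit transport and cross-site sending.
function sessionCookie(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Layer 5: audit logging, so a bypass that gets past one layer is still visible.
const auditLog = [];
function audit(event, detail) {
  auditLog.push({ ts: new Date().toISOString(), event, detail });
}

// The handler runs every layer; none is skipped because an earlier one "passed".
function handleComment(body, sessionId) {
  const baseHeaders = {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': CSP,
    'X-Content-Type-Options': 'nosniff',
    'Set-Cookie': sessionCookie(sessionId),
  };
  const checked = validateComment(body);
  if (!checked.ok) {
    audit('validation_rejected', checked.error);
    return { status: 400, headers: baseHeaders, body: '<p>invalid comment</p>' };
  }
  const { author, text } = checked.value;
  // Detection hook: validation let this through, but it is still worth flagging.
  if (/<\s*script/i.test(text)) audit('suspicious_input', { author, sample: text.slice(0, 40) });
  const html = `<article><b>${encodeHtml(author)}</b><p>${encodeHtml(text)}</p></article>`;
  audit('comment_rendered', { author });
  return { status: 200, headers: baseHeaders, body: html };
}

// Stand-alone demo with a constructed payload (sample value for illustration).
if (typeof require !== 'undefined' && require.main === module) {
  const res = handleComment({ author: 'alice', text: '<script>alert(1)</script>' }, 'sid-123');
  console.log(res.status, res.body);
  console.log(auditLog);
}
```

Tracing the sample request through `handleComment` shows the layering: validation accepts the text (its gap), encoding turns the tag into `&lt;script&gt;`, the CSP header would refuse execution even if encoding had a gap, the cookie flags keep the session out of reach even if a script ran, and the audit entry records the suspicious input either way. Removing any one function leaves the others still standing, which is the property the prompt snippet asks you to document per layer.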
Related Terms
Principle of Least Privilege
A security principle requiring that every user, process, and system component be granted only the minimum permissions necessary to perform its function.
Security Headers
HTTP response headers that instruct browsers to enable security mechanisms, reducing the attack surface of web applications.
OWASP Top 10
A standard awareness document listing the ten most critical web application security risks, maintained by the Open Web Application Security Project.
Threat Modeling
A structured process for identifying, quantifying, and addressing security threats to a system during the design phase.