Defense Theory Explained in Depth: Meaning and Approach

The in-depth defense principle is something that is widely discussed in pretty much every web development community when someone mentions the keyword “web application security”. But what exactly is it and why is it so important? That is what we are going to find out in this article.

What is Defense in Depth?

Defense in depth is a security strategy referring to the approach of using multiple layers of security to protect an application (a so-called “assets.”) This illustration illustrates the Defense in Depth strategy in its entirety. Imagine the center of the circle as your application. Whatever is around it will be part of a defense-intensive strategy.

You get the point – the more layers that surround your web application, the more secure it becomes. Obviously, there’s another side to this as well – the better the security of your web application, the worse user-friendly it can be, so you really need to aim to get the best of both worlds. The goal of most security engineers in the web application space is to get a good CDN (Cloudflare, or the same Imperva) to protect the first layer of their web application with WAF, some aimed at implementing access control, some aimed at bots. Is for security’s sake, protect some logins as well.

deep use of defense

It’s good to understand Defense in depth, but remember that we really have to practice what we preach – in other words, we need to use the capabilities that Defense provides deeply to protect our web applications. needed. We’ve touched on some of this in the topic above (protecting web applications with WAF, implementing access control, etc.), but there’s more to it than just harnessing the capabilities provided by WAF – Defense in Depth Due to the fact that we must secure not only our web application, but also everything behind it: look closely at the circle above – there are also administrative controls, technical controls, and physical controls. Technical controls come down to the technical stuff discussed above, physical controls can come down to physical security of your office perimeter (having security personnel near the entrance to the office building, etc.), and administrative controls are mostly based on policy and procedures. This can mean giving information only to those who absolutely need to know it, ensuring that guidelines defining personnel or business practices are created in accordance with an organization’s security goals and they remain the same. A proper defense-intensive strategy allows our security practices to “slip” – even if one of them is not in place or fails, the presence of the others is enough to guarantee a good security posture. Say, if our WAF fails and we have services like BreachDirectory that protect our organization from identity theft attacks, we’ll be in good hands no matter what – see it all goes so well together How does it work?

Defense in depth into the future

Some security experts say that in-depth defense is also a necessity for the future – as threats posed to web applications are only believed to increase, we can assume that future defense-intensive practices will become more and more relevant. Will be In the future, we may have not only physical and web application security protections, but also remote and home-office security installments (as remote work is the new normal and as more and more people start working remotely). let’s do, we can start to see some home-office security stuff hitting the market), etc.

Whether or not we will see these types of tools, however, obviously depends on how things play out in the future and the potential market demand, but we can be almost sure that the intensive strategies employed now will include defense similar 10 or even more. That won’t happen 5 years down the line.


Defense-in-Depth is a great tool to increase the security posture of any organization and application alike – employing some of the strategies outlined in this article will ensure that both your application and the organization face any threat. ready to do. We hope that the information contained in this article was informative and that you will make good use of it when protecting your organization or web application from internal and external threats – by running a search through BreachDirectory to ensure your employees are protected Make sure their information isn’t even involved in any data breach, and until next time!

Leave a Comment