Defence in Depth

Information security generally refers to defending information from unauthorized access, use, disclosure, disruption, modification or deletion from threats. Organizations are constantly facing threats that exist both externally as well as internally — be they from nation states, political activists, corporate competitors or even disgruntled employees.

Defending an organization from these threats is hard because it requires a significant amount of effort, insight and investment. It’s also difficult for non-technical users to appreciate its importance; that is, until a security breach cripples or even destroys the most carefully constructed organization. For this reason, it is important to understand the concept of defence in depth when tasked with defending an organization from threats.

It is critical to understand that security is always “best effort”. No system can ever be 100% secure because factors outside of the designers’ control might introduce vulnerabilities. An example of this is the use of software that contains 0-day bugs — undisclosed and uncorrected application vulnerabilities that could be exploited by an attacker.

Defence in depth is the principle of adding security in layers in order to improve the security posture of a system as a whole. In other words, if an attack causes one security mechanism to fail, the other measures in place continue to deter, and ideally prevent, the attack.

Comprehensive strategies for applying the defence in depth principle extend well beyond technology and into the physical realm. These can take the form of appropriate policies and procedures, training and awareness, physical and personnel security, as well as risk assessments and procedures to detect and respond to attacks in time. These measures, crucial though they might be, are only physical measures for preventing what is ostensibly an information security problem.

This is the start of a series of articles that will focus on how defence in depth principles can apply to web applications and the network infrastructure they operate within. This six-part series will also offer a number of pointers (by no means an exhaustive list) which can be used to improve the security of web applications.


Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.