In this article, we will discuss my all-time favorite security topic: Defense-in-Depth.
Encountering this secure design principle while studying for a certification was the first time I already knew a topic before reading about it. I had often argued that good security is layered security; it was a major point whenever I was questioned, at work and elsewhere, about the need for multiple security measures. At work, the focus was on building security into every phase of the software development cycle. Fortunately, the need to argue is decreasing: a glance at the security news shows the importance of securing the software, its dependencies, the operating system, and even the tools used for deployment and maintenance. The tools we use to enforce security may themselves need a further layer of protection.
In a surveillance state, layers of watchers are placed in the different zones of a citizen's life: the workplace, the child's school, the hospital, and other government institutions. Further layers of surveillance cover the people who conduct the surveillance. In software, by contrast, the layers exist for the benefit of the end user.
Back to our topic: defense in depth is exactly that, adding multiple layers of protection so that if one layer is breached, a subsequent layer still provides protection.
How many layers are needed? As always, it depends.
The idea has military origins: successive barriers slow the attacker down and guarantee a fallback position if one barrier is compromised. The same logic applies to software.
Software Defense-In-Depth
The first layer of security should cover the environment the client reaches first. For web software this layer should include DDoS protection and automated filtering of hostile traffic, such as a web application firewall (WAF). For software installed on the client's machine we depend on the client's own measures: keeping the operating system updated and running antivirus, a host firewall, and other anti-malware tools to keep the system healthy.
The next layers should protect the software itself against external attacks. Input handling is usually the entry point into any program, so input validation deserves a layer of its own, independent of whatever filtering happens at the edge.
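As an added example (not code from the original article), the following Python sketch models the layers just described with three controls that are deliberately different in kind: a hypothetical, naive edge filter that mimics a WAF blocklist on the raw query string, strict allowlist validation inside the application, and a parameterised query at the data-access layer. The request strings, the table contents, and the blocklist pattern are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Layer 1 (edge): a hypothetical, simplified WAF-style blocklist applied to the
# raw query string. It deliberately does not percent-decode first, which is a
# real weakness of naive signature filters and is what the example exploits.
EDGE_BLOCKLIST = re.compile(r"(?i)'|--|;|\bunion\b|\bor\b\s+\d+\s*=\s*\d+")

def edge_filter(raw_query: str) -> bool:
    """True if the edge layer lets the request through."""
    return EDGE_BLOCKLIST.search(raw_query) is None

# Layer 2 (application): allowlist validation of the *decoded* parameter.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(value: str) -> bool:
    """Accept only short alphanumeric usernames; everything else is rejected."""
    return USERNAME_RE.fullmatch(value) is not None

# Layer 3 (data access): a parameterised query. Even a hostile value that
# reached this point would be bound as data, never interpreted as SQL.
def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn

def lookup_role(conn: sqlite3.Connection, username: str):
    row = conn.execute("SELECT role FROM users WHERE name = ?",
                       (username,)).fetchone()
    return row[0] if row else None

def handle_request(conn: sqlite3.Connection, raw_query: str):
    """Run one request through all three layers.

    Returns (stopped_by, result) where stopped_by is "edge", "validation",
    or None when the request was served.
    """
    if not edge_filter(raw_query):
        return ("edge", None)
    params = parse_qs(raw_query)              # percent-decodes the values
    username = params.get("name", [""])[0]
    if not validate_username(username):
        return ("validation", None)
    return (None, lookup_role(conn, username))

if __name__ == "__main__":
    conn = setup_db()
    # Constructed sample requests: a benign one, a plain injection attempt,
    # and the same attempt percent-encoded so the edge filter never sees it.
    for q in ("name=alice",
              "name=' OR 1=1 --",
              "name=%27%20OR%201%3D1%20%2D%2D"):
        print(f"{q!r:40} -> {handle_request(conn, q)}")
```

The encoded request is the point: the edge layer passes it, the application layer stops it, and if validation were missing as well, the parameterised query would still return nothing rather than every row. No single layer is trusted to be perfect.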
This security principle comes with two core concepts:
Security Zone
The concept of security zones is shared across security disciplines: physical, network, and software security. Layered defense can be difficult to picture because the structure of the system determines how the zones should be drawn, and the number of zones required depends on the specific situation.
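To make the zone idea concrete, here is an added example (not from the original article) in Python that models a three-tier layout as ordered trust zones with a default-deny allowlist of flows. The zone names, ports, and rule sets are constructed for illustration. The check worth having is the lint: a rule that lets traffic jump straight from the DMZ to the database tier removes a layer, and the shortest-path search shows how many zones an attacker would have to cross under each rule set.

```python
from collections import deque
from typing import List, NamedTuple, Optional

# Constructed example: trust zones ordered from least to most trusted.
ZONES = ["internet", "dmz", "app", "db"]
RANK = {zone: i for i, zone in enumerate(ZONES)}

class Rule(NamedTuple):
    src: str
    dst: str
    port: int

def is_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is permitted only if an explicit rule matches."""
    return Rule(src, dst, port) in rules

def skipped_zones(rule: Rule) -> List[str]:
    """Zones an inbound rule jumps over on its way to a more trusted tier."""
    s, d = RANK[rule.src], RANK[rule.dst]
    return ZONES[s + 1:d] if d > s + 1 else []

def lint_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that bypass an intermediate zone, i.e. holes in the layering."""
    return [r for r in rules if skipped_zones(r)]

def attack_path(rules: List[Rule], src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of permitted hops from src to dst, or None if unreachable.

    Each hop is a zone an attacker would have to compromise in turn; the
    length of the path is the number of layers standing in the way.
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        if zone == dst:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for r in rules:
            if r.src == zone and r.dst not in prev:
                prev[r.dst] = zone
                queue.append(r.dst)
    return None

# Constructed rule sets: a clean three-tier policy and the same policy with
# a "convenience" shortcut from the DMZ straight to the database.
GOOD_RULES = [Rule("internet", "dmz", 443),
              Rule("dmz", "app", 8080),
              Rule("app", "db", 5432)]
BAD_RULES = GOOD_RULES + [Rule("dmz", "db", 5432)]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "lint:", lint_rules(rules))
        print(name, "internet->db path:", attack_path(rules, "internet", "db"))
```

With the clean rule set an attacker must compromise the DMZ and the application tier before reaching the database; the shortcut rule collapses that to one hop, which is exactly what the lint flags.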
Diversity of Defense
This is the other common-sense part of the defense-in-depth principle: the security controls implemented or positioned at the various layers should differ from one another, so that a single flaw or a single bypass technique does not defeat every layer at once. This extends to the physical realm as much as to the digital one.
Photo by Evgeniy Surzhan on Unsplash.