Defense in Depth

19 September 2023

Developing systems that expose sensitive information on the internet requires us as developers and architects to think about security at all times. The classic model with only a strong perimeter defense is no longer suitable for modern architecture.

As a result of this our role has changed, and we need to shoulder a larger responsibility for the security of the applications and services we develop.

With the contents gathered on this page we describe what you need in order to build a system that is secure by design, with security controls in multiple layers according to the principles of defense in depth, least privilege and zero trust.

The contents are based on Omegapoint’s collective experience building, operating, defending and (ethically) attacking systems and organizations.

Perimeter defense vs. Defense in depth

We recommend starting with the article on Secure Architecture which gives an overview of how these principles affect our architecture. It also sets the context for our seven part article series covering the following topics.

Secure Architecture 1: Identity modelling 2: Claims-based access control 3: Clients and sessions 4: Secure APIs 5: Infrastructure and data storage 6: Web browsers 7: Summary

Further in-depth material based on the article series with code examples can be found here.

Secure APIs by design Test driven application security

These articles are accompanied by implementations in Java and .NET. Source code repositories are available on Github at:

Defense in depth .NET Defense in depth Java