Defence in Depth

19 September 2023

Developing systems that expose sensitive information on the internet requires us as developers and architects to think about security at all times. The classic model with only a strong perimeter defence is no longer suitable for modern architecture.

As a result of this our role has changed, and we need to shoulder a larger responsibility for the security of the applications and services we develop.

With the contents gathered on this page we describe what you need in order to build a system that is secure by design, with security controls in multiple layers according to the principles of defence in depth, least privilege and zero trust.

The contents are based on Omegapoint’s collective experience building, operating, defending and (ethically) attacking systems and organizations.

Perimeter defence vs. Defence in depth

We recommend starting with the article on Secure Architecture which gives an overview of how these principles affect our architecture. It also sets the context for our seven part article series covering the following topics.

Secure Architecture 1: Identity modelling 2: Claims-based access control 3: Clients and sessions 4: Secure APIs 5: Infrastructure and data storage 6: Web browsers 7: Summary

Further in-depth material based on the article series with code examples can be found here.

Secure APIs by design Test driven application security

These articles are accompanied by implementations in Java and .NET. Source code repositories are available on Github at:

Defence in depth .NET Defence in depth Java

Defence in depth presentations

We also do presentations based on this content at international conferences. Recordings from some of them are available online:

OAuth2/OIDC security weaknesses and pitfalls

Presented at NDC Security 2024 by Tobias Ahnoff and Pontus Hanssen.

How to f*ck up at OAuth2 while following BCPs

Presented at Security Fest 2023 by Tobias Ahnoff and Pontus Hanssen.

Test driven application security

Presented at NDC Security 2023 by Tobias Ahnoff and Martin Altenstedt.

Defence in depth as Code

Presented at NDC Oslo 2021 by Tobias Ahnoff and Martin Altenstedt.

Implement defence in depth for your Java API:s

https://www.youtube.com/watch?v=_7fFm8e8UpM

Presented at JFokus 2022 by Tobias Ahnoff and Erica Edholm.

Other media

Video recordings of additional “Defence in Depth” presentations (in Swedish) can be found at https://omegapoint.se/academy-plus.

The book “Secure by Design” https://www.manning.com/books/secure-by-design covers many of the topics on this site.