Implementing Defense in Depth
Quick Start
- Perimeter - WAF, DDoS protection, rate limiting, IP filtering
- Network - VPC, security groups, mTLS, network policies
- Application - Input validation, output encoding, CSRF, CSP
- Data - Encryption at rest/transit, access control, classification
- Identity - MFA, least privilege, session management
- Monitoring - Logging, alerting, anomaly detection across all layers
Features
| Feature | Description | Guide |
|---|---|---|
| Layered Protection | 5+ independent security barriers | Each layer catches what others miss |
| Perimeter Security | First line of defense | WAF rules, rate limits, DDoS protection |
| Network Isolation | Segment and protect internal comms | VPC subnets, security groups, mTLS |
| Application Security | Secure code and request handling | Validate input, encode output, CSP headers |
| Data Protection | Protect data at rest and in transit | AES-256-GCM, field-level encryption |
| Identity Security | Authentication and authorization | MFA, RBAC, secure sessions |
Common Patterns
Security Layers Architecture
```
+--------------------------------------------------+
|                LAYER 1: PERIMETER                |
|    WAF | DDoS | Rate Limiting | IP Filtering     |
+--------------------------------------------------+
                        |
                        v
+--------------------------------------------------+
|                 LAYER 2: NETWORK                 |
|      VPC | Security Groups | TLS Everywhere      |
+--------------------------------------------------+
                        |
                        v
+--------------------------------------------------+
|               LAYER 3: APPLICATION               |
| Input Validation | Output Encoding | CSRF | CSP  |
+--------------------------------------------------+
                        |
                        v
+--------------------------------------------------+
|                  LAYER 4: DATA                   |
|    Encryption at Rest | Encryption in Transit    |
+--------------------------------------------------+
                        |
                        v
+--------------------------------------------------+
|                LAYER 5: IDENTITY                 |
|    MFA | Least Privilege | Session Management    |
+--------------------------------------------------+

CROSS-CUTTING: Logging | Alerting | Anomaly Detection
```
Network Security Groups (Example)
```yaml
loadBalancer:
  inbound: [443 from 0.0.0.0/0]
  outbound: [8080 to application-sg]
application:
  inbound: [8080 from load-balancer-sg]
  outbound: [5432 to database-sg, 443 to external]
database:
  inbound: [5432 from application-sg]
  outbound: []  # No outbound
```
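The three-tier layout above is only least-privilege while every rule stays paired with its counterpart and the database keeps no egress. The following added example (not part of the original skill) re-encodes the page's own security groups as Python data and checks four invariants over them: no internet-facing port outside an allowlist, no outbound rules on egress-free groups, and every group-to-group rule accepted on both sides. The `Rule`/`SecurityGroup` types, the allowlist and the drift scenario are this example's assumptions.

```python
"""Least-privilege check for a security-group topology.

Added example, not part of the original skill. GROUPS is the page's own
three-tier layout re-encoded as constructed sample input; the rule names,
allowlists and the drift scenario are assumptions made for the example.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    port: int
    peer: str  # a security-group name, a CIDR such as 0.0.0.0/0, or "external"


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)


# The page's example topology (constructed sample input).
GROUPS: Dict[str, SecurityGroup] = {
    "load-balancer-sg": SecurityGroup(
        "load-balancer-sg",
        inbound=[Rule(443, "0.0.0.0/0")],
        outbound=[Rule(8080, "application-sg")],
    ),
    "application-sg": SecurityGroup(
        "application-sg",
        inbound=[Rule(8080, "load-balancer-sg")],
        outbound=[Rule(5432, "database-sg"), Rule(443, "external")],
    ),
    "database-sg": SecurityGroup(
        "database-sg",
        inbound=[Rule(5432, "application-sg")],
        outbound=[],
    ),
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# Which groups may accept traffic from the whole internet, and on which ports (assumed policy).
PUBLIC_ALLOWLIST = {"load-balancer-sg": {443}}
# Groups that must never initiate a connection (assumed policy).
NO_EGRESS = {"database-sg"}


def check_groups(groups: Dict[str, SecurityGroup]) -> List[str]:
    """Return a list of findings; an empty list means the topology passes."""
    findings = []
    for sg in groups.values():
        # 1. Only allowlisted group/port pairs may be reachable from the internet.
        for r in sg.inbound:
            if r.peer in PUBLIC_CIDRS and r.port not in PUBLIC_ALLOWLIST.get(sg.name, set()):
                findings.append(f"{sg.name}: port {r.port} open to {r.peer}")
        # 2. Egress-free groups must have no outbound rules at all.
        if sg.name in NO_EGRESS and sg.outbound:
            findings.append(f"{sg.name}: outbound rules present but egress is forbidden")
        # 3. An inbound rule naming another group must be mirrored by that group's outbound rule.
        for r in sg.inbound:
            src = groups.get(r.peer)
            if src is not None and Rule(r.port, sg.name) not in src.outbound:
                findings.append(f"{sg.name}: inbound {r.port} from {r.peer} not mirrored on {r.peer}")
        # 4. And the reverse: an outbound rule to a group must be accepted there.
        for r in sg.outbound:
            dst = groups.get(r.peer)
            if dst is not None and Rule(r.port, sg.name) not in dst.inbound:
                findings.append(f"{sg.name}: outbound {r.port} to {r.peer} not accepted by {r.peer}")
    return findings


def with_drift(groups: Dict[str, SecurityGroup]) -> Dict[str, SecurityGroup]:
    """Constructed misconfiguration: the database is opened to the internet
    and given outbound access "for convenience". Returns a modified copy."""
    drifted = copy.deepcopy(groups)
    drifted["database-sg"].inbound.append(Rule(5432, "0.0.0.0/0"))
    drifted["database-sg"].outbound.append(Rule(443, "external"))
    return drifted


if __name__ == "__main__":
    print("baseline:", check_groups(GROUPS) or "no findings")
    for finding in check_groups(with_drift(GROUPS)):
        print("finding:", finding)
```

Run it as a pre-deploy gate over the exported group definitions: the baseline passes with no findings, and the drifted copy produces two, one for the internet-exposed database port and one for the forbidden egress.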
Best Practices
| Do | Avoid |
|---|---|
| Implement all layers - each provides unique protection | Relying on a single security layer |
| Fail securely - deny access when in doubt | Trusting user input at any layer |
| Log security events for detection/forensics | Exposing detailed error messages |
| Rotate credentials regularly | Storing secrets in code |
| Validate all inputs at every layer | Skipping security in development |
| Encrypt sensitive data at rest and in transit | Assuming internal traffic is safe |
| Use least privilege for all access | Disabling security for "convenience" |
| Test security controls regularly | Ignoring security alerts |
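Three of the practices above (fail securely, validate at every layer, never assume internal traffic is safe) come together in how the layers are chained. The added example below, which is not code from the original skill, runs a request through independent perimeter, application and identity checks where the first denial wins, a check that crashes counts as a denial, and every denial is recorded for the monitoring layer. The `Request` shape, the three layer functions, the thresholds (60 requests per minute, 1 KiB body) and the sample requests are all constructed assumptions.

```python
"""Layered request handling that fails closed.

Added example, not part of the original skill. The Request shape, the three
layer functions, the thresholds and the sample requests are constructed for
illustration and are not taken from any real framework.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    src_ip: str
    path: str
    body: str
    session_user: Optional[str] = None  # None means unauthenticated
    mfa_verified: bool = False
    internal: bool = False  # recorded for logging only; never used to skip a check


RATE_LIMIT_PER_MINUTE = 60              # assumed threshold
_request_counts: Dict[str, int] = {}    # per-source-IP counter (constructed state)
SECURITY_LOG: List[str] = []            # stands in for the monitoring layer


def log_security_event(kind: str, req: Request, detail: str) -> None:
    SECURITY_LOG.append(
        f"{kind} src={req.src_ip} internal={req.internal} path={req.path} {detail}")


def perimeter(req: Request) -> Optional[str]:
    """Layer 1: rate limiting. Returns a denial reason, or None to continue."""
    n = _request_counts.get(req.src_ip, 0) + 1
    _request_counts[req.src_ip] = n
    return "rate limit exceeded" if n > RATE_LIMIT_PER_MINUTE else None


def application(req: Request) -> Optional[str]:
    """Layer 3: validate the request itself, wherever it came from."""
    if len(req.body) > 1024:
        return "body too large"
    if not re.fullmatch(r"/[A-Za-z0-9/_-]*", req.path):
        return "path contains unexpected characters"
    return None


def identity(req: Request) -> Optional[str]:
    """Layer 5: authentication and authorization. Internal origin is not a bypass."""
    if req.session_user is None:
        return "not authenticated"
    if req.path.startswith("/admin") and not req.mfa_verified:
        return "admin path requires MFA"
    return None


Layer = Callable[[Request], Optional[str]]
LAYERS: List[Layer] = [perimeter, application, identity]


def handle(req: Request, layers: List[Layer] = LAYERS) -> Tuple[bool, str]:
    """Run every layer in order; the first denial wins.

    A layer that raises is treated as a denial (fail securely) and the error is
    logged so the monitoring layer sees it, rather than letting the request
    through a broken check."""
    for layer in layers:
        try:
            reason = layer(req)
        except Exception as exc:  # any bug inside a check means deny
            log_security_event("layer-error", req, f"{layer.__name__}: {exc!r}")
            return False, f"internal error in {layer.__name__}"
        if reason is not None:
            log_security_event("deny", req, f"{layer.__name__}: {reason}")
            return False, reason
    return True, "allowed"


if __name__ == "__main__":
    samples = [
        Request("10.0.0.5", "/reports", "q=1", session_user="alice", internal=True),
        Request("10.0.0.5", "/reports", "q=1", internal=True),                # internal but anonymous
        Request("203.0.113.9", "/admin/users", "q=1", session_user="alice"),  # no MFA
        Request("203.0.113.9", "/reports", "x" * 2000, session_user="alice"),  # oversized body
    ]
    for s in samples:
        print(s.src_ip, s.path, "->", handle(s))
    for line in SECURITY_LOG:
        print("log:", line)
```

The design point is the `try`/`except` around each layer: a crashing check returns a denial and a log entry, so an outage in one barrier degrades to "closed" instead of "open", and the anonymous internal request is refused by the identity layer even though it passed the perimeter.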
Related Skills
- applying-owasp-security - OWASP security guidelines
- implementing-oauth - OAuth authentication flows
- implementing-better-auth - Modern auth patterns
- verifying-before-completion - Security verification checklists