Defense in depth

Revision as of 07:19, 25 May 2008 by Cduffey346 (talk | contribs) (Added the rest of the template sections; expanded the description slightly; added a reference.)

Jump to: navigation, search

This is a principle or a set of principles. To view all principles, please see the Principle Category page.

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


The principle of defense in depth calls for a set of layered controls that each present unique obstacles for an attacker. Controls used in defense in depth posture enhance the resilience of an application as the failure of one control will not result in the exploitation of the system as a whole. An application using defense in depth would include controls that fit the “protect, detect, and react” paradigm. This means that the application would not just implement controls that prevent an attack from occurring, but would also be capable of detecting a successful attack and response procedures to support the recovery of the application.

With secure coding, this may take the form of tier-based validation, centralized auditing controls, and requiring users to be logged on all pages.


Vulnerable Administrative Interface

A flawed administrative interface is unlikely to be vulnerable to anonymous attack if it correctly gates access to production management networks, checks for administrative user authorization, and logs all access.

Related Vulnerabilities

Related Controls