Security Principle – Defense in Depth
Security is one of the most important quality factors in the software world. It earns the customer's trust and enables business continuity by ensuring confidentiality, integrity, and availability.
Defense in Depth is one of the core principles of the Microsoft Secure Development Lifecycle (SDL); the term comes from military strategy. As the name suggests, security must be enforced at every tier and layer of an application or product. People sometimes equate security protection with a firewall; but if that firewall is breached and no other protections exist, every application behind it can be compromised.
The following diagram depicts the possible tiers and layers of an application, together with the security techniques that apply at each level.
1. Client Tier
This is the end-user tier, where the application is actually used through a browser, a mobile app, or another client. Some of the security techniques that apply at this tier are:
- Use SSL/client certificates
- Use secure cookies and local storage
- Data encryption, encoding, and hashing
- Input validation, including file-format validation where files are accepted
- Secure sessions
- Anti-forgery tokens
2. Proxy/CDN
This optional tier sits in front of the firewall and application servers and hides them from the outside world. It normally provides additional security protection as well as performance improvement. There are several popular proxy providers on the market (Cloudflare, Nginx, Akamai, etc.), and these services provide the following security protections:
- DDoS protection
- IP security
- Web Application Firewall (WAF)
- SSL
- Crawler agent blocking
- Rate limiting of incoming requests
3. Firewall/Load Balancer
In general, this is the entry point to the organization's network. The load balancer need not be a separate device; nowadays most firewalls support load balancing as well. This tier provides the following security protections:
- DDoS protection
- IP security
- Web Application Firewall (WAF)
- Rate limiting of incoming requests
4. Web Server
This tier has two sub-tiers, the web server and the application, and the following security techniques apply to them:
Web Server:
- Privileges
- Directory browsing disabled
- Web Application Firewall
- Rate limiting
- Crawler agent blocking
- SSL binding
- Input validation
Application:
- Authentication
- Authorization
- Input validation
- Encoding
- Encryption
5. Data Tier
In this tier, we can apply the following security protections:
- Authentication
- Privileges
- Data validation
- Password Hashing
- Encryption
It is not necessary to use every security protection at every level. Depending on your infrastructure and application scenario, enable one or more protections at each level, and never rely on a single tier or layer for security.
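As an added illustration of the principle (example code, not from the original post), the following Python sketch chains one check from each tier described above so that a request is served only when every layer allows it, and lets a tier be dropped to show that the remaining layers still hold. The request dictionary, the user table, and the per-IP request budget are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample data: users with roles (application tier) and a per-IP
# request budget (proxy/firewall tier). Real deployments keep these in
# separate systems; they are combined here only to show the layering.
USERS = {"alice": "admin", "bob": "user"}
RATE_LIMIT = 5
_hits = Counter()

# Each layer returns None when it allows the request, or a label naming the
# tier that rejected it. No layer assumes an earlier layer has already run.
def proxy_rate_limit(req):
    _hits[req["ip"]] += 1
    return "proxy:rate-limit" if _hits[req["ip"]] > RATE_LIMIT else None

def webserver_input_validation(req):
    # Only plain, expected paths reach the application (no traversal, no odd bytes).
    if not re.fullmatch(r"/(?:[a-z]+/)*[a-z]+", req["path"]):
        return "webserver:input-validation"
    return None

def app_authentication(req):
    return None if req.get("user") in USERS else "app:authentication"

def app_authorization(req):
    # Admin paths need the admin role; being authenticated is not enough.
    if req["path"].startswith("/admin") and USERS.get(req.get("user")) != "admin":
        return "app:authorization"
    return None

def data_query(req):
    # Data tier: a parameterised query, never string concatenation of input.
    return ("SELECT * FROM records WHERE owner = ?", (req.get("user"),))

LAYERS = [proxy_rate_limit, webserver_input_validation,
          app_authentication, app_authorization]

def handle(req, layers=LAYERS):
    """Run every layer in order; the first rejection wins, otherwise the
    request reaches the data tier. `layers` can be reduced to simulate a
    tier that is missing or has been bypassed."""
    for layer in layers:
        verdict = layer(req)
        if verdict:
            return ("denied", verdict)
    return ("allowed", data_query(req))
```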