Defense in Depth
If you have ever toured a well‐engineered medieval castle, you have walked through a defense in depth. The ultimate goal is to keep the bad guys out. You have to cross a moat and get through the outer portcullis, and the castle itself is usually in a well‐defended place on a cliff somewhere with high walls and arrow slits in the wall for archers. Individuals who do web development should think about their processes of defense in the same manner.
The personal information and intellectual proprietary information need to be hosted in the most innermost, protected area of the castle so that if attackers get over the moat, they still have not been able to get the keys to the kingdom. There are several mechanisms you can put in place that will protect web applications. Most web applications use the authentication, session management, and access control triad to reduce their attack surface. They have interdependencies, providing overall protection. Any defect in...
