Defense in Depth

Defense in depth is a security strategy that employs multiple layers of defensive controls throughout an IT system. The concept comes from military strategy: rather than relying on a single fortification, defenses are arranged in layers so that an attacker who breaches one layer faces additional barriers.

In web application security, defense in depth includes: network layer controls (firewalls, WAFs, DDoS protection), application layer controls (input validation, output encoding, CSRF tokens), authentication and authorization (MFA, RBAC, session management), data layer controls (encryption, access controls, backup), and monitoring (logging, alerting, incident response).

The value of defense in depth is resilience — no single vulnerability leads to complete compromise. Even if an attacker bypasses your WAF, application-level input validation catches the payload. Even if validation fails, least-privilege database permissions limit the impact.

How APVISO tests for this: APVISO tests each layer of your defense independently and in combination. The AI agents identify where individual controls fail and where the absence of defense-in-depth means a single vulnerability can be exploited to full impact, helping you prioritize layering improvements.