Defense In Depth
Security controls at every layer of the stack — network perimeter, transport, authentication, authorization, input validation, output encoding, and monitoring — so that compromise of any single layer does not result in f…
$ prime install @community/pattern-defense-in-depth
Projection
Always in _index.xml · the agent never has to ask for this.
DefenseInDepth [pattern] v1.0.0
Security controls at every layer of the stack — network perimeter, transport, authentication, authorization, input validation, output encoding, and monitoring — so that compromise of any single layer does not result in full breach.
Loaded when retrieval picks the atom as adjacent / supporting.
DefenseInDepth [pattern] v1.0.0
Security controls at every layer of the stack — network perimeter, transport, authentication, authorization, input validation, output encoding, and monitoring — so that compromise of any single layer does not result in full breach.
Label
Defense in Depth — Multi-Layer Security
Problem
A single control fails silently: one misconfigured firewall rule or one missed input-validation check exposes the entire system, and nothing downstream notices because nothing downstream was checking. Attackers probe every layer; defenders must protect every layer and must be able to see when one of them has been bypassed.
Solution
Apply independent, redundant controls at each architectural tier. No tier trusts the tier above or below it: the handler validates input even though a WAF sits in front of it, and the data layer checks ownership even though the handler already did. Define what each layer is responsible for and verify it independently, ideally by testing it with the layers in front of it disabled. Log failures at every boundary, so that a bypass of one layer shows up as a burst of rejections at the next.
Structure
Layer 1 — Network perimeter
- WAF (Web Application Firewall): block known SQLi / XSS signatures, geo-block if applicable. Signature matching is bypassable, so the WAF is a filter in front of the application's own validation (Layer 5), never a substitute for it
- DDoS mitigation: Cloudflare / AWS Shield
- Ingress rules: allow 80/443 inbound only, with 80 doing nothing but redirect to 443; egress filtered per service so a compromised host cannot call out to arbitrary destinations
- VPC / private subnets: DB and internal services unreachable from the internet and accepting connections only from the application tier
Layer 2 — Transport
- TLS 1.2+ minimum (prefer TLS 1.3); disable TLS 1.0/1.1 and legacy cipher suites outright rather than merely preferring the newer ones
- HSTS: max-age=31536000; includeSubDomains; preload. Preload commits every subdomain to HTTPS for the max-age period, so confirm no subdomain still needs plain HTTP before submitting
- Certificate pinning for mobile clients (high-security apps); ship a backup pin and a rotation plan, otherwise a routine certificate rotation locks out every installed client
Layer 3 — Authentication
- MFA required for all privileged accounts
- Token expiry: access 15 min, refresh 30 days, rotated on every use with reuse detection (a replayed refresh token revokes the whole token family)
- Rate limit login: 5 attempts per 10 minutes per IP+username combo; add a per-username cap as well, since a distributed password spray presents a fresh IP for every attempt
- Credential breach check (HaveIBeenPwned Pwned Passwords range API on registration/login: send only the first 5 hex characters of the SHA-1 and compare the remaining 35 locally, so the password itself never leaves the server)
Layer 4 — Authorization
- RBAC with least-privilege principle: default deny, so an action or role missing from the policy table is refused rather than allowed
- Check ownership on every resource access: user.id === resource.ownerId, enforced in the data-access path (ownerId in the query, not only in the handler) so a forgotten check in one endpoint does not become an IDOR; compare normalised IDs, since strict equality between a string from the URL and a number from the DB denies rather than matches
- Separate read/write/admin scopes on API tokens, checked independently of the user's role
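The three Layer 4 rules combined into one decision function, as an added example that is not from the pattern card or the prime project. The action names, roles, scope ranking and the `principal` / `resource` shapes are assumptions made for the illustration; the point it shows is that scope, role and ownership are checked independently and that anything unlisted is denied.

```javascript
// Added example, not part of the pattern card: one authorize() that applies
// the Layer 4 rules in order (default deny, token scope, role, ownership).
// Action names, roles and the principal/resource shapes are illustrative.

// Minimum token scope each action needs; an action missing here is denied.
const SCOPE_FOR_ACTION = { read: 'read', update: 'write', delete: 'write', purge: 'admin' };
// Scopes nest: admin implies write implies read.
const SCOPE_RANK = { read: 1, write: 2, admin: 3 };
// Actions each role may perform; unlisted combinations are denied.
const ROLE_ACTIONS = {
  viewer: new Set(['read']),
  editor: new Set(['read', 'update', 'delete']),
  admin:  new Set(['read', 'update', 'delete', 'purge']),
};

// principal: { id, role, tokenScope }   resource: { id, ownerId }
// Returns { allowed, reason } so every denial can be logged with its cause.
function authorize(principal, action, resource) {
  const needed = SCOPE_FOR_ACTION[action];
  if (!needed) return { allowed: false, reason: 'unknown_action' };
  if ((SCOPE_RANK[principal.tokenScope] || 0) < SCOPE_RANK[needed]) {
    return { allowed: false, reason: 'insufficient_scope' };
  }
  const permitted = ROLE_ACTIONS[principal.role];
  if (!permitted || !permitted.has(action)) return { allowed: false, reason: 'role_denied' };
  // Ownership is checked independently of role and scope; only admins cross it.
  // Strict equality means a type mismatch ("7" from a URL vs 7 from the DB)
  // denies rather than accidentally matches, so normalise IDs before calling.
  if (principal.role !== 'admin' && principal.id !== resource.ownerId) {
    return { allowed: false, reason: 'not_owner' };
  }
  return { allowed: true, reason: 'ok' };
}

// Wraps a handler so the check cannot be forgotten; denials surface as 403.
function guarded(action, handler) {
  return (principal, resource) => {
    const decision = authorize(principal, action, resource);
    if (!decision.allowed) return { status: 403, reason: decision.reason };
    return { status: 200, body: handler(principal, resource) };
  };
}
```

A viewer holding an admin-scoped token is still refused `delete`, and an editor with a write-scoped token is refused `update` on someone else's resource: each rule can deny on its own, which is what makes the layer redundant rather than a single gate. The `reason` field is what Layer 8 logs for every 403.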
Layer 5 — Input validation
- Allow-list validation on every user-controlled field (see pattern-input-validation-allowlist)
- Parameterized queries / ORM for all DB access (see anti-pattern-sql-string-concat)
- File upload: extension allow-list + magic bytes + virus scan, with the client-supplied Content-Type treated as a claim to be checked against the sniffed type rather than as the truth; store under a server-generated name outside the web root and serve uploads from a separate origin with X-Content-Type-Options: nosniff
Layer 6 — Output encoding
- HTML-encode all user content before rendering in HTML contexts; attribute, JavaScript, URL and CSS contexts each need their own encoder, since HTML entity encoding does not protect a value inside a script block or a URL
- CSP header (see pattern-csp-strict) as second-line XSS defense, for the case where an encoder was missed
- JSON-encode all API responses, send Content-Type: application/json with X-Content-Type-Options: nosniff, and never interpolate user data into response templates
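Encoders for the two contexts the bullets name, HTML text and JSON, as an added example that is not from the pattern card or the prime project. It shows the gap the bullets imply: `JSON.stringify` leaves `<` and `>` alone, so JSON dropped straight into a `<script>` block can be broken out of with `</script>`. The template and the hostile profile are constructed for the demo.

```javascript
// Added example, not part of the pattern card: Layer 6 encoders for HTML text
// nodes and for JSON embedded in a page or API response. JSON.stringify()
// leaves "<" and ">" untouched, so JSON inside a <script> block can be escaped
// with "</script>"; jsonForScript() closes that. HOSTILE_USER is CONSTRUCTED.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// For text nodes and quoted attribute values. Other contexts (URL, CSS,
// unquoted attributes, JavaScript strings) need their own encoders.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// JSON that is safe inside <script>...</script> and in application/json bodies.
// The \u escapes are valid JSON, so JSON.parse() recovers the original value.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server-side template: name goes into a text node, the object into a script.
function renderProfile(user) {
  return `<h1>${encodeForHtml(user.name)}</h1>\n` +
         `<script>window.__USER__ = ${jsonForScript({ name: user.name, id: user.id })};</script>`;
}

// Count occurrences of a substring (used to check a rendering for breakout).
function countOf(haystack, needle) {
  return haystack.split(needle).length - 1;
}

// CONSTRUCTED hostile profile: the name tries to close the script block.
const HOSTILE_USER = { id: 42, name: '</script><script>alert(document.cookie)</script>' };
```

Both encoders are context-specific: `encodeForHtml` would not make the value safe inside the script block, and `jsonForScript` would not make it safe inside the `<h1>`. The CSP header from the next bullet is what catches the case where one of them is missed.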
Layer 7 — Secrets management
- No secrets in source code or environment files committed to git; run a secret scanner in CI so a slip is caught before merge
- Vault / AWS Secrets Manager / GCP Secret Manager with short TTL, fetched at runtime by the workload's own identity rather than by a long-lived bootstrap credential checked into config
- Rotate secrets on a schedule and immediately on suspected compromise; a rotation that has never been exercised is the one that fails during an incident
Layer 8 — Monitoring & response
- Structured security logs: auth failures, 403s, validation rejections, each carrying source IP, account and the rejecting layer, so a burst at one layer can be traced to what slipped through the layer before it
- Alerting: >10 auth failures per minute → PagerDuty; also alert on one source failing against many distinct accounts, which a per-minute total alone can miss
- SIEM correlation: detect lateral movement patterns
- Incident response runbook maintained and tested quarterly
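The alerting rule from the Layer 8 bullets run over structured log lines, as an added example that is not from the pattern card or the prime project. The log records are constructed JSON with an assumed shape `{ ts, event, user, src_ip }`; the per-minute threshold is the card's, and the password-spray rule (one source, many accounts) is an extra rule added here as an assumption.

```javascript
// Added example, not part of the pattern card: detection logic run over
// structured security logs. The log lines are CONSTRUCTED JSON records with an
// assumed shape { ts, event, user, src_ip }. The ">10 auth failures per minute"
// rule is the card's; the password-spray rule is an added assumption.

// Build one constructed log line.
function logLine(ts, event, user, src_ip) {
  return JSON.stringify({ ts, event, user, src_ip });
}

// 12 failures against 12 different accounts from one IP inside minute 10:00,
// then ordinary traffic.
const SAMPLE_LOGS = [
  ...Array.from({ length: 12 }, (_, i) =>
    logLine(`2024-01-15T10:00:${String(i * 4).padStart(2, '0')}Z`, 'auth_failure', `user${i}`, '203.0.113.5')),
  logLine('2024-01-15T10:01:05Z', 'auth_failure', 'alice', '198.51.100.7'),
  logLine('2024-01-15T10:01:20Z', 'auth_success', 'alice', '198.51.100.7'),
  logLine('2024-01-15T10:02:00Z', 'forbidden',    'bob',   '198.51.100.9'),
];

function parseLogs(lines) {
  return lines.map(line => JSON.parse(line));
}

// Rule 1: more than `threshold` auth failures in any one clock minute.
function authFailureRateAlerts(events, threshold = 10) {
  const perMinute = new Map();
  for (const e of events) {
    if (e.event !== 'auth_failure') continue;
    const minute = e.ts.slice(0, 16); // "YYYY-MM-DDTHH:MM"
    perMinute.set(minute, (perMinute.get(minute) || 0) + 1);
  }
  return [...perMinute]
    .filter(([, n]) => n > threshold)
    .map(([minute, n]) => ({ rule: 'auth_failure_rate', minute, count: n }));
}

// Rule 2: one source IP failing against many distinct accounts (spray).
function passwordSprayAlerts(events, minAccounts = 5) {
  const accountsBySrc = new Map();
  for (const e of events) {
    if (e.event !== 'auth_failure') continue;
    if (!accountsBySrc.has(e.src_ip)) accountsBySrc.set(e.src_ip, new Set());
    accountsBySrc.get(e.src_ip).add(e.user);
  }
  return [...accountsBySrc]
    .filter(([, users]) => users.size >= minAccounts)
    .map(([src_ip, users]) => ({ rule: 'password_spray', src_ip, accounts: users.size }));
}

// Run every rule; the returned list is what would be routed to the pager.
function runDetections(lines) {
  const events = parseLogs(lines);
  return [...authFailureRateAlerts(events), ...passwordSprayAlerts(events)];
}
```

The two rules fire on the same constructed burst but fail independently: spread the same 12 failures over 13 minutes and the rate rule goes quiet while the spray rule still fires, which is the reason for running more than one detection over the same log stream.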
Loaded when retrieval picks the atom as a focal / direct hit (the same card as the adjacent / supporting view above).
Source
prime-system/examples/frontend-design/primes/compiled/@community/pattern-defense-in-depth/atom.yaml