Defense-in-depth, a concept most people agree with, means placing multiple layers of security between attackers and the crown jewels. The idea is that should any one layer fail, which inevitably happens, you’re still protected. Nice. In network security there are firewalls, vulnerability assessment, IDS/IPS, patch and configuration management, training, encryption, anti-virus, etc., each mitigating some risk. As good as they are, we know these traditional solutions aren’t perfect and don’t help much in webappsec. We need to develop a new set of layers. The problem is we haven’t figured out or agreed upon which layers the modern webappsec infrastructure is supposed to have.
It’s really important that we do or at least start the dialog about what’s working and what’s not.
Here’s what we know. Security inside the SDLC eliminates flawed code, but not all of it. Vulnerability assessments identify vulnerabilities, and miss some. WAFs and IDSs spot and block attacks, but some will pass through. We can train ourselves to be experts in some things, but not everything. Patching and configuration management protect against the known, not the unknown. Encryption protects data from prying eyes, but not all the time. Sure, these solutions are not perfect; nothing is. That’s the point of implementing defense-in-depth: maximize the strength of the available solutions and mitigate their weaknesses to protect the organization’s assets.
Let me put this question out there… if you could implement 3 action items to protect a website, above and beyond the normal network security stuff, what would they be?