Defense in depth
Defense in depth is the security principle of layering multiple independent controls so that a failure in any one doesn't expose the system — input validation plus parameterised queries plus least-privilege database access plus output encoding plus a WAF. Each layer catches what others miss; no single layer is the only line of defence.
The pattern is borrowed from military doctrine and is the basis of every serious security architecture. The discipline: assume each layer will fail eventually, and design so that any single failure doesn't compromise the system. The trap is the inverse: layers that share an assumption (four layers that all reject the same character set, and none of them rejects the fifth) provide no incremental protection. Healthy defence-in-depth has heterogeneous controls — different vendors, different layers, different validation approaches — so an attacker's bypass of one isn't likely to bypass the others.
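The two paragraphs above can be made concrete in code. The following is an added example, not part of the glossary entry: it runs one web request through four of the layers named above (allow-list validation, a parameterised query, a read-only database connection, and output encoding) so that each layer can be exercised on its own, and then measures whether a stack of filters actually adds coverage or merely repeats the same assumption. The `users` table, the sample inputs, and the use of SQLite's `PRAGMA query_only` as a stand-in for a least-privilege database account are all assumptions made for the example.

```python
"""Added example (not from the glossary entry): independent defensive layers.

Assumptions: an in-memory SQLite database with a `users` table and a handler
that looks a user up by name and greets them in HTML. SQLite has no roles, so
`PRAGMA query_only` stands in for a least-privilege database account.
"""
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


# Layer 1: allow-list input validation (what a username may look like).
def validate_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


# Layer 2: parameterised query. The value is bound, never spliced into the
# SQL text, so it stays inert even if layer 1 was skipped or bypassed.
def find_user(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


# Layer 3: least privilege. The handler's connection is only allowed to read.
def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    conn.execute("PRAGMA query_only = 1")


def attempt_write(conn: sqlite3.Connection) -> str:
    """Returns 'blocked' if the read-only layer stops a write, 'written' otherwise."""
    try:
        conn.execute("INSERT INTO users (name) VALUES ('mallory')")
        conn.commit()
        return "written"
    except sqlite3.DatabaseError:
        conn.rollback()
        return "blocked"


# Layer 4: output encoding. Whatever came back from the database is escaped
# before it is placed into HTML.
def render_greeting(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def handle_request(conn: sqlite3.Connection, raw: str):
    """Runs one request through all layers; returns (status, html_or_None)."""
    if not validate_username(raw):
        return "rejected_by_validation", None
    found = find_user(conn, raw)
    if found is None:
        return "not_found", None
    return "ok", render_greeting(found)


def incremental_coverage(layers, samples):
    """Per layer: how many samples it rejects that no earlier layer already rejected.

    A layer whose gain is zero shares its assumptions with the layers before it
    and adds no defence in depth, whatever vendor or tier it sits in.
    """
    caught = set()
    gains = []
    for layer in layers:
        new = {s for s in samples if layer(s) and s not in caught}
        gains.append(len(new))
        caught |= new
    return gains


# Constructed sample inputs used to compare the two layer sets below.
SAMPLES = ["alice", "bob'--", "<b>x</b>", "robert\x00", "a" * 40]

# Two filters (say, a WAF rule and an in-app filter) that both only look for a
# single quote: written differently, same assumption, so the second adds nothing.
HOMOGENEOUS = [lambda s: "'" in s, lambda s: s.count("'") > 0]

# A quote check, a length cap and an allow-list: each rejects something the
# earlier layers let through.
HETEROGENEOUS = [
    lambda s: "'" in s,
    lambda s: len(s) > 32,
    lambda s: not validate_username(s),
]


if __name__ == "__main__":
    db = make_db()
    restrict_to_read_only(db)
    print(handle_request(db, "bob'--"))        # rejected at layer 1
    print(find_user(db, "' OR 1=1 --"))       # layer 2 alone: no row matches
    print(attempt_write(db))                  # layer 3 alone: blocked
    print(render_greeting("<script>"))        # layer 4 alone: escaped
    print(incremental_coverage(HOMOGENEOUS, SAMPLES), incremental_coverage(HETEROGENEOUS, SAMPLES))
```

Each layer is called directly in the `__main__` section so its behaviour can be seen without the layer in front of it, which is the property the principle depends on. `incremental_coverage` is the check to run on a real stack: if a layer's gain over the sample set is zero, it is a duplicate of an earlier one rather than an independent control.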
Related terms
- Zero trust architecture
Zero trust is the security model that assumes no implicit trust based on network location — every request, internal or external, must be authenticated, authorised, and continuously verified.
- Principle of least privilege
The principle of least privilege is the security rule that every user, process, and system should have only the minimum permissions needed to do its job — no extra access 'just in case'.
- OWASP Top 10
The OWASP Top 10 is a community-curated list of the most critical web application security risks, published every 3-4 years by the Open Web Application Security Project.