Juicy Shop
Defense in Depth & the Secure SDLC
No single control is perfect. Learn to layer defences, bake security into the development lifecycle, and use platform features — CSP, headers, dependency scanning, logging — so that one failure does not become a breach.
Why layer controls
Defense in depth assumes any one control can fail or be bypassed. Instead of relying solely on input validation, you stack independent controls so an attacker must defeat all of them. If output encoding is missed somewhere, a Content-Security-Policy can still block the script; if an authorisation check is forgotten, a least-privilege database account limits the damage.
Security headers and CSP
Modern browsers enforce policies you declare via HTTP headers. Content-Security-Policy restricts where scripts, styles, and connections may come from and can forbid inline scripts — a strong second line against XSS. Strict-Transport-Security forces HTTPS, X-Content-Type-Options stops MIME sniffing, and cookies should be httpOnly, Secure, and SameSite to resist theft and CSRF.
Shift security left in the SDLC
The cheapest bug to fix is the one caught early. Threat-model new features during design (OWASP A04 is about insecure design, not just insecure code). Add static analysis (SAST) and linters to CI, scan dependencies for known CVEs, run secret scanning, and write security regression tests — like the find-it/fix-it exercises here — so fixed bugs stay fixed.
Assume breach: monitor and respond
Log security-relevant events (authentication, authorisation failures, input validation rejections) without logging secrets, and alert on anomalies. Have an incident response plan. The goal is not just prevention but fast detection and recovery, because a determined attacker will eventually find a gap.
Key takeaways
- Layer independent controls so one failure is not a breach.
- Use platform defences: CSP, HSTS, secure cookie flags, security headers.
- Shift left — threat model, scan dependencies, and add security tests to CI.
- Assume breach: log, monitor, and rehearse incident response.