home / skills / doanchienthangdev / omgkit / defense-in-depth

defense-in-depth skill

safe

/plugin/skills/methodology/defense-in-depth

This skill helps you design layered security architectures across perimeter, network, application, data, and identity to reduce risk and prevent single points

npx playbooks add skill doanchienthangdev/omgkit --skill defense-in-depth

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.7 KB

---
name: implementing-defense-in-depth
description: AI agent designs layered security architecture with multiple independent protective barriers ensuring no single point of failure. Use when building security systems, reviewing architecture, or hardening applications.
---

# Implementing Defense in Depth

## Quick Start

1. **Perimeter** - WAF, DDoS protection, rate limiting, IP filtering
2. **Network** - VPC, security groups, mTLS, network policies
3. **Application** - Input validation, output encoding, CSRF, CSP
4. **Data** - Encryption at rest/transit, access control, classification
5. **Identity** - MFA, least privilege, session management
6. **Monitoring** - Logging, alerting, anomaly detection across all layers

## Features

| Feature | Description | Guide |
|---------|-------------|-------|
| Layered Protection | 5+ independent security barriers | Each layer catches what others miss |
| Perimeter Security | First line of defense | WAF rules, rate limits, DDoS protection |
| Network Isolation | Segment and protect internal comms | VPC subnets, security groups, mTLS |
| Application Security | Secure code and request handling | Validate input, encode output, CSP headers |
| Data Protection | Protect data at rest and in transit | AES-256-GCM, field-level encryption |
| Identity Security | Authentication and authorization | MFA, RBAC, secure sessions |

## Common Patterns

```
# Security Layers Architecture
+--------------------------------------------------+
| LAYER 1: PERIMETER                               |
| WAF | DDoS | Rate Limiting | IP Filtering        |
+--------------------------------------------------+
    |
    v
+--------------------------------------------------+
| LAYER 2: NETWORK                                 |
| VPC | Security Groups | TLS Everywhere           |
+--------------------------------------------------+
    |
    v
+--------------------------------------------------+
| LAYER 3: APPLICATION                             |
| Input Validation | Output Encoding | CSRF | CSP  |
+--------------------------------------------------+
    |
    v
+--------------------------------------------------+
| LAYER 4: DATA                                    |
| Encryption at Rest | Encryption in Transit       |
+--------------------------------------------------+
    |
    v
+--------------------------------------------------+
| LAYER 5: IDENTITY                                |
| MFA | Least Privilege | Session Management       |
+--------------------------------------------------+

CROSS-CUTTING: Logging | Alerting | Anomaly Detection
```

```
# Network Security Groups (Example)
loadBalancer:
  inbound:  [443 from 0.0.0.0/0]
  outbound: [8080 to application-sg]

application:
  inbound:  [8080 from load-balancer-sg]
  outbound: [5432 to database-sg, 443 to external]

database:
  inbound:  [5432 from application-sg]
  outbound: [] # No outbound
```

## Best Practices

| Do | Avoid |
|----|-------|
| Implement all layers - each provides unique protection | Relying on a single security layer |
| Fail securely - deny access when in doubt | Trusting user input at any layer |
| Log security events for detection/forensics | Exposing detailed error messages |
| Rotate credentials regularly | Storing secrets in code |
| Validate all inputs at every layer | Skipping security in development |
| Encrypt sensitive data at rest and in transit | Assuming internal traffic is safe |
| Use least privilege for all access | Disabling security for "convenience" |
| Test security controls regularly | Ignoring security alerts |

## Related Skills

- `applying-owasp-security` - OWASP security guidelines
- `implementing-oauth` - OAuth authentication flows
- `implementing-better-auth` - Modern auth patterns
- `verifying-before-completion` - Security verification checklists

Overview

This skill designs a defense-in-depth security architecture that layers independent protective controls so no single failure compromises the system. It focuses on perimeter, network, application, data, identity, and monitoring layers to create redundant, complementary defenses. Use it to build, review, or harden systems with practical, actionable controls and patterns.

How this skill works

The skill inspects each security layer and recommends concrete controls: WAF and DDoS protections at the perimeter; VPC segmentation, security groups, and mTLS for network isolation; input validation, output encoding, CSP and CSRF mitigations for applications; strong encryption and access controls for data; and MFA, least-privilege, and secure session management for identity. It also enforces cross-cutting observability with logging, alerting, and anomaly detection so gaps are detected and investigated quickly.

When to use it

Designing a new cloud-native application architecture and security baseline
Conducting an architecture review or threat modeling session
Hardening an existing service after a security incident or audit
Implementing regulatory or compliance controls around data protection
Operationalizing monitoring and response across multiple layers

Best practices

Implement all layers — each layer catches different failure modes
Fail securely: default-deny for services and fail closed for controls
Enforce least privilege for identities and rotate credentials regularly
Validate inputs and encode outputs at the application layer consistently
Encrypt sensitive data at rest and in transit, use field-level encryption where needed
Centralize logs and alerts and tune anomaly detection to reduce noise

Example use cases

Create a layered design for a public web API: WAF + rate limits, private subnets, app validation, DB encryption, and MFA for admin consoles
Review network security groups and propose segmentation rules to eliminate east-west exposure
Harden a legacy application by adding perimeter rate limiting, input validation, and strict CSP headers
Design data protection for sensitive fields using AES-256-GCM and access controls tied to RBAC
Set up cross-layer monitoring: aggregate logs, define alerts for abnormal traffic, and deploy behavior-based detection

FAQ

How do layers interact during an incident?

Layers provide overlapping protections so if one control fails others can detect or block the attack; logs from multiple layers help reconstruct the event and guide response.

Can I skip layers for smaller projects?

No single layer is sufficient; scale controls to project size but maintain at least minimal protections across perimeter, network, application, data, identity, and monitoring.