warning icon QCon New York 2020 has been canceled. See our current virtual and in-person events.
You are viewing content from a past/completed QCon -

Presentation: Defense in Depth: In Depth

Track: Real World Security

Location: Majestic Complex, 6th fl.

Duration: 1:40pm - 2:30pm

Day of week: Friday

Slides: Download Slides

Level: Intermediate

Persona: Architect, Developer, Security Professional

This presentation is now available to view on InfoQ.com

Watch video

What You’ll Learn

  • Hear a holistic approach to thinking about the security posture of a system that stresses technology, people, and processes.

  • Learn patterns and anti-patterns of apply defense in depth to a software system.

  • Understand different ways of thinking about the defense of your system.


Hindsight is often 20/20 for security vulnerabilities, and it is too easy to point fingers and cast blame when a security incident occurs. However, working to prevent a security compromise can feel like an unparalleled challenge, where no amount of planning can cover or foresee every point of failure that could lead to a devastating compromise.

While preventing security vulnerabilities can seem like a daunting task, practicing defense in depth is a useful place to start with. As attacks often leverage a chain of compromises, it can be nearly impossible to test for every failure case. Instead, developers, teams, and organizations can layer security techniques and practices to achieve an outcome where a single (or even multiple) vulnerabilities still limit what an attacker can ultimately achieve.

In this talk, we'll look at what defense in depth means from a variety of roles and perspectives- from developers practicing defensive coding to minimize common code vulnerabilities, to architects designing secure systems beyond just the perimeter, to building secure products for users who can't remember a 50-character password. We'll see how defense in depth can help organizations prevent unforeseen attacks and limit damage when compromises do occur.


What will this talk cover?


We'll essentially be looking at the different layers at which security can be compromised. So those layers are ranging from the codebase to architecture to the product. Basically, I'll be looking at where holes happen in between those layers.

The talk is segmented it into the different areas where you might try to apply security. The point of the talk isn't to try to say how to do security, it's more to point out this is where a defense in depth mindset applies at these different layers and anti-patterns that I've seen and patterns that that could be applied.

What I've learned about security is there's no one way to do it, but there's a lot of ways to get it wrong. So it's really just trying to get people in the mindset of taking a holistic approach to security. The whole overall message is you need to be thinking about security at these different points. Even if you get something wrong, by using this thorough approach you’ll be in much better shape from a security standpoint.


When you talk about layers, I normally think of things like frontend, middle (or service tier) and data tier. Can you elaborate on what you mean by layers?


The current layers I plan to discuss are code, architecture, product, and team. These are the different ways that I tend to think about security. You could think about security in terms of the architecture, but the point I’m trying to get across is that (when you’re doing security) if you’re just thinking about just the technical architecture, you’re missing things. There’s always like a patchwork of security requirements and things get missed when they're applied from a specific lens. I think the layers lets you look at things holistically.


Can you give me an example of a pattern or anti-pattern you might discuss?


One pattern that I look at the product level is when you’re collecting data, don’t collect all of the data. Basically, looking at defense in depth as a way of minimizing risk. As an architect, you might be thinking of Defense in Depth as egress and ingress controls. Where your product might be collecting all of the data and that’s a huge risk anyway.

Another anti-pattern is at the team level. It’s where you have a rockstar or someone who is writing all the code and no one else on the team understands what’s being put into the code base. In that antipattern, you don’t have other people on the team really understanding what’s going into the product. Again, that’s a risk.

These two examples are really interesting because if you're a security professional you might be paying attention to one of those problems, but you might not be paying attention to them both. You wouldn’t necessarily think about it being a security problem, yet both introduce a security risk.


We talk about security from an offensive and defensive angle. Is this talk a defensive talk?


Yes, this talk is a defensive talk. So if you’re someone who is building a product, this talk is talking about what are some of the proactive decisions you should be making rather than post-compromise actions to recover from an attack.


What do you feel is the most important trend in software today?


In addition to my current work at HashiCorp, I’m also a core Tor developer. So I think it’s interesting to see some of the things that have led to the massive data breaches as lessons we can learn from the privacy movement.

If you think of a lot of the data breaches that have a happened, much of the harm came from data that wasn’t necessary to collect. Companies have things like data lakes that are really scary because you put all your valuable assets in one place. I think an important trend that we can learn from is to think about some things that have made privacy protecting tech successfully. Things like making sure you are not collecting data that is risky or something that (if attacked and collected) would harm the user overall.

I think GDPR is a great step in that direction. I think we’re going to see more enterprises, for example, paying attention to things like end-to-end encryption.

Speaker: Chelsea Komlo

Software Engineer @HashiCorp

Chelsea Komlo is a software/security engineer with a focus on distributed systems, open source software, and applied cryptography. She has worked across a variety of open source projects, and is a core Tor developer. Chelsea has lead cross-functional and cross-regional security initiatives and held trainings in both English and Spanish on operational security and privacy issues. Chelsea currently works at HashiCorp and is part of a team developing an open-source distributed scheduler.

Find Chelsea Komlo at