Defense in Depth a.k.a the Castle Approach

Imagine you are back in middle school and your new science homework is The Egg Drop Project. For those of you not familiar with it, here is a brief description: your task is to design a protective structure for an egg. Once you finished, the egg will be placed in the shuttle you created and dropped from a certain height. The egg must survive the fall without harm! Here is a hint: defense in depth.

You rush home and immediately get to work and try a few ideas. Your next few meals are scrambled eggs, boiled eggs, fried eggs, ham and …. you guessed it …EGGS! Then you take a step back and consider defense in depth. Let’s see what that is all about!

Defense in depth is essentially deploying various safeguards to make sure you are covered when one fails. Keep in mind that it is not a question of whether it fails. It will fail, it is only a question of when will it do so.

Back in the age of knights and kings, castles were built using this concept. A well-designed castle had high walls, watchtowers, a portcullis, moat and a drawbridge. If all this wasn’t enough, it also had patrolling soldiers on the walls and the fort itself was compartmentalized. Any one of the defense mechanism provided some security by itself but their clever combination made the castle the safest place to stay during warfare. Take a minute to think about how the safeguards enhance each other and how they still protect the court if one fails. This is where the phrase “castle approach” originates.

Defense in depth is one of the most fundamental concepts in the field of security. It is applied everywhere, from your physical home to your digital life. Let’s take a look!

Defense in depth in real life

A modern home has quite a few features to protect the assets and people inside. Let’s say you want to break in. Here is what you need to go through.

The first line of defense is probably some fence. Even if it is small it acts as a deterrent control. You will think twice before crossing it.

If you get through the fence, the next safeguard is a dog. Fluffy, the Bullmastiff, has a pretty good chance of stopping you. Therefore, being preventive and he also acts as a strong deterrent.

Once you get past Fluffy, your next challenge is to trick the surveillance system: infrared cameras, motion detectors, and lights. Easy so far!

The next step is opening the front door. All you got to do is pick multiple locks and you are in. Finally!

The only thing left is disabling the alarm system which triggered when you opened the front door. Once you are through with that, nothing stands between you and the gold, right?

Not quite, you soon discover the valuables are in a hidden safe, which requires multi-factor authentication, including a biometric sensor.

Sh*t, really? — Yeah really, that’s defense in depth done correctly!

Any one of these controls has a success rate of its own. The success rate is defined as the percent of burglaries stopped. Most homes do not deploy all of these and they do not need to. However when many safeguards are deployed they enhance each other and make the whole system more robust and a lot safer.

As I said, defense in depth is in your digital life as well. Think multi-factor authentication or a separate passcode for an app on your phone. There are countless examples if you look for it, it is simply essential for security.


As a software craftsman, you must master the castle approach as it will not only guide your security practices but will greatly help you in other areas as well.

Remember, no one defense is perfect you must effectively combine them to achieve the desirable state of security!