Ref: Wikipedia - Defence in depth
Likewise, in information security or Information Assurance, defence in depth represents the use of multiple computer security techniques to help mitigate the risk of one component of the defence being compromised or circumvented. An example could be anti-virus software installed on individual workstations when there is already virus protection on the firewalls and servers within the same environment. Different security products from multiple vendors may be deployed to defend different potential vectors within the network, helping prevent a shortfall in any one defence leading to a wider failure; also
DotNetNuke practices a defence in depth process to ensure that common internet security issues are mitigated. Examples of this include:
- ViewStateUserKey - DotNetNuke applies this setting to help you prevent attacks on your application from malicious users. It does this by letting you assign a per-user identifier to the view-state variable, so that one user cannot reuse the variable to generate an attack against another. Further details can be read here
- viewStateEncryptionMode - this value is set to Always by DotNetNuke. While this adds a small overhead to each page request, it means that users cannot decode the viewstate and inspect its contents (many modules use viewstate to store temporary copies of sensitive information). This value, together with enableViewStateMac being set to true, also means that viewstate entries cannot be tampered with or spoofed.
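The three viewstate protections listed above, applied together in an ASP.NET Web Forms code-behind. This is an added example, not DotNetNuke's own code; the page class name, the use of the session id / user name as the per-user key, and the ViewState key "AccountNumber" are assumptions made for the illustration. The same two encryption/MAC settings can be set site-wide in web.config, which is how the text describes DotNetNuke applying them.

```csharp
// Added example (not DotNetNuke's own code): an ASP.NET Web Forms page that applies
// ViewStateUserKey, viewStateEncryptionMode="Always" and enableViewStateMac="true"
// from code. The web.config equivalent of the last two is:
//   <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
// The class name and the ViewState key "AccountNumber" are assumptions.
using System;
using System.Web.UI;

public partial class SecureViewStatePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey is mixed into the viewstate MAC, so a viewstate blob
        // captured from one user fails validation when posted back by another.
        // It must be assigned during Init, before viewstate is loaded, or ASP.NET
        // throws an HttpException. Caveat: an empty, unauthenticated session gets a
        // new SessionID on every request, so prefer the authenticated user name
        // and fall back to the session id only for logged-in-less pages that store
        // something in Session.
        ViewStateUserKey = User.Identity.IsAuthenticated
            ? User.Identity.Name
            : Session.SessionID;

        // Encrypt the serialized viewstate so the client cannot base64-decode the
        // __VIEWSTATE field and read values a module parked there between postbacks.
        ViewStateEncryptionMode = ViewStateEncryptionMode.Always;

        // Append a MAC so a modified viewstate is rejected before deserialization.
        // (From .NET 4.5.2 onward the MAC can no longer be disabled at all.)
        EnableViewStateMac = true;

        base.OnInit(e);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // The pattern the text refers to: a sensitive value kept in viewstate
            // across postbacks. Encryption keeps it unreadable in the HTML form;
            // the MAC plus the user key keep it from being altered or replayed.
            ViewState["AccountNumber"] = "constructed-sample-value";
        }
        else
        {
            string account = (string)ViewState["AccountNumber"];
            // ... use account for the postback action ...
        }
    }
}
```

A quick check for the encryption setting: with viewStateEncryptionMode="Always" the rendered page also carries a `__VIEWSTATEENCRYPTED` hidden field, and base64-decoding `__VIEWSTATE` no longer yields readable strings; without it, values such as the sample above are visible in the decoded field.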
Secure user and password management
Security - reducing attack surface
- DotNetNuke itself and all the core modules exclusively use stored procedures, which means that SQL Injection is not an issue. Note: the core Reports module does allow for dynamic SQL, so care should be taken with it; other third-party grid/reports modules may also use dynamic SQL and should be carefully evaluated.
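To make the distinction in the note concrete, here is an added example (not DotNetNuke's or any module's own code) contrasting the dynamic SQL pattern a module should be evaluated for with the stored-procedure pattern the core uses, plus the parameterised form dynamic SQL should take when it is genuinely needed. The procedure name dbo.GetReportRows, its @PortalId/@Title parameters, the ReportRows table, and the SiteSqlServer connection string name are assumptions.

```csharp
// Added example (not DotNetNuke's own code). Assumed names: dbo.GetReportRows,
// @PortalId/@Title, table ReportRows, connection string "SiteSqlServer".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class ReportData
{
    // Pattern to look for when evaluating a reports/grid module: the user-supplied
    // filter is spliced into the statement text, so it can change the statement's
    // structure instead of acting only as a value. This is the defect the note
    // warns about.
    public static DataTable SearchUnsafe(int portalId, string titleFilter)
    {
        string sql = "SELECT * FROM ReportRows WHERE PortalId = " + portalId +
                     " AND Title LIKE '%" + titleFilter + "%'";
        return Run(new SqlCommand(sql));
    }

    // The core pattern: call a stored procedure and bind every input as a typed
    // parameter. The procedure's statement is fixed in the database; parameter
    // values are never parsed as SQL.
    public static DataTable SearchViaProcedure(int portalId, string titleFilter)
    {
        var cmd = new SqlCommand("dbo.GetReportRows") { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@PortalId", SqlDbType.Int).Value = portalId;
        cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = titleFilter;
        return Run(cmd);
    }

    // When a module really needs dynamic SQL (here: an optional filter clause),
    // only the fixed SQL text varies; values still travel as parameters.
    public static DataTable SearchDynamicParameterised(int portalId, string titleFilter)
    {
        var cmd = new SqlCommand();
        string sql = "SELECT * FROM ReportRows WHERE PortalId = @PortalId";
        cmd.Parameters.Add("@PortalId", SqlDbType.Int).Value = portalId;
        if (!string.IsNullOrEmpty(titleFilter))
        {
            sql += " AND Title LIKE @Title";
            cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = "%" + titleFilter + "%";
        }
        cmd.CommandText = sql;
        return Run(cmd);
    }

    // Shared execution helper: opens the connection, runs the command, and loads
    // the result set into a DataTable.
    private static DataTable Run(SqlCommand cmd)
    {
        string cs = ConfigurationManager.ConnectionStrings["SiteSqlServer"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        {
            cmd.Connection = conn;
            conn.Open();
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

When reviewing a third-party module, search its data layer for CommandType.Text commands built by string concatenation (or for T-SQL that builds statements with EXEC(@sql) instead of sp_executesql with parameters); those are the places where the "stored procedures only" guarantee described above no longer holds.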