Lesson 3: Architecture & Design
Secure design decides how well systems hold up under pressure. Think layers, least privilege, segmentation, and “never trust, always verify.”
1) Defense in Depth
Don’t bet the castle on one wall. Stack controls so a miss at one layer gets caught by another: firewall + IDS/IPS + encryption + user training. Failure becomes containment, not catastrophe.
2) Secure Network Design
- DMZ: Park public-facing services (web, mail, DNS) off the internal LAN.
- Segmentation: Split networks to limit blast radius and lateral movement.
- Zero Trust: “Never trust, always verify” — every request is authenticated and authorized, everywhere.
3) Secure Application Design
- Validate and sanitize inputs (prevent SQLi and friends).
- Encrypt data in transit and at rest.
- Use secure frameworks, regular code reviews, and secrets management (no hard-coded creds).
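To make the first and third bullets concrete, here is an added example (not code from the lesson) that places a string-concatenated lookup beside the validated, parameterized version and reads the database location from an assumed environment variable (APP_DB_PATH) instead of hard-coding it; it runs against a constructed in-memory SQLite table.

```python
import os
import re
import sqlite3

# Secrets/config come from the environment, never from source. APP_DB_PATH is
# an assumed variable name; it falls back to an in-memory DB for this demo.
DB_PATH = os.environ.get("APP_DB_PATH", ":memory:")


def make_db() -> sqlite3.Connection:
    # Constructed sample data (not real users) so the example runs offline.
    conn = sqlite3.connect(DB_PATH)
    conn.execute("CREATE TABLE IF NOT EXISTS users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Input is spliced into the SQL text, so the database parses it as SQL,
    # not as data: a quote in the input changes the query's meaning.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def query_by_name(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized: the driver binds the value separately from the query text,
    # so any quotes inside it stay literal characters.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allowlist for usernames: short, lowercase alphanumerics and underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Layer 1: validate against the allowlist before the value is used at all.
    if USERNAME_RE.fullmatch(name) is None:
        raise ValueError("invalid username")
    # Layer 2: even valid-looking input is passed as a bound parameter.
    return query_by_name(conn, name)
```

Feeding the classic `' OR '1'='1` string to lookup_vulnerable returns every row, while query_by_name returns none and lookup_safe rejects it before any query runs.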
Real-World: Target 2013
Attackers entered via a third-party HVAC vendor and pivoted because segmentation was weak. Strong vendor isolation + strict access paths would have shrunk the blast radius dramatically.
1. What’s the core idea behind defense in depth?
2. A DMZ is mainly used to:
3. Which principle gives users only the access they need?
4. Which BEST describes zero trust?
5. Which attack could have been reduced at Target with better segmentation?
6. Which practice protects against SQL injection?
7. Placing web, mail, and DNS servers in a special zone refers to:
8. What does segmentation help prevent?
9. Which is a secure coding practice?
10. Which design approach treats every request as untrusted?
