by Spearchucker 4139 days ago
"It's best to focus on the end points and beef up security there"

Not the way I'd do it. Defence in depth means securing everything. Starting with the perimeter, working inwards to individual apps - on both clients and servers. Every resource needs to be secured. That means spending cash, and the amount of cash that should be spent should be proportionate to the value of the asset being protected. If you have a server application or service, put an application firewall in front of it, so that both internal and external access goes through it. Don't just write a threat model, document the threat tree. Don't trust your employees, your software, hardware or building security. And don't trust the bosses either.

It's analogous to having a bodyguard. If you're in the bedroom and leave your bodyguard in the kitchen for a private conversation, the bodyguard and his big six gun are going to be of absolutely zero use when ninjas come crashing through the bedroom window.

2 comments

To run with your analogy a bit, I occasionally see CEO types with "bodyguards". Because the kidnapping attempt is theoretical and hasn't happened for ten years, the bodyguard is carrying the luggage or opening the doors or answering the phone.

The analogy is fairly clear - you can spend the money on security in depth. But humans tend to use those in segments for other things eventually. Banks have been around long enough that all their bodyguards are now bellboys.

The problem is, most organizations start at the network rather than focusing on the application tier. In the development of applications, they should be designed to work safely within a very hostile environment. Far too often they are not.