What does defense in depth mean in software security, and what is a practical example?

Defense in depth means using multiple, independent security controls across different layers of a system so that if one control fails or is bypassed, others still protect the asset. A practical example is a web service that combines network segmentation and a firewall with a web application firewall, plus strong application security practices and authentication controls. At the network level, segmentation and a firewall limit what can reach the service; at the application level, input validation, secure session management, and least-privilege access reduce the impact of any flaw; data is protected with encryption in transit and at rest; multi-factor authentication and role-based access control prevent unauthorized use; and continuous logging, monitoring, and an incident response plan help detect and respond to breaches. This layered approach is more robust than security by obfuscation, a single firewall, or relying solely on the perimeter, because it reduces risk even when one line of defense is compromised.