Friday, September 12, 2008


The Security Depth is inversely proportional to the Weakest Link in an n-Tier Architecture
The diagram below shows an n-tier architecture. To explain how data traverses the layers, it shows data travelling from the presentation layer to the business logic layer to the data access layer. Our minds usually see what they have been trained to see.
http://en.wikipedia.org/wiki/Image:Overview_of_a_three-tier_application.png

From the diagram it seems obvious that if security is heavy and 100% in the presentation layer, no data can traverse to the next layer and the system is absolutely secure. Alternatively, if the database has heavy security, a request that gets past the business layer is still restricted at the database layer. The data path really is serial.
That part is true, and our minds are trained to assume the same serial access applies to security: data has to pass through three doors, so "security at one door is good enough."
Alas, when it comes to security the tiers behave like three parallel doors, not three serial doors. A request can be shaped, or injected, at whichever door is weakest:
1) Weak presentation layer but strong business and database layers – Suppose the presentation layer lets a user masquerade as Administrator; the user then walks through the remaining two doors as Admin. E.g. a URL that carries the userID base64-encoded (base64 is a reversible encoding, not encryption, so anyone can produce a valid value): base64-encode the admin username and send it across to gain access. Pretty simple, but it happens in most projects.
2) Weak business layer – Most applications built on Microsoft technology use IIS. For IIS sites we usually use network (Windows) authentication or run the application pool under a standard service account, and in most cases that account is a super user on the database so that communication via web services works. If a user is restricted at the presentation layer but manages to masquerade at the application layer, that layer hands out complete access to the DB.
3) Weak DB layer – If no logic in the database or in the stored procedures (sprocs) checks who is asking, and data is returned for any well-formed request, information can still be sneaked out.
Thus when it comes to security it is not three serial doors but three parallel doors. :)
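The three doors above as runnable code, added here as an illustration and not part of the original post or of any real IIS/.NET project. It is written in Python rather than ASP.NET, and the users, passwords, session store and the "reports" it protects are all constructed for the demo. The vulnerable tiers trust a base64-encoded userID from the URL (case 1) and pass the name straight down (cases 2 and 3); the hardened tiers only accept a server-issued session token, and every tier re-resolves and re-checks the principal itself rather than trusting the door before it.

```python
"""Three tiers modelled as three doors (added example, not from the post).

All names, users, passwords and reports below are constructed for the demo.
"""
import base64
import hmac
import secrets

# Constructed user store: the role is what each tier must check.
USERS = {"alice": "user", "admin": "admin"}
PASSWORDS = {"alice": "alice-pw", "admin": "admin-pw"}   # constructed, plaintext for brevity
SECRET_REPORTS = {"q3-payroll": "confidential"}           # admin-only data

# ---------------------------------------------------------------------------
# Vulnerable: the presentation layer trusts a base64-encoded userID from the
# URL, and the two inner tiers trust whatever name the outer tier hands down.
# ---------------------------------------------------------------------------
def vulnerable_presentation(user_param):
    user = base64.b64decode(user_param).decode()   # door 1: decoding is not authentication
    return vulnerable_business(user)

def vulnerable_business(user):
    return vulnerable_data(user)                   # door 2: no check, passes the name through

def vulnerable_data(user):
    # door 3: like a sproc that answers any well-formed request
    return dict(SECRET_REPORTS) if USERS.get(user) == "admin" else {}

def forge_admin_param():
    """What an attacker puts in the URL: base64 is reversible by anyone."""
    return base64.b64encode(b"admin").decode()

# ---------------------------------------------------------------------------
# Hardened: identity is a server-issued session token, and every tier resolves
# and re-checks the principal itself instead of trusting its caller.
# ---------------------------------------------------------------------------
SESSIONS = {}   # token -> username, kept server side

def login(username, password):
    """Constructed login; returns a session token or None."""
    expected = PASSWORDS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def require_role(token, role):
    """Every door calls this. A forged username never gets through because
    only a server-issued token maps to a principal."""
    username = SESSIONS.get(token)
    if username is None or USERS[username] != role:
        raise PermissionError("denied")
    return username

def hardened_presentation(token):
    require_role(token, "admin")        # door 1
    return hardened_business(token)

def hardened_business(token):
    require_role(token, "admin")        # door 2: checks again, does not trust door 1
    return hardened_data(token)

def hardened_data(token):
    require_role(token, "admin")        # door 3: checks again, does not trust door 2
    return dict(SECRET_REPORTS)

def handle(tier, token):
    """Enter at any door; returns ("ok", data) or ("denied", None)."""
    try:
        return ("ok", tier(token))
    except PermissionError:
        return ("denied", None)
```

In the vulnerable version an attacker who can reach any one of the three functions (the URL, a web-service call into the business tier, or a direct query to the data tier) gets the reports by supplying the string "admin". In the hardened version the same string, plain or base64-encoded, is rejected at every door, and only a token obtained through `login` for a user whose stored role is admin gets through; entering at door 2 or 3 gains nothing because those doors perform the same check as door 1.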

Note for the week: never trust a client-side request or any web request; re-check identity and authorization at every tier.
