Web server patched against HTTP sploits
App exposes only predefined public functionality
Firewall blocks unwanted traffic
DB responds only to proper requests