Wrapping Up

Application security affects life and livelihood. It’s another area where we need to consider both the component-level behavior and the behavior of the system as a whole. Two secure components don’t necessarily mix to make a secure system.

The most common target of value is user data, especially credit card information. Even if you don’t handle credit cards, you might not be off the hook. Industrial espionage is real and it can sometimes look as harmless as the location of a shipment of tasty pecans.

Beware the pie crust defense. Internal APIs need to be protected with good authentication and authorization. It’s also vital to encrypt data on the wire, even inside an organization. There’s no such thing as a secure perimeter today. Bitter experience shows that breaches can be present for a long time before detection, more than enough for an attacker to devise recipes to get at that sweet user data.

Full treatment of application security is way beyond the scope of this book. The topics covered in this chapter earned their place by sitting in the intersection of software architecture, operations, and security. Consider this a starting point in a journey. Follow the trail from here into the rich and scary world of CVEs,[72] CWEs,[73] and CERTs.[74]

This finishes our slow zoom out from the physical substrate—copper, silicon, and iron oxide—all the way to systemic considerations. In the next part, we will look at the moment of truth: deployment!
