posted on Wednesday, July 16, 2008 8:24 AM
No one questions the need to secure applications today; we just argue over how we should do it. Let's take a break from that debate for a minute to make sure we don't get so focused on layer 7 (the application) that we forget about the rest of the stack and the importance of securing it as well. Just as a chain is only as strong as its weakest link, an application is only as secure as the most vulnerable layer in its stack. If your application is well secured but the network layer (IP) is wide open, you're at risk.

SANS Internet Storm Center has some interesting stats on the "survival" time of a Windows-based server on the public Internet. The "survival" time is the time it takes for an unpatched Windows server to be p0wned once it's publicly accessible. Now, no reasonable administrator is going to put an unpatched, unprotected server running any operating system on the public Internet, so this information isn't as interesting as it first sounds. What is exceedingly interesting, however, is the list of "ports" and applications that are attacked when a system is available for public access. The list contains both what we would consider "applications" and protocols up and down the TCP/IP stack. It includes protocols from layer 4 to layer 7 such as FTP, HTTP, DNS, MSSQL, and NetBIOS.

What this simple exercise should teach us is that it's not enough to be concerned with application security only at the application layer; it's imperative that we consider all layers of the stack when we're trying to secure an application, and ensure that layers 2, 3, and 4 are just as secure as layer 7. As the recent DNS vulnerability discovered by Dan Kaminsky proved, it's just as important to be concerned about protocols and their security as it is about the application and its (lack of) security.
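The list of attacked services above (FTP, HTTP, DNS, MSSQL, NetBIOS) is exactly what an administrator should be comparing against the services a host is actually meant to expose. The following script is an added example, not code from the original post or from F5: it parses constructed `ss -tuln`-style listener output (the sample text is made up, not captured from any real host), maps well-known IANA ports to the protocols named in the post, and flags anything bound to a non-loopback address that is not on a hypothetical allowlist of intended public services. The allowlist (`ALLOWED_PUBLIC_PORTS`) and the sample output are assumptions for illustration.

```python
# Added example: audit listening sockets against an allowlist of intended public services.
# Input is constructed `ss -tuln`-style text; it is not output captured from a real host.
from dataclasses import dataclass

# Well-known IANA port assignments for the protocols named in the post.
KNOWN_SERVICES = {
    21: "FTP",
    53: "DNS",
    80: "HTTP",
    137: "NetBIOS-NS",
    138: "NetBIOS-DGM",
    139: "NetBIOS-SSN",
    1433: "MSSQL",
}

# Hypothetical policy (assumption): a public web server should expose only HTTP and HTTPS.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the layout `ss -tuln` prints; every line here is made up.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128             [::]:443           [::]:*
tcp   LISTEN 0      128          0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:1433       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:137        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # local bind address with any "%iface" scope suffix removed
    port: int


@dataclass(frozen=True)
class Finding:
    listener: Listener
    service: str  # protocol name from KNOWN_SERVICES, or "unknown"


def parse_listeners(text: str) -> list[Listener]:
    """Turn `ss -tuln`-style lines into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the transport protocol; anything else is a header or noise.
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        local = fields[4]
        # Split on the last ':' so IPv6 literals like "[::]:443" keep their brackets.
        addr, port = local.rsplit(":", 1)
        addr = addr.split("%", 1)[0]  # drop "%lo"-style interface scopes
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners


def is_public(listener: Listener) -> bool:
    """True when the socket is reachable from the network rather than loopback only."""
    addr = listener.addr
    if addr in WILDCARD_ADDRS:
        return True
    if addr.startswith("127.") or addr in ("::1", "[::1]"):
        return False
    # Any other concrete address is an interface address, so treat it as exposed.
    return True


def audit_listeners(text: str, allowed_ports: set[int]) -> list[Finding]:
    """Report every network-reachable listener whose port is not on the allowlist."""
    findings = []
    for lst in parse_listeners(text):
        if is_public(lst) and lst.port not in allowed_ports:
            findings.append(Finding(lst, KNOWN_SERVICES.get(lst.port, "unknown")))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED_PUBLIC_PORTS):
        print(f"EXPOSED {f.listener.proto}/{f.listener.port} ({f.service}) "
              f"bound to {f.listener.addr}")
```

Run on the sample, the audit flags FTP, MSSQL and NetBIOS name service as exposed while leaving the loopback-only MySQL and resolver listeners alone; the same check run against a real host's `ss -tuln` output turns the post's "which ports get attacked" list into a concrete "which of those are we actually offering" answer.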
That means securing the platforms on which applications are deployed, the application delivery solutions through which they are delivered, and the routers and switches that ultimately route the data in and out of the data center. Every link in the chain must be secured, and that means vertically (platform and OS) as well as horizontally (network path). Just as you wouldn't consider putting an unpatched server within public reach, you probably wouldn't consider putting up a patched server without the protection of a firewall. But we also need to consider the rest of the horizontal and vertical chains that protect our applications to ensure that they are all properly hardened.

So the question, "Which do you need?" is fairly easily answered: "You need both." Leaving even one weak link in either direction is likely to result in your organization becoming yet another statistic.

Technorati Tags: MacVittie, F5, security, applications, protocols, web, internet, patches, Windows, Microsoft, SANS, DNS, Kaminsky