A-005 - Application Security

Purpose

Ensure that applications and exposed services are designed, configured and maintained in a way that reduces the risk of compromise, data exposure or misuse.

Asset Type

Business Capability

Description

Covers the security of web applications, APIs and service-level logic within the Scheol environment
Includes authentication mechanisms, input handling, configuration security and exposure management

At the current stage:

applications are deployed with basic hardening measures
no formal secure development lifecycle is in place
protection against common web vulnerabilities is limited
no dedicated Web Application Firewall (WAF) is deployed

Security posture varies depending on the application and hosting context.

Criticality

High

Application compromise can lead to:

unauthorized data access
remote code execution
lateral movement into the infrastructure

Sensitivity

Sensitive

Applications may process:

user data
business-related data (e.g. ERP)
authentication and session information

Exposure Level

Exposed

Applications hosted in Heaven are publicly accessible over HTTP/HTTPS. They represent a primary entry point into the environment.

Trust Zone

Hybrid
Heaven → exposed applications (primary attack surface)
Hell → internal services and future application components

Dependencies

Infrastructure Hosting (runtime environment)
Network Security & Segmentation (exposure control)
Identity & Access Management (authentication mechanisms)
Reverse proxy layer (traffic routing)
Database systems (data storage)

Relationships

Monitoring & Detection (application logs and events)
Administrative Access (application management)
Backup & Recovery (application data protection)
Documentation & Governance (security posture and traceability)

Security Position (Architecture Context)

Primary external attack surface
Entry point for most realistic threat scenarios

Key roles:

processes external inputs
exposes services to untrusted environments
interacts with sensitive data and backend systems

Current structural weaknesses:

absence of WAF or application-layer filtering
limited protection against common web vulnerabilities (e.g. injection, XSS)
lack of standardized hardening across applications
co-location of services increasing blast radius in case of compromise

Existing Protective Measures

basic application configuration hardening
restricted administrative access
use of HTTPS via reverse proxy
separation of user and administrative accounts where applicable

Limitations:

no centralized application security controls
no systematic vulnerability management process
no automated security testing (SAST/DAST)
no application-layer monitoring or alerting

Owner / Responsibility

Security Role (Sec)

Notes

Application Security is a key exposure point in the Scheol Security Lab, especially for services hosted in Heaven.

Current implementation is functional but limited, reflecting an early-stage security posture.

Planned improvements include:

introduction of a Web Application Firewall (WAF)
better isolation between applications and services
improved configuration hardening standards
integration of application-level logging and monitoring
progressive introduction of secure development and deployment practices

This asset is central to reducing external attack surface and improving overall resilience.

Purpose​

Asset Type​

Description​

Criticality​

Sensitivity​

Exposure Level​

Trust Zone​

Dependencies​

Relationships​

Security Position (Architecture Context)​

Existing Protective Measures​

Owner / Responsibility​

Notes​