Application Layered Security

In an IT organization, layered security means having multiple layers of controls within your systems. Think of it as an onion with many layers: at each layer, a control stops an attacker from getting closer to the core.

Building an application calls for the same kinds of layered controls. As a web application developer, I build layers of controls into applications; the security layers I would include are:

  • The end-user layer: front-end JavaScript that sanitizes strings and data and validates input where needed
  • Adding authentication using multi-factor authentication (MFA)
  • Back-end controller authentication, so every request is checked again on the server
  • A signed TLS/SSL certificate so requests travel over HTTPS and packets are encrypted in transit
  • Limiting the application to assigned IP addresses
  • Setting web security headers so the browser blocks particular requests before they ever reach the servers
  • Setting cookie timeouts and logging sessions out
  • Using a load balancer (LB) to allow or block traffic from specific sources or regions
  • Web servers and databases configured with appropriately scoped users and permissions

These would be considered the bare minimum for application security; however, depending on the application's controls, more layers may need to be added to meet regulatory or compliance needs.

Regardless of how many layers are in place, the weakest link will always be the human factor, because these technologies require many configuration decisions and an understanding of the underlying technology.