Assume Every Application is an On-Premises Application

We feel the need to label applications as either on-premises or cloud. We try to assure ourselves that an application categorized as on-premises will not send or receive data over a public network, and an application categorized as cloud will not install client resources. 

The Silent Reality

However, the reality is that most applications categorized as cloud require resources to be installed on the client, and sometimes install those resources silently. This is usually because browsers and HTML aren’t powerful enough to drive the complexity required by those applications.

Therefore, applications categorized as cloud sometimes require native browser plugins, agents, or beacons. Sometimes they require native applications that supplement the browser client, like update utilities, upload utilities, etc. Sometimes the only client is a native application, as is the case with mobile apps.

Installing any of these requires explicit action on the part of IT or the user, but these installations are often overlooked as requirements because the application is categorized as “cloud.”

Client Side Resources

Cookies, web storage, and JavaScript are examples of client side resources installed without explicit IT or user action. Web storage is becoming more prevalent and harder to manage. It started with local shared objects (aka Flash cookies) and it continues to expand via standards like IndexedDB and proprietary client-side storage methods used by Internet service providers.

So if prevention or knowledge of an application’s required client-side installations is important to you, you need to do a technical analysis of what is and what is not installed; don’t rely on marketing materials and naïve categorizations. In the absence of such an analysis, assume every application you use requires some type of client-side installation.
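
As a starting point for that kind of technical analysis, the following added example (not code from the original post) lists what a single web origin has already stored in the browser: script-visible cookies, web storage keys, and IndexedDB databases. It also checks the Cache API and service worker registrations, which go beyond the storage types named above; the names `inventoryClientStorage`, `sampleStore` and `sampleEnv` are hypothetical.

```javascript
// Added example: list what the current origin has stored on this client.
// `env` is a window-like object; in a browser DevTools console pass `window`.
async function inventoryClientStorage(env) {
  const report = { cookies: [], localStorage: [], sessionStorage: [],
                   indexedDB: [], caches: [], serviceWorkers: [] };

  // Cookies readable by script; HttpOnly cookies never appear in document.cookie.
  const raw = (env.document && env.document.cookie) || "";
  report.cookies = raw.split(";").map(c => c.trim().split("=")[0]).filter(Boolean);

  // Web Storage: record key names and value lengths, not the values themselves.
  for (const area of ["localStorage", "sessionStorage"]) {
    try {
      const store = env[area]; // access itself can throw when storage is blocked
      for (let i = 0; store && i < store.length; i++) {
        const key = store.key(i);
        report[area].push({ key, chars: (store.getItem(key) || "").length });
      }
    } catch (e) {
      report[area] = [{ error: e.name }];
    }
  }

  // Promise-based stores; a missing API or denied access is recorded as an error.
  const probes = {
    indexedDB: async () => (await env.indexedDB.databases()).map(d => d.name),
    caches: async () => env.caches.keys(),
    serviceWorkers: async () =>
      (await env.navigator.serviceWorker.getRegistrations()).map(r => r.scope),
  };
  for (const [name, probe] of Object.entries(probes)) {
    try {
      report[name] = await probe();
    } catch (e) {
      report[name] = [{ error: e.name }];
    }
  }
  return report;
}

// Constructed window-like sample (not real data) so this also runs in Node.
const sampleStore = { length: 1, key: () => "cart", getItem: () => "[1,2,3]" };
const sampleEnv = {
  document: { cookie: "sid=abc123; theme=dark" },
  localStorage: sampleStore,
  indexedDB: { databases: async () => [{ name: "offline-db", version: 1 }] },
};
// In a browser: inventoryClientStorage(window).then(r => console.log(r));
```

The report covers one origin in one browser profile only; native plugins, agents and helper applications have to be inventoried at the operating-system level.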

This post was originally published on the Stairstep Consulting blog.


David Znidarsic is the founder and president of Stairstep Consulting, where he provides intellectual property consultation services ranging from IP forensics, M&A diligence, information security management, open source usage management, and license management. Learn more about David and Stairstep Consulting at




