Can you define what you mean by those? Also, what platform will the “application” run on?

A system that uses direct-attach terminals, for example, with no need for “network” access (e.g., ODBC), can get along fine with just application security in almost all cases. There’s no need for any dollars to be spent on network security at all — there are no network interfaces that need to be secured.

But that’s a pretty uncommon setup nowadays.

Also, if object security is appropriately configured, it should be irrelevant if access is through “application” or “network” (however those are defined). If a user isn’t authorized to access an object, the permissions shouldn’t magically elevate because ODBC (or whatever) is an intermediate access protocol.

Also, if network interfaces are available, are you thinking in terms of operating system or related vulnerabilities that might be exploited to elevate authority? Obviously in those terms, “application security” (whatever that might be) can become totally ineffective.

I’m not at all clear on how you are thinking of the difference between the two.

Tom