• What is the necessity of integrating any given application with services hosted on the internet?
Generally very little, but a lot of the things in Spiceworks (e.g. checking warranties etc.) don't work well if they can't use the net.
This is a huge security screwup by Spiceworks, which should have zero impact for paranoid users of it, which to be fair is going to be the majority of its userbase. I mean, who puts total trust in any software package being 100% secure? A few years reading daily horror stories of disasters on El Reg from top tier suppliers should have put paid to that for even the newest IT bods, let alone the older paranoid cynics amongst us.
At the end of the day though, unless your firewall rules read:-
ALLOW INCOMING TRAFFIC FROM *.external to *.internal
ALLOW OUTGOING TRAFFIC FROM *.internal to *.external
Then you already looked into what the program wanted to send, decided this was ok and then set rules to allow the program to do it.
• What must be best practices regarding this sort of implementation, both at a code level and at a systems administration level?
Maybe it's just me having deep trust issues, but I consider that the outside of my network is an extremely hostile environment that will be hacked mercilessly from the second it's discovered by one of the port scans my firewall shows being run against my network on a near 24/7 basis. On that basis, I assume that *nothing* should be directly available on the internet, apart from port 25 (which on my network gets a huge number of people connecting and running directory scans for email addresses I accept, to which they then send spam. This keeps the honeypot on my anti-spam system busy collecting IPs, which are then used against the spammers).
As far as these applications are available then I'd say:-
Available on LAN: Yes.
Available on VPN: If business requirement.
Available on WLAN: I don't have one because we don't have a business requirement for it, but if I did then I'd say "if business requirement, and if adequately secured from public access".
Available on WAN: Hell no.
• How comfortable are any of us, really, with "hybrid cloud" applications such as Spiceworks?
Reasonably. I like Spiceworks, but I don't trust it security-wise. Then again, I don't trust anything security-wise enough to leave it open to the WAN. Excepting the firewall, which only accepts SSLVPN logins from things with the right security certificate and connection details, the right user & pass and authentication via 2FA.