
Web application security is rife with conflict and confusion

(Image credit: Wright Studio / Shutterstock)

Global organisations are having to deal with continually evolving threats to their web application security, and as their network ecosystem grows, so do the threats. To compete more effectively, companies are examining how to best manage and secure applications and data. As the complexity of cloud and on-premises networks increases, new vulnerabilities are introduced that leave applications open to constant attacks. 

To better understand the challenges that organisations face to protect web applications, Radware commissioned a second annual global survey of senior executives and IT professionals at companies with worldwide operations. The goal of the Radware 2018 State of Web Application Security survey was to find out how security breaches have affected respondents’ organisations in the past 12 months and the impact of application attacks on plans for cybersecurity protection measures. 

The results were contradictory. 

While two-thirds of respondents said that hackers were able to access their networks, the vast majority of respondents (90%) said that they were certain their organisations could keep up with the growing rate of application-layer attacks, even though many did not secure APIs or felt that their WAFs were not stopping all attacks. 

The stakes are getting higher

When application attacks are successful, organisations can experience many negative consequences, including loss of reputation, customer requests for compensation, churn, stock price drops and executive job losses, among other impacts. Customers expect the organisations with which they associate to protect their data. When a data breach is revealed, trust between customers and the organisation is broken. The process of repairing a company’s reputation is long and not always successful. 

About half of the organisations surveyed indicated that some of their customers asked for compensation or their own reputations suffered because of application/web server attacks. 

Organisations work very hard to capture and retain customers with targeted marketing programmes, service-level agreements and privacy assurances. Security breaches can cause lasting damage to customer loyalty and with the introduction of new data protection legislation such as the GDPR, can also result in substantial financial penalties.

Senior executives can also pay the price for security breaches. Across all regions surveyed, 23% of respondents reported executive firings related to application attacks. This data matches recent news about several chief executive officers of major companies losing their positions about six months after a data breach. 

Contradictions abound 

Radware’s survey results indicated that respondents understood that attacks were constant and evolving and their security protocols were not foolproof. At the same time, they overwhelmingly conveyed confidence in their ability to manage the growing rate of application-layer attacks. 

There appears to be a false sense of security. Application threats evolve at a mind-blowing pace. Organisations that have application security tools and processes in place may be under the impression they are in control but are not keeping up with the daily barrage. Other organisations may not even know that their application services are under attack. It’s just a matter of time before a significant data breach happens. 

Securing applications across the network ecosystem

As the network ecosystem grows in complexity with applications running in the cloud and businesses offering and consuming software as a service (SaaS) and relying on third-party data centres to secure data, how can organisations ensure that their applications are protected on their own networks and across multiple clouds? 

1. Use it or lose it 

Encryption is an accepted, proven method to secure data traveling on private and public networks. Yet this study reveals that half of the organisations suffered attacks disguised in encrypted traffic. As the information ecosystem grows, less than half of respondents use encryption when exposing data to third-party APIs. 

For encryption to be effective, it must be implemented hand in hand with security controls. Audit which APIs are active in your organisation and make sure encryption is used. 

70% of organisations also identified attacks against applications over IPv6, which features capabilities like end-to-end encryption and Secure Neighbor Discovery (SEND). 

Make sure that data is secure at rest and in transit. Don’t rely blindly on encryption or third-party APIs or services, even from cloud providers. 

2. Learn and protect 

DevOps and agile development practices are great at creating new applications quickly and efficiently. More than 60% of respondents said that they used DevOps automation tools to update applications. Unfortunately, the fluidity of these environments also creates a bevy of unintended security risks. Ensure that your WAF solution can automatically detect and protect applications and APIs as they are added to the network by automatically creating new policies and procedures. 

3. Minimise false positives

False positives translate to blocked users, which can result in lower conversion rates and negative impacts to a company’s reputation. Unfortunately, automated services and applications adhere to some common behaviours and make it difficult for organisations to tell a malicious user from a legitimate one. This puts companies on the defensive, scouring all their traffic looking for imposters. Additionally, the frequent updates to applications make it difficult for security solutions to keep up, resulting in frustrated customers who are trying to access their data or services. It’s important to keep false positives to a minimum to provide seamless customer experiences. 

4. Cover your top 10 list 

Industry pundits and experts at security consortiums and communities continue to categorise and identify the greatest web application security risks facing organisations. A WAF solution should provide complete coverage, including all OWASP top 10 vulnerabilities. 

5. Grab the bots by their source 

Bots, crawlers and spammers, using new techniques to disguise malicious traffic, can exhaust resources and scrape sensitive information from websites or cloud-based assets. A good WAF needs to sniff out these clandestine cyber assaulters. Device fingerprinting identifies, blacklists and blocks the source machines that are used for attacks regardless of the IP they hide behind. This fingerprint, a unique identification of the source, enables you to track its activity over time and make educated decisions regarding whether it is a good or bad bot. 
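To make the fingerprinting idea concrete, here is an added example (not Radware code, and not from the article) that derives a fingerprint from client attributes that stay fixed while the source IP rotates, tracks each fingerprint's activity over time, and classifies it. The log records, the attributes chosen for the hash, and the thresholds are constructed assumptions for illustration; a production WAF would use richer signals such as TLS and JavaScript-derived characteristics.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20100101 Firefox/60.0"

# Constructed access-log sample: a browsing session from one IP, and a scraper
# that rotates through eight IPs while keeping the same client characteristics.
SAMPLE_REQUESTS: List[dict] = [
    {"ts": 0, "ip": "203.0.113.10", "ua": FIREFOX_UA, "lang": "en-GB,en;q=0.5",
     "enc": "gzip, deflate, br", "path": "/"},
    {"ts": 45, "ip": "203.0.113.10", "ua": FIREFOX_UA, "lang": "en-GB,en;q=0.5",
     "enc": "gzip, deflate, br", "path": "/products/7"},
] + [
    {"ts": 2 * i, "ip": f"198.51.100.{i + 1}", "ua": FIREFOX_UA, "lang": "en-US",
     "enc": "identity", "path": f"/products/{i}"}
    for i in range(8)
]


def fingerprint(req: dict) -> str:
    """Hash the client attributes that stay fixed while the IP changes.

    The attribute set is an assumption for this example.
    """
    material = "|".join((req["ua"], req["lang"], req["enc"]))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def profile_clients(requests: List[dict], window: int = 60) -> Dict[str, dict]:
    """Aggregate activity per fingerprint: request count, IPs used, peak rate."""
    by_fp: Dict[str, List[dict]] = defaultdict(list)
    for req in requests:
        by_fp[fingerprint(req)].append(req)
    profiles = {}
    for fp, reqs in by_fp.items():
        times = sorted(r["ts"] for r in reqs)
        # Peak number of requests inside any sliding window of `window` seconds.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        profiles[fp] = {
            "requests": len(reqs),
            "distinct_ips": len({r["ip"] for r in reqs}),
            "distinct_paths": len({r["path"] for r in reqs}),
            "peak_per_window": peak,
            "first_seen": times[0],
            "last_seen": times[-1],
        }
    return profiles


def classify(profile: dict, max_ips: int = 3, max_rate: int = 6) -> str:
    """Verdict per fingerprint: many IPs behind one fingerprint, or a high
    burst rate, is treated as a bad bot. Thresholds are illustrative."""
    if profile["distinct_ips"] >= max_ips or profile["peak_per_window"] >= max_rate:
        return "bad_bot"
    return "ok"


def verdicts(requests: List[dict]) -> Dict[str, str]:
    """Map every fingerprint seen in the log to its verdict."""
    return {fp: classify(p) for fp, p in profile_clients(requests).items()}


if __name__ == "__main__":
    for fp, profile in profile_clients(SAMPLE_REQUESTS).items():
        print(fp, classify(profile), profile)
```

Because the scraper keeps one fingerprint across eight addresses, blocking by IP would miss it while the per-fingerprint profile flags it; the browser session, from a single IP at a human pace, stays unblocked, which is the false-positive side of the trade-off the article raises.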

6. Negative + positive = zero-day protection 

There are many known application attack vectors and exploit kits out there, which every solution should block. Zero-day assaults swiftly exploit newly discovered vulnerabilities. Negative and positive security models that automatically detect application domains, analyse potential vulnerabilities and assign optimal protection policies are critical. 
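The following is an added example, not code from the article or from Radware, showing how a negative model (blocklist signatures for known attack patterns) and a positive model (a per-endpoint allowlist schema) combine in request validation. The signatures, the `/api/orders` endpoint and its parameters are constructed assumptions; the point is that a request carrying no known signature can still be rejected because it falls outside the learned schema, which is how the positive model contributes protection against vectors that have no signature yet.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Negative model: known-bad patterns every request is checked against.
# These are a constructed, illustrative handful; real rule sets are far larger.
NEGATIVE_RULES = [
    ("sqli_union", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("sqli_tautology", re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("xss_script_tag", re.compile(r"(?i)<\s*script")),
    ("path_traversal", re.compile(r"\.\./")),
]


@dataclass
class FieldSpec:
    pattern: re.Pattern  # full-match allowlist for the field value
    max_len: int
    required: bool = True


# Positive model: per-endpoint allowlist of parameters assigned for the
# application domain (constructed for this example). Anything outside it is rejected.
POSITIVE_SCHEMA: Dict[str, Dict[str, FieldSpec]] = {
    "/api/orders": {
        "id": FieldSpec(re.compile(r"[0-9]{1,10}"), 10),
        "status": FieldSpec(re.compile(r"open|shipped|closed"), 7, required=False),
    },
}


def negative_check(value: str) -> Optional[str]:
    """Return the name of the first blocklist rule that matches, else None."""
    for name, rx in NEGATIVE_RULES:
        if rx.search(value):
            return name
    return None


def positive_check(path: str, params: Dict[str, str]) -> List[str]:
    """Return violations of the endpoint's allowlist schema (empty if compliant)."""
    schema = POSITIVE_SCHEMA.get(path)
    if schema is None:
        return [f"unknown endpoint {path}"]
    violations = []
    for name, spec in schema.items():
        if spec.required and name not in params:
            violations.append(f"missing required parameter {name}")
    for name, value in params.items():
        spec = schema.get(name)
        if spec is None:
            violations.append(f"unexpected parameter {name}")
        elif len(value) > spec.max_len:
            violations.append(f"{name} exceeds {spec.max_len} chars")
        elif not spec.pattern.fullmatch(value):
            violations.append(f"{name} fails allowlist pattern")
    return violations


def evaluate(path: str, params: Dict[str, str]) -> dict:
    """Combine both models: the request is blocked if either one rejects it."""
    sig_hits = {k: negative_check(v) for k, v in params.items()}
    sig_hits = {k: v for k, v in sig_hits.items() if v}
    schema_violations = positive_check(path, params)
    return {
        "blocked": bool(sig_hits or schema_violations),
        "signature_hits": sig_hits,
        "schema_violations": schema_violations,
    }


if __name__ == "__main__":
    print(evaluate("/api/orders", {"id": "42"}))
    print(evaluate("/api/orders", {"id": "1' OR '1'='1"}))
    print(evaluate("/api/orders", {"id": "42", "debug": "1"}))
```

The third request in the usage block carries nothing any signature knows about, yet it is blocked because `debug` is not a parameter the schema allows; that is the gap the positive model closes while the negative model handles the well-known vectors.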

7. Protection by unification

Companies face a wide range of security challenges, such as OWASP vulnerabilities, bot management, securing APIs and protecting against DoS. A synchronised attack-mitigation system that provides secure application protection against all the above threats, across all platforms and at all times, is the way to go. It provides comprehensive security and a single view of application security events for quick incident response and a minimum impact on the business. 

Mike O’Malley, Vice President of Carrier Strategy and Business Development at Radware 


Mike O’Malley is the Vice President of Carrier Strategy and Business Development at Radware.