Web application security in a digitally connected world

The conundrum for any organization is how to take the leap towards these new technologies that help break down barriers.

Nikhil Taneja, Jan 04th 2018

Global organizations stand on a cyber-security precipice. Emerging technologies such as blockchain, artificial intelligence (AI) and the Internet of Things (IoT), along with the explosive volume of mobile, web and cloud apps, create uncharted, highly lucrative pathways to revenue generation, optimized productivity and enhanced brand value. At the same time, the speed and sophistication inherent in these technological advances expose application vulnerabilities, security risks and skills deficiencies. These compromise sensitive company and customer data, devalue the brand and severely impact financial performance.

The conundrum for any organization is how to take the leap towards these new technologies that help break down barriers to consumer engagement and deliver substantial economic reward while successfully protecting corporate assets, intellectual property (IP) and personal customer information.

It is also important to examine the challenges these new technologies and rapid-fire application deployments present, to ascertain how organizations in different industries identify application-layer and API vulnerabilities, to measure the impact that bots have on organizations, to see how companies combat application-layer attacks (like those listed in the OWASP Top 10) and to construct a security roadmap for today and tomorrow.

It is also vital to understand how the rapidly growing number of security breaches against the application layer (such as the recent Equifax attack) would alter the financial and operational actions these companies take.

Based on a survey conducted with over 600 chief information security officers (CISOs) and other security leaders across six continents, the following key findings came forth:

  • Sixty-eight percent of organizations admit low confidence in their information security posture.
  • Organizations often leave sensitive data under-protected. Forty-five percent report they suffered a data breach while 52 percent do not inspect traffic being transferred to and from APIs. Fifty-six percent do not have the ability to track data once it leaves the company.
  • Bot traffic represents more than half (52 percent) the amount of Internet traffic, exceeding 75 percent of the total traffic among some organizations. Forty-nine percent of all bot traffic is bad bots, yet 33 percent of organizations cannot distinguish between good and bad bots.
  • API security is often overlooked. While 60 percent both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc., 52 percent don’t inspect the data that is being transferred via APIs and 51 percent don’t perform any security audits or analyze API vulnerabilities prior to integration.
  • Application-layer DDoS is a greater fear than network-level DDoS assaults. Only 33 percent feel confident they can mitigate application-layer attacks compared to 50 percent that feel confident they can protect against network-layer DDoS attacks.
  • Seven out of ten businesses (72 percent) are not fully aware of the frequent changes made to in-house applications and APIs within their organizations’ software development environment.
  • Forty percent of respondents claim their organization updates applications at least once per week, posing a great challenge for organizations.
  • Everyone wants the speed and agility that continuous delivery provides but few feel they can achieve it securely. Half (49 percent) currently use the continuous delivery of application services and another 21 percent plan to adopt it within the next 12-24 months. However, 62 percent reckon it increases the attack surface and approximately half say that they don’t integrate security into their continuous delivery process.
  • Less than a year prior to the due date (May 2018) for General Data Protection Regulations (GDPR) compliance, 68 percent of organizations are not confident they will be ready to meet these requirements in time.

#1 Conundrum: The Confidence Crisis: Protecting applications against data theft and bot attacks

As new technologies materialize at an accelerating pace, many security professionals face the unprecedented challenge of mitigating a wide swath of threats and attacks that are often byproducts of the evolving IT landscape. Existing security strategies, plans and measures may not measure up to rapidly developed malware, traffic floods and other threats. The result is a “crisis of confidence” that can overwhelm skills, deplete budget and resources, chip away at brand equity and fracture customer/partner relationships.

Take the recent Equifax breach, which exposed the personal information of over 145 million individuals because of a Web application vulnerability. While there may have been governance and accountability plans in place, other controls, such as a Web Application Firewall (WAF), could have mitigated such a massive attack had they been updated properly against known vulnerabilities. A simple question may have been: did the company have the confidence that it could protect against a probable attack, or was false confidence in the “impossibility” of such an attack its strategic approach?

The growing prevalence of attacks is a known fact; the more alarming finding is the uncertainty within these companies that they could even detect, prevent or contain these attacks, especially when it comes to emerging threats such as Layer 7 DDoS attacks. Research shows that 64 percent of financial services institutions, 62 percent of healthcare organizations and 58 percent of retailers acknowledge difficulty in mitigating Layer 7 DDoS attacks.

Bot Attacks

Automated attack programs, such as ‘bad’ bots, are the main force behind the majority of the attack landscape today. In fact, bots generate more than half of all Internet traffic. For some organizations, bots represent more than 75 percent of their total traffic. This is a significant finding considering that one in three (33 percent) organizations cannot distinguish between good bots and bad ones. Good bots serve critical functions, ranging from price aggregators and customer service chatbots to search engine spiders. However, for every good bot in the world, there is a bad bot wreaking havoc. Bots make traditional attack vectors more effective, faster and larger than anything humans can accomplish on their own.

#2 Conundrum: Continuous delivery security challenge

Organizations are looking for ways to optimize the deployment of application services. Many try to fully automate the cycle of application development, QA, testing, modification and deployment to staging and production environments in what is known as continuous delivery. A successful continuous delivery implementation can yield a competitive edge and save operational expenses. For some of the more dynamic application services, the fast pace is critical, as they are required to deploy multiple versions into production per day. The challenge, on the other hand, is to ensure adequate application security throughout the process, as almost two-thirds (62 percent) believe it increases the attack surface. Continuous delivery is a high priority for many organizations, with half of respondents currently using this approach and another 20 percent planning to do so within the next two years.

Research indicates that security executives and other experts understand the impact continuous delivery is having on their organizations. While 62 percent believe continuous delivery increases the attack surface, risks and vulnerabilities, only 25 percent are confident that security is integrated with the continuous delivery of in-house, Web or cloud applications.

#3 Conundrum: GDPR preparedness effect

Organizations around the world that do business in or with the European Union (EU) will soon need to meet stricter data privacy laws, with the GDPR taking effect in May 2018. Any organization that offers goods or services to EU residents, monitors their personal behavior, or processes or handles personal data of EU residents will be affected by this law. Those who do not abide by the regulation will be subject to hefty fines. This is a particular challenge for large multi-national corporations that do business in the EU as well as companies that are headquartered there.

Whatever WAF solution an organization is evaluating, it should cover the critical security fundamentals: protection against the complete OWASP Top 10 vulnerabilities, effective API security and HTTP DDoS mitigation. By evaluating existing security processes, systems and security tools, and implementing application security solutions and practices that augment and enhance these capabilities, organizations will build the foundation for an application-secure infrastructure.

The author is MD, Radware India.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).