A Radware study shows that web applications are unnecessarily vulnerable to cyber attacks. Global organizations struggle to maintain consistent application security across multiple platforms.
They are also losing visibility as new architectures emerge and Application Programming Interfaces (APIs) are introduced. These are the key findings of Radware's 2020-2021 State of Web Application Security Report. The background to this development is the need to adapt quickly to a new model for remote work and customer contact brought about by the pandemic. In this transition, many decision makers have had little or no time for proper security planning.
2020-2021 State of Web Application Security Report
"With more than 70 percent of respondents reporting that their production apps have already left the data center, ensuring the security and integrity of these data and applications is becoming increasingly difficult, especially in multi-cloud environments," said Gabi Malka, Chief Operating Officer at Radware. "This migration, combined with increasing reliance on APIs and the adoption of unsecured mobile apps, is a boon for criminals, giving them a cybersecurity edge. While respondents who are already running multiple API-based apps on public clouds seem to understand the risks, those who aren't seem dangerously complacent." Key findings of the Radware study are:
Mobile apps are far less secure
Mobile apps are playing a critical role right now: most information workers work from home, and most people use mobile apps for entertainment, social interaction, education, and shopping. However, mobile apps are developed with far less attention to security, partly because they are more often developed by third parties.
The research found that only 36% of mobile apps have fully integrated security features, while a large proportion (22%) have either minimal or no security features. As long as the security of mobile apps is not taken seriously, Radware expects more, and more serious, incidents that use the mobile channel for attacks. That in turn will likely increase the pressure on companies to secure mobile apps so as not to expose customer data to attackers.
APIs are the next big threat
Reliance on and trust in web-enabled applications in the form of APIs is increasing. APIs process a variety of sensitive data types, e.g. credentials and payment information. Radware's security specialists expect API abuse to become the most common attack vector. API security is therefore the most critical gap that companies should address in 2021.
Almost 40% of the companies surveyed stated that more than half of their applications are connected to the Internet or third-party services via APIs. Approximately 55% of organizations experience a DoS attack against their APIs at least once a month, 49% experience some form of injection attack at least once a month, and 42% suffer from element or attribute manipulation at least once a month.
Business unprepared for bot traffic
Bot management is also a major problem because organizations are not prepared to handle bot traffic properly. While web application firewalls provide important defenses for detecting and preventing attacks on APIs and the like, bot management tools provide a robust defense against sophisticated bot attacks. They give security teams a better understanding of how to deal with a wide variety of threats and attacks.
Radware's survey found that only 24% of companies have a dedicated solution to distinguish a real user from a bot. In addition, only 39% of respondents are confident that they understand what sophisticated malicious bots are doing.
Security officers are not the main decision makers
Despite the threats presented in the report, security is not a top priority in application development. In around 90% of the companies surveyed, security officers have no say in the architecture of application development or in the budget. About 43% of the companies surveyed stated that the integration of security mechanisms must not interrupt the end-to-end automation of the release cycle. The result is a situation in which the people responsible for security have little influence on how applications are developed.
DDoS attacks will not go away
The most common bot attack is denial of service, although it takes different forms. About 86% of respondents said they had experienced such an attack, with a third reporting weekly and 5% reporting daily occurrences. Denial of service on the application layer often takes the form of HTTP/S floods: almost 60% of businesses experience an HTTP flood at least once a month.
More on this at Radware.com
About Radware
Radware (NASDAQ: RDWR) is a global leader in application delivery and cybersecurity solutions for virtual, cloud and software-defined data centers. The company's award-winning portfolio secures enterprise-wide IT infrastructure and critical applications and ensures their availability. More than 12,500 enterprise and carrier customers worldwide benefit from Radware solutions to quickly adapt to market developments, maintain business continuity and maximize productivity at low cost.