The 2020 App Threats Landscape in Review
As more organizations place a priority on application development, production and hosting, new vulnerabilities and threats emerge. The need for faster time to market, improved user experience and better resource utilization can influence which security controls are implemented before an application is deployed, if any.
In 2020, 98% of Radware survey respondents saw a wide variety of attacks on applications and web servers and expressed concern about how to protect APIs and the transfer of sensitive data.
Widely Varying Frequency of Attacks
The survey revealed the top three most frequent application and web server attacks. SQL and other injection attacks occur monthly or more often for 57% of organizations, whereas attacks like cross-site request forgery (CSRF), session/cookie poisoning or protocol attacks occur far less frequently; in some cases, respondents report that they have not seen these attack types in their organizations at all.
RPA & Automated Attacks Rising, Yet Businesses Aren’t Ready to Manage Bot Traffic
While Robotic Process Automation and other good bots help accelerate productivity and business processes such as data collection and decision making, bad bots target websites, mobile apps and APIs to steal data and disrupt service.
Organizations continue to rely on conventional security solutions to assess bot traffic. Today’s sophisticated bad bots can mimic human behavior and bypass CAPTCHAs and other older technologies and heuristics.
WAF is the Most Common Tool Used to Classify Bots
Despite the limitations of these technologies in detecting sophisticated, human-like bot traffic, nearly one-half of organizations use web application firewalls (WAFs) to distinguish between real users and bots, and nearly the same proportion use IP-based detection to do so. Other techniques in use include in-session detection and termination, and CAPTCHAs. The least commonly used method for distinguishing between real users and bots is a dedicated anti-bot/anti-scraping solution.
The top three types of bot attacks reported by respondents are DDoS, web scraping and account takeover. A variety of other attack types occur with some frequency, including digital fraud, denial of inventory and payment data abuse.
Exhausting Application Resources via DDoS
Eighty percent of respondents report having suffered DoS attacks against their applications. Just like DDoS attacks targeting network infrastructure, the most common technique to take an application down is to flood it with incoming requests. Nearly three in five organizations experience an HTTP Flood at least once per month, if not more frequently. Almost two in five experience HTTPS Floods at least this often. A variety of other DoS attacks occur with some frequency, including buffer overflows and resource depletion attacks.
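The survey above records that IP-based detection is one of the most common ways organizations try to separate bots from users, and that HTTP floods are the most common application DoS technique. The following added example (written for this page, not Radware's code) runs two simple detectors over constructed access-log lines: a per-source-IP rate limit, which stands in for IP-based detection, and an aggregate per-endpoint rate check. A flood from one source trips both, but a flood spread across many sources stays under the per-IP limit and is only caught by the aggregate check, which is the limitation the survey describes. The log format, IP addresses (documentation ranges), thresholds and traffic shapes are all constructed for the example.

```python
"""Per-IP vs aggregate rate detection over constructed access-log lines.

Added example, not from the original page. Every IP, log line and
threshold below is constructed; the log layout is modelled on the
Common Log Format but is not a real capture.
"""
import re
from collections import Counter

# Constructed layout: <ip> - - [<timestamp>] "<method> <path> HTTP/1.1" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def make_lines(ip, count, path="/api/search"):
    """Constructed sample: `count` GET requests from `ip`, all inside one minute."""
    return [
        f'{ip} - - [01/Mar/2020:10:00:{i % 60:02d}] "GET {path} HTTP/1.1" 200 512'
        for i in range(count)
    ]


def detect(lines, per_ip_limit=100, aggregate_limit=500):
    """Run both checks over one minute of traffic to a single endpoint.

    per_ip_limit:    requests/minute above which one source is flagged
                     (the IP-based detection the survey mentions)
    aggregate_limit: total requests/minute to the endpoint above which it is
                     treated as flooded regardless of how many sources there are
    """
    per_ip = Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing the detector
        per_ip[rec["ip"]] += 1
        total += 1
    offenders = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    return {
        "total": total,
        "max_per_ip": max(per_ip.values(), default=0),
        "per_ip_offenders": offenders,
        "aggregate_alert": total > aggregate_limit,
    }


def legitimate_traffic():
    """20 ordinary users, 3 requests each (constructed baseline)."""
    lines = []
    for i in range(20):
        lines += make_lines(f"10.0.0.{i + 1}", 3)
    return lines


def single_source_flood():
    """Baseline plus one source sending 500 requests in the minute."""
    return legitimate_traffic() + make_lines("203.0.113.7", 500)


def distributed_flood():
    """Baseline plus 200 bot sources sending 5 requests each.

    Every source stays under per_ip_limit, so IP-based detection sees nothing,
    yet the endpoint receives far more traffic than in the single-source case.
    """
    lines = legitimate_traffic()
    for i in range(200):
        lines += make_lines(f"198.51.100.{i + 1}", 5)
    return lines


if __name__ == "__main__":
    for name, traffic in [("legitimate", legitimate_traffic()),
                          ("single-source flood", single_source_flood()),
                          ("distributed flood", distributed_flood())]:
        print(name, detect(traffic))
```

The per-IP limit catches the classic single-source HTTP flood and nothing else; the distributed case has a higher request total but a maximum per-IP rate of 5, so only the aggregate check fires. In practice the aggregate check needs a baseline per endpoint rather than a fixed number, and a bot that keeps the aggregate under that baseline while rotating sources is exactly the traffic the survey says WAF and IP-based approaches miss.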
APIs Process a Variety of Confidential Data Types
The survey found that a wide variety of data types are processed by APIs. In the vast majority of organizations, APIs process sensitive personal data such as email addresses, telephone numbers, addresses, user credentials, tokens, hashes, cookies and payment information. Many organizations also use APIs to process information that includes identification information about individuals, including medical records in some cases.
Most Apps Expose Sensitive Data Through APIs
Respondents indicated the vast majority of applications are exposed to the internet and/or third-party application services via APIs. While 27% of organizations have fewer than one-quarter of their apps exposed, 35% have between one-quarter and one-half of their apps exposed, and 38% have more than one-half of their apps exposed.
The lurking danger lies in the challenges application development teams face in securing their applications in the new cloud environment, where the security of data in applications running on containers is still not well understood; some tools are available, but no best practice has emerged yet. Fifty-seven percent of organizations already use containerized apps, yet 52% of respondents believe that the use of containers has provided no additional financial efficiency.
Substantial Concerns About the Use of APIs
The survey revealed that three in five respondents are concerned or extremely concerned about the potential for security breaches with regard to their use of APIs. A large portion of respondents are concerned about unintentional data loss, management and maintenance overhead, and overcomplexity regarding their use of APIs.
The research revealed a relationship between the level of concern about the use of APIs and the extent to which applications are exposed to the internet and/or third-party applications. For example, among those who are "very concerned" about these issues, 40% of respondents have more than one-half of their applications exposed via APIs. However, among those who are only minimally concerned, none have more than one-half exposed via APIs.
API Attacks are Common
API attacks of various types are fairly common. The survey revealed that 55% of organizations experience a DoS attack against their APIs at least monthly, 48% experience some form of injection attack at least monthly and 42% experience an element/attribute manipulation at least monthly.
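Two of the three API attack classes the survey lists, injection and element/attribute manipulation, come from the same root cause: an endpoint that trusts the structure and content of the client's request body. The added example below (written for this page, not Radware's code) shows a JSON "update profile" handler in a deliberately vulnerable form beside a hardened one, backed by an in-memory SQLite table. It takes "element/attribute manipulation" to mean a client supplying attributes the endpoint never meant to accept (here a `role` field), which is an assumption about the survey's category; the schema, handler names and payloads are constructed for the example.

```python
"""Vulnerable vs hardened handler for a JSON 'update profile' API call.

Added example, not from the original page. The users table, handler
names and attack payloads are constructed; the vulnerable handler is
deliberately unsafe to show both attack classes.
"""
import sqlite3

ALLOWED_FIELDS = {"email", "display_name"}  # what a user may change about themselves


def make_db():
    """Constructed schema with two ordinary users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT, role TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'Alice', 'user')")
    conn.execute("INSERT INTO users VALUES (2, 'bob@example.com', 'Bob', 'user')")
    conn.commit()
    return conn


def get_user(conn, user_id):
    return conn.execute(
        "SELECT email, display_name, role FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def update_profile_vulnerable(conn, user_id, payload):
    """Deliberately unsafe: binds every JSON key to a column (attribute
    manipulation) and splices the values into the SQL text (injection)."""
    sets = ", ".join(f"{k} = '{v}'" for k, v in payload.items())
    conn.execute(f"UPDATE users SET {sets} WHERE id = {int(user_id)}")
    conn.commit()


def update_profile_hardened(conn, user_id, payload):
    """Allowlists the attributes a caller may set and binds values as parameters."""
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"attribute(s) not permitted: {sorted(unknown)}")
    if not payload:
        return
    # Column names come only from the allowlist; values never touch the SQL text.
    sets = ", ".join(f"{k} = ?" for k in payload)
    conn.execute(f"UPDATE users SET {sets} WHERE id = ?", (*payload.values(), int(user_id)))
    conn.commit()


def demo():
    """Run both attacks against both handlers and return what each one did."""
    results = {}

    # Attribute manipulation: the client adds a field the API never offered.
    attr_payload = {"display_name": "Alice", "role": "admin"}
    conn = make_db()
    update_profile_vulnerable(conn, 1, attr_payload)
    results["vuln_attr_role"] = get_user(conn, 1)[2]      # 'admin'
    conn = make_db()
    try:
        update_profile_hardened(conn, 1, attr_payload)
        results["hard_attr"] = "accepted"
    except ValueError:
        results["hard_attr"] = "rejected"

    # Injection: a value that closes the quote and rewrites the statement so
    # it promotes a different user (id 2) and comments out the real WHERE.
    inj = "x', role = 'admin' WHERE id = 2 --"
    conn = make_db()
    update_profile_vulnerable(conn, 1, {"display_name": inj})
    results["vuln_inj_bob_role"] = get_user(conn, 2)[2]   # 'admin'
    conn = make_db()
    update_profile_hardened(conn, 1, {"display_name": inj})
    results["hard_inj"] = (get_user(conn, 1)[1] == inj, get_user(conn, 2)[2])  # (True, 'user')
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Neither fix depends on a WAF or gateway sitting in front of the API: the allowlist removes the attribute manipulation class for this endpoint, and parameter binding removes the injection class, which is why an edge control on its own is a poor substitute for these two lines of defence.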
WAFs Are the Most Common Defense
Respondents were asked about the variety of technologies they use to protect their APIs. At 77%, the vast majority use WAFs to protect their APIs, while 61% use API gateways and 50% use an additional cloud service. Only one in four organizations currently uses any sort of dedicated bot management tool to protect its APIs.