Applications Needlessly at Risk for Cyber Attacks Following 2020 Accelerated Cloud Migration
Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, today released its 2020-2021 State of Web Application Security Report.
The report revealed that global organizations are struggling to maintain consistent application security across multiple platforms, and they are also losing visibility with the emergence of new architectures and the adoption of Application Program Interfaces (APIs). A major factor in these challenges was the need to adjust rapidly to a new remote working and customer engagement model that resulted from the pandemic, leaving decision makers little or no time to conduct adequate security planning.
According to Michael Osterman of Osterman Research, “With 2020’s rapid cloud migration, we were surprised to see the pervasiveness across organizations of dangerous levels of insecurity in mobile and cloud-based apps, as well as APIs.”
“With more than 70% of respondents reporting that their production apps have already left the data center, ensuring the security and integrity of these data and applications is becoming more challenging, particularly in multi-cloud environments,” said Gabi Malka, Chief Operating Officer for Radware. “This migration, in combination with an increased reliance on APIs and the addition of unsecured mobile apps, has been a boon to criminals, leaving them ahead on the cyber security curve. While respondents who have already moved to the public cloud and have several apps exposed to APIs seem to understand the risks, those that haven’t seem perilously complacent.”
Among specific findings in the report are the following:
API’s Are the Next Big Threat
There is a growing dependence on, and increased reliance on, web-enabled applications in the form of APIs. A wide variety of sensitive data types are processed by APIs, such as user credentials, payment information, social security numbers, etc. API abuses are expected to become the most frequent attack vector. As such, API security is the most critical hole enterprises should patch in 2021.
Nearly 40% of organizations surveyed reported that more than one-half of their applications are exposed to the internet or third-party services via APIs. Some 55% of organizations experience a DoS attack against their APIs at least monthly, 49% experience some form of injection attack at least monthly, and 42% experience an element/attribute manipulation at least monthly.
Enterprises Unprepared for Bot Traffic
Bot management is also a major concern because enterprises are not prepared to properly manage bot traffic. While web application firewalls offer important defensive capabilities to detect and prevent attacks against APIs and the like, bot management tools offer a robust defense against sophisticated bot attacks. And they give security teams a better grasp on dealing with a variety of threats and attacks.
The report revealed that only 24% of organizations have a dedicated solution to distinguish between a real user and a bot. Moreover, only 39% of those surveyed have confidence in their understanding of what’s going on with sophisticated bad bots.
Mobile Apps Far Less Secure
Mobile apps played a critical role during 2020 as most information workers were shifted to at-home work, and as most use mobile apps for entertainment, social interaction, education, and shopping. However, mobile app development is highly insecure. This is true, in part, because mobile apps are more commonly developed by third parties.
This research found that only 36% of mobile apps have security fully integrated, and a large proportion have either minimal or no security (22%). As a result, until mobile apps security is treated seriously, we expect to see more – and more serious – incidents that use the mobile channel for attacks. That in turn will likely put more pressure on enterprises to secure mobile apps and not leave consumer data exposed to hackers.
Security Staff Is Not the Prime Decision Maker
Despite the threats outlined in the report, security is not a first priority in application development practices. In approximately 90% of surveyed organizations, security staff are not the prime influencer on application development architecture nor the budget. Some 43% of companies surveyed said security should not interrupt the end-to-end automation of the release cycle. This creates a situation in which the very people responsible for security have little control over how apps are developed.
DDoS Attacks Aren’t Going Away
The most common Bot attack is Denial-of-Service, taking different shapes. Some 86% said they have experienced such an attack, with a third of them reporting weekly occurrences and 5% seeing them daily. Denial-of-service at the application layer is frequently in the form of HTTP/S floods. Nearly 60% of organizations experience an HTTP flood at least once per month or more. To read the full report, please visit https://www.radware.com/resources/complete-protection/
Radware engaged Osterman Research to conduct a survey with 205 decision makers and influencers in organizations that have a minimum of 1,000 employees. The median number of employees at the organizations surveyed was 2,200. The primary job functions of the individuals surveyed included network security, DevOps/DevSecOps, network operations and related roles, application development, application security, and various other IT and related roles. The majority of those surveyed are either in senior management or management roles. including in executive positions.
Radware® (NASDAQ: RDWR), is a global leader of cyber security and application delivery solutions for physical, cloud, and software defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application, and corporate IT protection and availability services to enterprises globally. Radware’s solutions empower enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity and achieve maximum productivity while keeping costs down. For more information, please visit www.radware.com.
Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, Radware Mobile for iOS and Android.
©2021 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents and pending patent applications of Radware in the U.S. and other countries. For more details please see: www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.
Safe Harbor Statement
This press release includes “forward-looking statements” within the meaning of the Private Securities Litigation Reform Act of 1995. Any statements made herein that are not statements of historical fact, including statements about Radware’s plans, outlook, beliefs or opinions, are forward-looking statements. Generally, forward-looking statements may be identified by words such as “believes,” “expects,” “anticipates,” “intends,” “estimates,” “plans,” and similar expressions or future or conditional verbs such as “will,” “should,” “would,” “may” and “could.” For example, when we say that “we expect to see more – and more serious – incidents that use the mobile channel for attacks. That in turn will likely put more pressure on enterprises to secure mobile apps and not leave consumer data exposed to hackers”, that is a forward-looking statement. Because such statements deal with future events, they are subject to various risks and uncertainties, and actual results, expressed or implied by such forward-looking statements, could differ materially from Radware’s current forecasts and estimates. Factors that could cause or contribute to such differences include, but are not limited to: the impact of global economic conditions and volatility of the market for our products; natural disasters and public health crises, such as the coronavirus disease 2019 (COVID-19) pandemic; our ability to expand our operations effectively; timely availability and customer acceptance of our new and existing solutions; intense competition in the market for cyber security and application delivery solutions and in our industry in general and changes in the competitive landscape; outages, interruptions or delays in hosting services or our internal network system; our dependence on independent distributors to sell our products; undetected defects or errors in our products or a failure of our products to protect against malicious attacks; the availability of components and manufacturing capacity; the ability of vendors to provide our hardware platforms and components for our main accessories; our ability to attract, train and retain highly qualified personnel; and other factors and risks over which we may have little or no control. This list is intended to identify only certain of the principal factors that could cause actual results to differ. For a more detailed description of the risks and uncertainties affecting Radware, refer to Radware’s Annual Report on Form 20-F, filed with the Securities and Exchange Commission (SEC) and the other risk factors discussed from time to time by Radware in reports filed with, or furnished to, the SEC. Forward-looking statements speak only as of the date on which they are made and, except as required by applicable law, Radware undertakes no commitment to revise or update any forward-looking statement in order to reflect events or circumstances after the date any such statement is made. Radware’s public filings are available from the SEC’s website at www.sec.gov or may be obtained on Radware’s website at www.radware.com.