The past year in web app cybersecurity was anything but calm, and if predictions on the coming year from PerimeterX CTO Ido Safruti are accurate, it’s going to be another year of struggles to protect web apps.
Safruti predicts a 2022 in which custom-tailored malware, bot attacks and post-login fraud spike, causing leaders to finally confront the reality of online fraud: It varies greatly, is becoming more selective in its targets and is present everywhere from before login to well after a username and password are entered. “Because of this, we believe 2022 will be the year of comprehensive account protection,” Safruti said.
By “comprehensive account protection,” Safruti means security that goes beyond old-fashioned perimeter or castle-and-moat identity verification. “It means approaching security from a perspective of the user’s account integrity and providing multiple tiers of protection throughout the application journey and the account lifecycle,” Safruti said. Think zero trust and other forms of identity verification that track behavior and log actions to look for suspicious behavior.
Safruti and PerimeterX make the following five predictions for web app security in 2022, and the complete picture looks like one in which a security storm with limited solutions is on the horizon.
In case you’re curious as to whether these predictions are reliable, Safruti points to his report card for last year’s predictions. Three of the five (that cybercrime communities would get stronger, that GraphQL would become a security risk and that flash sales would be dominated by bots) were scored as correct. DevSecOps going mainstream was rated as “hard to call,” and the idea that buy-online-pickup-in-store would become a large new type of fraud was labeled false.
Expect supply chain attack prevention to become more important
Nobelium, the group behind the SolarWinds attack, has already resurfaced to hit additional targets using similar methods: supply chain attacks that leverage weaknesses in third-party software. Combined with ever-tightening data protection regulations, Safruti predicts a year in which businesses start to treat weaknesses in down-chain suppliers as a serious liability issue instead of just a cost of doing business.
“92% of website decision makers lack complete visibility into their software supply chains. Getting this visibility will be a top priority for companies aiming to prevent a major data breach and avoid massive regulatory fines in 2022 and beyond,” Safruti said.
Custom malware will hit more than 50% of the 100 largest marketplaces
It is well known that malware is sold on the internet ready to be customized, with its developers handling the sale and providing support. As time goes on, those developers only become more capable of custom tuning that makes their malware more effective.
Commodified attack tools are cheap, and free videos are available online that help budding cybercriminals learn to use them, Safruti said. “We are witnessing the rise of a ‘Crime as a Service’ (CaaS) ecosystem, which fuels an uptick in custom malware that targets specific applications or websites. With its low barrier to entry and high potential to yield results, custom malware will become a more popular attack vector in 2022,” Safruti said.
The post-login environment will start getting security attention
We’re living with our feet in two security worlds: the old one, which relied on the login itself to verify identity, and the new one, in which a username and password are nowhere near secure enough to prove that a person is who they say they are. Even multi-factor authentication only adds to perimeter security, making it beneficial but not a permanent solution.
“In 2022, we expect online businesses to adopt solutions that address this issue. Understanding if a user is indeed who they say they are — and if their post-login activity is legitimate — will be key to maintaining accounts’ integrity,” Safruti said.
Fraud will cause a major company to lose value this year
“In the past, many companies have brushed off fraud as just a cost of doing business,” Safruti said. That isn’t the case anymore, as he predicts that overall fraud against online businesses will increase to the point where it has a material impact on a company.
“Recent research has shown that bad bots negatively impact 75% to 80% of operational costs for online retailers, which translates to between 18% and 23% of net revenue. When fraud translates to a few pennies’ impact on earnings per share (EPS), it will act as a wake-up call for businesses to become more proactive,” Safruti said.
At least one big retailer will ditch the password
There are a lot of credentials available for sale on the dark web. As one example, Safruti points to a 1.2TB database released in June 2021 that contained information from over 3.2 million Windows computers, including over 400 million valid web login cookies.
“Because stolen credentials are so widely available, getting usernames and passwords is no longer a deterrent to cybercrime — so businesses need to rethink their fraud prevention strategy,” Safruti said. He predicts that 2022 will be the year that one or more large consumer-facing businesses will “eliminate the need for credentials altogether by adopting stronger solutions that do not rely on credentials only.”