The 2020-2021 State of Web Application Security Report is out from cybersecurity vendor Radware, and it paints a grim picture of security over the past 12 months and a similarly bleak view for the rest of 2021.
Among the findings from Radware's survey of 205 IT security decision-makers are some startling statistics: 98% of respondents said their apps were subject to an attack in 2020, 92% of organizations exclude security teams from CI/CD workflows, only 36% of mobile applications have security integrated into their development, and only 27% of respondents completely trust the security of their public cloud platforms, despite 70% of apps being hosted in the cloud.
In short, there’s a lot going wrong in the world of web apps, with Radware describing apps as being “needlessly at risk” thanks to the rapidly accelerating pace of digital transformation without the necessary security planning that goes with it.
2020 was a year of forced change, with many organizations having to move locally hosted apps and in-office software into the cloud due to COVID-19 lockdowns and work-from-home restrictions. As a result, the report said, “the increased use of mobile apps for private and business matters created even more exposure points for bad actors to target.” With little to no time to plan properly for pandemic-related increases in web app attack surfaces, 2021 will be a year in which companies need to quickly correct course to avoid costly and unnecessary security breaches.
Radware pulled five key findings out of its report that are essential to address in 2021. Security teams and IT leadership should take a moment to pause, reflect on how these may affect them, and take proactive steps to ensure a secure year.
APIs are becoming a threat
“There is a growing dependence on, and increased reliance on, web-enabled applications in the form of APIs,” the report said. It predicts API abuses to be the most frequent attack vector in the future, which spells bad news for lots of organizations.
Fifty-five percent of respondents said their organizations experienced a DoS attack against their APIs at least once a month, 49% experience an injection attack in the same timeframe, and 42% are targeted with an element or attribute manipulation attack at least monthly.
With so many apps depending on APIs, and so many APIs processing sensitive information, organizations need to close critical holes in their API security now, before the attacks the report predicts become the norm.
Bot attacks can catch you unaware
Only 24% of respondents said their organization has a dedicated way to distinguish between human and bot traffic, and a mere 39% are confident that they understand how bad bots operate.
A lack of knowledge regarding malicious bots has the potential to catch enterprises unaware, the report said, and with 82% of respondents saying they’ve faced a bot attack there’s little reason to ignore, or not learn about, this threat.
Mobile apps are even less secure than web apps
As stated above, only 36% of mobile applications have security integrated into their development process. A full 22% have minimal or no security, and 42% leave security to third-party “bolt-on” code.
“Until mobile apps security is treated seriously, we expect to see more—and more serious—incidents that use the mobile channel for attacks. That in turn will likely put more pressure on enterprises to secure mobile apps and not leave consumer data exposed to hackers,” Radware said.
Security staff need to be primary decision-makers
With 43% of companies saying that security shouldn’t interrupt the release cycle, “the very people responsible for security have little control over how apps are developed,” the report concludes. In addition, 89% of organizations said that security staff don’t even have control of the budget for security solutions.
Being forced to secure apps “as-is” is a recipe for disaster, especially with the current pace of digital transformation. Security staff, the report said, takes a back seat to the IT team in nine out of ten organizations “despite the threats outlined in the report.”
Expect DDoS attacks to hit you
One third of respondents said they were subject to weekly DDoS attacks in 2020, and 5% said they faced them daily. DDoS attacks were the most commonly reported by respondents, and various 2021 security predictions put DDoS attacks at the top of the list for the next 12 months as well.
Don’t expect to end the year without facing a DDoS attack: 89% of respondents said they faced at least one in 2020, so plan on the assumption that your organization will be among them.