Web Application Security in a Digitally Connected World

By Nikhil Taneja | Managing Director-India, SAARC & Middle East

Global organizations stand on a cyber-security precipice. Emerging technologies such as blockchain, artificial intelligence (AI) and the Internet of Things (IoT), along with the explosive volume of mobile, Web and cloud apps, create uncharted, highly lucrative pathways to revenue generation, optimized productivity and enhanced brand value. At the same time, the speed and sophistication inherent in these technological advances expose application vulnerabilities, security risks and skills deficiencies. These compromise sensitive company and customer data, devalue the brand and severely impact financial performance.

The conundrum for any organization is how to take the leap toward these new technologies, which help break down the barriers to consumer engagement and deliver substantial economic reward, while successfully protecting corporate assets, intellectual property (IP) and personal customer information.

The recent Ponemon Research study surveyed over 600 chief information security officers (CISOs) and other security leaders across six continents. The intent was to uncover the challenges that these new technologies and rapid-fire application deployments are presenting, ascertain how organizations in different industries identified application-layer and API vulnerabilities, measure the impact that bots are having on organizations, learn how companies combat application-layer attacks (like those listed in the OWASP Top 10, 2017) and construct a security road map for today and tomorrow.

Key Findings

  • Sixty-eight percent of organizations admit low confidence in their information security posture. They also admit they can’t assure 24/7/365 availability, and about two-thirds (68%) have not yet integrated security into their DevOps.
  • Forty-five percent report they suffered a data breach, while 52% do not inspect traffic being transferred to and from APIs. Fifty-six percent do not have the ability to track data once it leaves the company.
  • Bot traffic represents more than half (52%) of Internet traffic, exceeding 75% of the total traffic among some organizations. Forty-nine percent of all bot traffic is bad bots, yet 33% of organizations cannot distinguish between good and bad bots.
  • API security is often overlooked. While 60% both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc., 52% don’t inspect the data that is being transferred via APIs and 51% don’t perform any security audits or analyze API vulnerabilities prior to integration.
  • Application-layer DDoS is a greater fear than network-level DDoS assaults. Only 33% feel confident they can mitigate application-layer attacks, compared to 50% who feel confident they can protect against network-layer DDoS attacks.
  • Seven out of ten businesses (72%) are not fully aware of the frequent changes made to in-house applications and APIs within their organizations’ software development environment.
  • Forty percent of respondents claim their organization updates applications at least once per week, posing a great challenge for organizations.
  • Everyone wants the speed and agility that continuous delivery provides, but few feel they can achieve it securely. Half (49%) currently use the continuous delivery of application services and another 21% plan to adopt it within the next 12-24 months. However, 62% reckon it increases the attack surface and approximately half say that they don’t integrate security into their continuous delivery process.
  • About 68% of organizations are not confident they will be ready to meet General Data Protection Regulation (GDPR) compliance requirements in time.

CONUNDRUM #1: The Confidence Crisis: Protecting Applications Against Data Theft and Bot Attacks

As new technologies materialize at an accelerated pace, many security professionals face the unprecedented challenge of mitigating a wide swath of threats and attacks that often are byproducts of the evolving IT landscape. Existing security strategies, plans and measures may not measure up to quickly developed malware, floods and other threats. The result is a “crisis of confidence” that can overwhelm skills, deplete budget and resources, chip away at brand equity and fracture customer/partner relationships.

The recent Equifax breach exposed over 145 million individuals and their personal information because of a Web application vulnerability. While there may have been governance and accountability plans in place, there may have been other measures, such as a Web Application Firewall (WAF), which could have mitigated such a massive attack had it been updated properly against known vulnerabilities. A simple question may have been: did the company have the confidence that it could protect against a probable attack, or was false confidence in the “impossibility” of such an attack its strategic approach?

Bot Attacks:
Automated attack programs, such as ‘bad’ bots, are the main force behind the majority of the attack landscape today. In fact, bots conduct more than half of all Internet traffic flow. For some organizations, bots represent more than 75% of their total traffic. This is a significant finding considering that one in three (33%) organizations cannot distinguish between good bots and bad ones. Good bots serve critical functions, ranging from price aggregators to customer service chat bots and search engine spiders. However, for every good bot in the world, there is a bad bot wreaking havoc.

Bots make traditional attack vectors more effective, faster and larger than anything humans can accomplish on their own.

Data Leakage: The greatest fear

  • Forty-five percent of respondents report that they suffered a data breach, including 45% in the financial services sector, 45% in retail and 46% in healthcare.
  • More than 60% are not confident that they can quickly detect application-layer attacks, including 59% in financial services, 67% in retail and 67% in healthcare.
  • More than 60% are not confident that their organizations are protected against application-layer attacks, including 52% in financial services, 61% in retail and 63% in healthcare.
  • More than 70% are not confident their organization can protect itself against an application-layer DDoS attack, including 66% in financial services, 68% in retail and 70% in healthcare.
  • Nearly 60% of respondents do not track sensitive data they share with third parties once the data leaves the corporate network.

CONUNDRUM #2: The Continuous Delivery Security Challenge

Organizations are looking for ways to optimize the deployment of application services. Many try to fully automate the cycle of application development, QA, testing, modifying and deploying to staging and then to the production environment, in what is known as continuous delivery. A successful continuous delivery implementation can yield a competitive edge and save operational expenses. For some of the more dynamic application services, the fast pace is critical, as they are required to deploy multiple versions into production per day. The challenge, on the other hand, is to ensure adequate application security throughout the process, as almost two-thirds (62%) believe it increases the attack surface.

Research shows that continuous delivery is a high priority for many organizations, with half of respondents currently using this approach and another 20% planning to do so within the next two years. Because continuous delivery requires accelerating the pace of application development, changes, fixes, etc., there are inherent exposure points that hamper risk and threat mitigation. Even with sustainable and secure methodologies and processes in place, the exponential growth in digital touch points (Web, cloud, mobile), coupled with applications being developed by both IT and lines of business, may result in major security schisms that spell disaster unless automated code reviews and security practices are in place. This is especially problematic when business lines do not implement automated testing tools and protocols.

Research also indicates that security executives and other experts understand the impact continuous delivery is having on their organizations. While 62% believe continuous delivery increases the attack surface, risks and vulnerabilities, only 25% are confident that security is integrated with the continuous delivery of in-house, Web or cloud applications.

CONUNDRUM #3: GDPR Preparedness Effect

Organizations around the world that do business in or with the European Union (EU) need to meet stricter data privacy laws, with the GDPR having taken effect in May 2018. Any organization that offers goods or services to EU residents, monitors their behavior, or processes or handles personal data of EU residents is affected by this law. Those who do not abide by the regulation will be subject to hefty fines. This is a particular challenge for large multinational corporations that do business in the EU, as well as companies that are headquartered there.

Research shows that over 25% expect to change their processes significantly due to GDPR, while more than half expect to make just some changes. Retailers and financial services enterprises may face the most hurdles regarding GDPR: over 60% of retailers and nearly 50% of financial services firms currently collect customer data for profiling and personalized marketing, yet only 17% of each group states they will be in compliance with GDPR by the effective date.