A Ponemon survey, conducted as part of F5 Lab’s wider 2018 Application Protection Report, has found that businesses worldwide are struggling to understand, optimise and protect their ever-expanding application environments.
“Applications have always been the Achilles’ heel of organisations. Today, almost every company, organisation or government uses web, mobile and IoT applications to process business-critical data, including PII, financial and health records, and even election data. Attackers don’t need to run sophisticated APTs leveraging chained exploitation of 0-days to get into internal networks anymore,” comments High-Tech Bridge‘s CEO, Ilia Kolochenko.
‘DDoS is the most painful attack’
“It may be sufficient to use a trivial SQL injection on a forgotten subdomain to get access to the main database of a company or governmental agency. Meanwhile, unprotected cloud storage, such as Amazon S3 buckets, is a new gold mine for cybercriminals.”
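The “unprotected S3 bucket” case above is usually a bucket policy (or ACL) that grants access to an anonymous principal. The following is an added example, not code from the article or from High-Tech Bridge, that checks a bucket policy document offline for such grants. The policies, bucket names and account ID are constructed for illustration.

```python
import json

# Constructed sample bucket policies for hypothetical buckets; not real AWS data.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone, authenticated or not
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::forgotten-backups-bucket/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::internal-records-bucket/*",
        },
        {   # A Deny with Principal "*" is not a grant and must not be flagged.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::internal-records-bucket",
                         "arn:aws:s3:::internal-records-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True if the Principal element grants to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy_json):
    """Return [(sid, actions, conditioned)] for every Allow whose principal is anonymous.

    conditioned=False is an unconditional public grant (the unprotected-bucket case).
    conditioned=True means a Condition block narrows the grant; it still needs review,
    because conditions such as aws:SecureTransport restrict how, not who.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])),
                         bool(stmt.get("Condition"))))
    return findings


def is_public(policy_json):
    """Treat the bucket as public if any anonymous Allow carries no Condition."""
    return any(not conditioned for _, _, conditioned in public_grants(policy_json))


if __name__ == "__main__":
    for name, policy in (("forgotten-backups-bucket", PUBLIC_READ_POLICY),
                         ("internal-records-bucket", RESTRICTED_POLICY)):
        print(name, "PUBLIC" if is_public(policy) else "restricted", public_grants(policy))
```

The bucket policy is only one exposure path: object and bucket ACLs and the account-level Block Public Access settings decide the final answer, so in practice this check is run alongside those, not instead of them.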
The survey revealed that DDoS is the most painful attack method for organisations. Breach of confidential data came second with 7%, followed closely by application tampering and the loss of personally identifiable information of customers, consumers and employees.
“Worse, in light of the overall complexity of cybersecurity management and a shortage of qualified personnel, most of the companies fail to detect such incidents in a timely manner. Shadow and legacy applications also pose a huge problem, exacerbating the risks,” Kolochenko continues.
“At High-Tech Bridge, we see that over 80% of large organisations and companies are not aware of at least one vulnerable application that contains, or provides access to, critical business data including trade secrets, intellectual property and customer records. Another problem is that even a teen can exploit most of the web application vulnerabilities. Today, one can easily make money without any advanced skills or substantial efforts by exploiting the negligence and forgetfulness of IT teams, leaving application doors open.”
Furthermore, the lack of skilled or expert security personnel was cited as a main barrier in the F5 Ponemon security survey. According to the survey, this shortage will only get worse for application defenders.
Continuous security monitoring
With the average organisation using 765 different web applications, the outsourcing of application security is expected to grow, whether that means security functions such as anti-DDoS or web application security monitoring or moving to hosted platforms that provide security services as part of their offering. Outsourcing will require matching your specific security requirements to the outsourcer’s capabilities, focus, and experience in application security.
“Application security strategy should start with holistic and comprehensive application discovery and inventory. You cannot protect what you don’t know. Once you have all your applications identified, try to reduce the external attackable surface as much as practical: remove applications from the Internet if there is no need to access them from the outside, or alternatively add 2FA and strong authentication. This will eliminate the vast majority of application risks,” adds Kolochenko.
Kolochenko also notes that, for the remaining apps, teams should use continuous security monitoring and testing with agile remediation, keeping in mind that in 2018 application security is a 24/7 process, not a quarterly web application scan for the sake of PCI compliance.
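The discovery step that Kolochenko describes, and the “forgotten subdomain” and shadow-application problem raised earlier in the article, come down to comparing what is actually published to the Internet against what the organisation believes it runs. The following is an added example, not code from the article or from High-Tech Bridge: it parses a constructed DNS zone excerpt for a hypothetical domain, lists every host that resolves, and flags both hosts absent from the approved inventory (shadow applications) and inventoried hosts that are exposed although they no longer need external access. Domain, addresses and inventory entries are all invented for illustration.

```python
import re

# Constructed zone-file excerpt for a hypothetical domain; not real DNS data.
ZONE = """\
$ORIGIN example.com.
@            IN  A      203.0.113.10
www          IN  A      203.0.113.10
api          IN  A      203.0.113.20
staging-api  IN  CNAME  api
old-portal   IN  A      198.51.100.7
dev-wiki     IN  A      198.51.100.9
_dmarc       IN  TXT    "v=DMARC1; p=reject"
@            IN  MX     10 mx.example.com.
"""

# Approved application inventory (constructed): FQDN -> whether external access is still required.
INVENTORY = {
    "example.com": True,
    "www.example.com": True,
    "api.example.com": True,
    "old-portal.example.com": False,   # legacy app, meant to be reachable only internally
}

# Only address-bearing records expose an application endpoint; TXT, MX and friends are skipped.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>A|AAAA|CNAME)\s+(?P<target>\S+)"
)


def exposed_hosts(zone_text):
    """Return the set of FQDNs for which the zone publishes an A, AAAA or CNAME record."""
    origin = "."
    hosts = set()
    for line in zone_text.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if name == "@":                      # zone apex
            fqdn = origin.rstrip(".")
        elif name.endswith("."):             # already fully qualified
            fqdn = name.rstrip(".")
        else:                                # relative to $ORIGIN
            fqdn = f"{name}.{origin.rstrip('.')}"
        hosts.add(fqdn)
    return hosts


def triage(zone_text, inventory):
    """Split published hosts into shadow (unknown to the inventory) and over-exposed
    (inventoried but marked as not needing external access)."""
    exposed = exposed_hosts(zone_text)
    shadow = sorted(h for h in exposed if h not in inventory)
    over_exposed = sorted(h for h in exposed if h in inventory and not inventory[h])
    return shadow, over_exposed


if __name__ == "__main__":
    shadow, over_exposed = triage(ZONE, INVENTORY)
    print("Shadow hosts (not in inventory):", shadow)
    print("Inventoried but should not be Internet-facing:", over_exposed)
```

A zone export is a convenient first source because it is authoritative for what the organisation itself publishes; in practice the same comparison is fed from several sources (DNS provider exports, certificate transparency logs, cloud asset APIs) and re-run on a schedule, which is the continuous part of the process the article calls for.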
Written by Leah Alger