Tushar Richabadas, Senior Product Marketing Manager – Applications and Cloud Security at Barracuda elaborates to Security MEA on their ‘The state of application security in 2021’ survey.
Elaborate on the most important finding in ‘The state of application security in 2021’ survey.
The most important finding of the Barracuda report was that about 72% of the organisations surveyed had been breached more than once because of their web applications. This is a truly significant number, which leads us to ask why they are getting breached so frequently.
In our efforts to uncover this, we found that today, there are many more attack vectors being exploited in application breaches. Going a step further, we also asked which vectors have led to successful breaches. The results are quite interesting, as the top vector is now bot attacks. Traditionally, the biggest attack vector has been vulnerabilities in applications (things like the OWASP Top 10 vulnerabilities, which include injection attacks, cross-site scripting, broken authentication, and so on). These are still prevalent, and responsible for 41% of breaches. Software supply chain attacks such as Magecart ranked 3rd in our report, being the cause of 39% of breaches. API vulnerabilities, in their various forms, now account for 31% of data breaches.
So, while just a short time ago, most of the breaches exploited traditional vulnerabilities, now you have a variety of new attack vectors. This is probably at least in part due to the changes that have taken place as a result of the pandemic.
How can organisations best avoid the application vulnerabilities that led to successful breaches in the past year?
The traditional approach of comprehensive defence, which includes a fully configured Web Application Firewall (WAF), still holds good for traditional web vulnerabilities. There are nearly no alternatives to proper patching of vulnerabilities, combined with well-thought-out security in layers to protect applications.
However, with bot attacks and API attacks, organisations need to look for solutions that can specifically protect and defend against these types of attacks. A standard firewall or WAF will not be able to provide complete defence against these attacks, and specialist solutions, which I shall soon describe, are required.
What is your take on bot attacks and how to keep them at bay?
The modern bot is built to evade detection and behave in an almost human manner while exploiting various vulnerabilities in the application. You can have everything from account takeover/credential stuffing attacks to web/price scraping bots. So, a bot protection solution is required, and one that is capable of detecting these attacks with a high percentage of accuracy and therefore success.
For example, we’ve seen that a range of bots utilise low-and-slow techniques to get past the typical rate-based defences against web scraping. We also see the same thing with application DDoS and credential stuffing bots.
Keeping bots at bay requires a bot mitigation solution that uses machine learning and crowd-sourced intelligence from the field to identify and block the most advanced bots. This is something that we offer with Barracuda Advanced Bot Protection, where we use cloud-based machine learning and inputs from our Threat Intelligence network to identify and block bots with ease.
Elaborate on the top three application security challenges.
The top three AppSec challenges that we’ve identified are bots, API security, and supply chain attacks.
API security is an interesting one, because APIs are now being used everywhere, without most people even realising it. Any mobile app uses APIs in the background to function. The problem is that APIs typically have direct access to the backend, and by exploiting that, attackers can wreak quite a bit of havoc with under-protected APIs. We’ve seen a number of attacks or vulnerabilities against major organisations like T-Mobile, Uber, and Airtel over the last few years, and this is just going to get more serious over the next couple of years.
Supply chain attacks are typically not detectable by a WAF; they happen in the browser when it loads a third-party script that is compromised. The compromised script can then be used to cause a lot of damage, typically by stealing Personally Identifiable Information (PII) and banking data. These compromises are getting more and more sophisticated and difficult to detect. A good example is the Baka skimmer that was discovered by Visa, which went to a lot of trouble to hide any traces of itself and to avoid being detected by typical scanning tools.
According to the survey, what are the security solutions decision makers plan to deploy in the next 12 months to protect against top threats?
Bot protection, API gateways, and supply chain attack protections are the top solutions being deployed by our respondents. This shows the actual impact of these types of attacks and the havoc they have been causing over the last few years.
API gateways may not always be used as a security solution, but given the context of our survey, we have seen that many organisations are looking at them to secure APIs.
One thing that this question shows is the fragmentation of security for applications: there are a lot of point-defence solutions that need to be stitched together to get complete application security. This has had the undesirable consequence of overloading security teams.
This is why we built Barracuda Cloud Application Protection, a platform that provides comprehensive, powerful application security that is easy to use and protects applications everywhere. It is built as a platform to provide security against web, API, bot, and supply chain attacks and more, providing defenders with a single solution against multiple application attack vectors.