Web Application Security Trends
There was hardly a quiet moment in web application security last year. There was no end of noise over alleged and confirmed hacking episodes, and enterprises, startups, and digital empires alike were dragged into controversy, largely because of the impact those incidents had on the lives of their customers.
So what does the coming year have in store for businesses? Was 2015 just a prologue of what is coming? Indusface Research brings you the top expected web application security trends for this year.
Data or transaction compromises will pull the bad press
There is no way to control, manipulate, or stop the flow of information in a connected world. Customers are getting smarter about their choices and know what and whom to trust. That does not mean they do not want to do business online; they simply seek safer choices that they feel confident in.
“Security strategy will shift from responding to preventing. New age businesses will have to balance security with the pace of their growth.”
Ashish Tandon, CHAIRMAN AND CEO, INDUSFACE.
There was a time in the 90s when selling something online was a long shot; fast-forward to 2015, and customers happily spent $1,471 billion online. Clearly, people will keep purchasing over the internet one way or another as long as they feel safe with the seller, and managing threats is how a seller earns that confidence.
Ashley Madison lost its CEO after its breach, followed by a series of critical internal posts. TalkTalk's stock dropped 10% when news of its hack broke. The lesson is clear: companies cannot bury data breaches anymore. Australia is already considering mandatory data breach disclosure for companies turning over more than $3 million, a trend that other countries are expected to pick up.
Web application security on the cloud will be essential
Web applications are the backbone of new-age companies. They create and customize applications for every kind of business operation, from enabling a better shopping experience to making payments easier, and the cloud is a large part of that process. Two statistics support this:
- 82% of enterprises had a hybrid cloud strategy for their applications in 2015. It was 74% in 2014.
- More and more companies want to try out the cloud. In 2015, AWS adoption stood at 57% and Azure at 12%.
These figures tell us that cloud adoption is increasing and that AWS, which also has the stronger set of security partners, holds the larger market share. That is hardly surprising: with better dependability, resource availability, and cost-efficiency, companies prefer the cloud to build and host their applications.
However, the pace of progress is not necessarily matched by security precautions. With frequent application changes on top of cloud infrastructure, the risk of a security lapse is much greater. Unfortunately, most companies still do not look beyond the basic controls that come with the cloud infrastructure. The provider secures the infrastructure; the application running on it, its code, its configuration, and its traffic, remains the customer's responsibility, and they need to take the initiative for web application security in the cloud.
More attacks on Personally Identifiable Information (PII)
What is the problem if hackers get their hands on a few email addresses and passwords? What can they possibly do with names and addresses? While it might not look like much in pieces, Personally Identifiable Information (PII) is a growing underground market. Attackers build entire portfolios from whatever information they can gather on a person and use them for identity fraud: fake shopping orders, stealing more information, changing passwords, and laying the ground for larger attacks in the future.
Here is how these attacks work. In one data breach, hackers get hold of the name, phone number, and email address of a customer, call him Frank. That is not financially threatening on its own. In a separate incident, at another company, by another group of hackers, Frank's credit card details leak. On their own those are of limited use as well, at least where the issuer enforces PIN or OTP verification on transactions.
Once these pieces are on sale in the underground market, they are joined on the attributes they share, such as an email address or phone number, into what is enough of a picture to steal from. That is the level of sophistication in attacks today, and that is why customers are not comfortable with any level of privacy breach. Companies that respect this and convey their security status to customers are more likely to earn trust and grow.
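The linking step described above, as an added example that is not part of the original article: three constructed breach dumps (fictional data, each with its own column names and formatting) are normalised and merged into profiles wherever records share an email address or phone number. The dump names, column mappings, and the category table are assumptions for the illustration. The same record-linkage logic is what a defender can use to estimate how exposed a customer population is once a new dump appears.

```python
import re
from collections import defaultdict

# Constructed sample dumps (not real data). Each represents a different fictional
# breach with its own column names and formatting, which is the normal state of
# underground data and the reason normalisation comes before linking.
BREACH_A = ("retailer_2015", [
    {"name": "Frank Miller", "phone": "+1 (415) 555-0142", "email": "Frank.Miller@Example.com"},
    {"name": "Dana Ortiz", "phone": "415-555-0199", "email": "dana@example.net"},
])
BREACH_B = ("payment_site", [
    {"mail": "frank.miller@example.com", "card_last4": "4242", "card_exp": "09/27"},
    {"mail": "nobody@example.org", "card_last4": "1111", "card_exp": "01/26"},
])
BREACH_C = ("forum_dump", [
    {"tel": "14155550142", "dob": "1981-03-09"},
])

FIELD_MAP = {"mail": "email", "tel": "phone"}   # per-dump column names -> canonical names
CATEGORIES = {                                  # what a merged profile becomes usable for
    "contact": {"email", "phone"},
    "identity": {"name", "dob"},
    "financial": {"card_last4", "card_exp"},
}

def norm_email(value):
    return value.strip().lower()

def norm_phone(value):
    """Keep digits only; assume US numbers and prepend the country code to 10-digit values."""
    digits = re.sub(r"\D", "", value)
    return "1" + digits if len(digits) == 10 else digits

def canonical(record):
    """Rename columns to canonical names and normalise the two linking attributes."""
    out = {}
    for key, value in record.items():
        key = FIELD_MAP.get(key, key)
        if key == "email":
            value = norm_email(value)
        elif key == "phone":
            value = norm_phone(value)
        out[key] = value
    return out

def link_records(dumps):
    """Merge records that share a normalised email or phone into one profile.

    Returns a list of profiles; each maps an attribute to the set of values seen
    for it, plus a "sources" set naming the dumps that contributed.
    """
    profiles = {}   # profile id -> {attribute: set of values}
    index = {}      # (attribute, value) -> profile id, for the linking attributes only
    next_id = 0
    for source, records in dumps:
        for record in records:
            rec = canonical(record)
            keys = {(k, rec[k]) for k in ("email", "phone") if k in rec}
            hits = {index[k] for k in keys if k in index}
            if hits:
                pid = min(hits)
                # A record matching several profiles bridges them: fold the rest into pid.
                for other in hits - {pid}:
                    for attr, values in profiles.pop(other).items():
                        profiles[pid][attr] |= values
                    for k in [k for k, v in index.items() if v == other]:
                        index[k] = pid
            else:
                pid, next_id = next_id, next_id + 1
                profiles[pid] = defaultdict(set)
            for attr, value in rec.items():
                profiles[pid][attr].add(value)
            profiles[pid]["sources"].add(source)
            for k in keys:
                index[k] = pid
    return list(profiles.values())

def fraud_categories(profile):
    """Which categories of data the merged profile now covers, sorted by name."""
    return sorted(c for c, attrs in CATEGORIES.items() if set(profile) & attrs)

if __name__ == "__main__":
    for profile in link_records([BREACH_A, BREACH_B, BREACH_C]):
        print(sorted(profile["sources"]), fraud_categories(profile), dict(profile))
```

Frank's three records, none of which is dangerous alone, end up in one profile covering contact, identity, and financial data; the dumps that contained only his phone number or only his email address are what make the join possible.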
Application layer distributed denial-of-service (DDoS) will continue as an epidemic
For attackers, rival companies, and disgruntled employees, nothing comes easier than a DDoS attack. They can rent a botnet to flood a specific website with traffic until it goes down. If you still think DDoS is not that serious, the numbers say otherwise.
- Over 2000 DDoS attacks happen daily.
- About a third of website downtime is due to DDoS attacks.
- For as little as $150, you can buy a DDoS attack that lasts 7 days.
“Application layer DDoS is one of the major risks that digital businesses face today. They cannot afford to investigate and fix issues after a shutdown of a service happens.”
Venkatesh Sundar, CHIEF TECHNOLOGY OFFICER, INDUSFACE.
When something is that easy, everyone does it. And since applications are critical to key business processes, blocking such zombie requests in time becomes mandatory. Protection gets even harder with application-layer attacks that bring an application down at relatively low request rates: a handful of clients hammering an expensive endpoint such as search, login, or checkout never look like a traffic flood, so request volume alone is a poor signal, and the attack pattern is harder to spot early and block.
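The low-rate case from the paragraph above, as an added example that is not part of the original article: a small detector run over constructed access-log lines. A plain per-client rate limit flags the volumetric flood but waves the slow attacker through; weighting each client by the server time its requests consume catches the dozen expensive searches as well. The log format (nginx combined format with the request time appended), the thresholds, and the client addresses are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (an operator's choice, not tied to any product on this page):
# nginx "combined" with $request_time appended, i.e.
#   log_format timed '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent $request_time';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rtime>[\d.]+)$'
)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["rtime"] = float(rec["rtime"])
    return rec

def detect(lines, window_s=60, max_rps=1.0, max_busy=0.25):
    """Return {client_ip: set of reasons}.

    "rate" fires on request volume alone, the classic rate limit.
    "busy" fires when one client's requests consume more than max_busy of a single
    worker's time within a window; that is what catches a low-rate attack on an
    expensive endpoint, which a pure rate limit waves through.
    """
    stats = defaultdict(lambda: {"n": 0, "busy": 0.0})   # keyed by (ip, window bucket)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["ts"].timestamp()) // window_s
        s = stats[(rec["ip"], bucket)]
        s["n"] += 1
        s["busy"] += rec["rtime"]
    flagged = defaultdict(set)
    for (ip, _bucket), s in stats.items():
        if s["n"] / window_s > max_rps:
            flagged[ip].add("rate")
        if s["busy"] / window_s > max_busy:
            flagged[ip].add("busy")
    return dict(flagged)

def make_log():
    """Constructed sample traffic for one 60-second window (not real logs)."""
    t0 = datetime(2015, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, t, path, rtime):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 {rtime:.3f}'

    lines = []
    for i in range(40):     # a normal client: cheap static files, 2 ms each
        lines.append(line("198.51.100.7", t0 + timedelta(seconds=i), f"/static/img{i}.png", 0.002))
    for i in range(120):    # a volumetric flood: 2 requests/s of cheap pages
        lines.append(line("192.0.2.9", t0 + timedelta(seconds=i / 2), "/", 0.010))
    for i in range(12):     # the low-rate attack: one expensive wildcard search every 5 s, 2.5 s each
        lines.append(line("203.0.113.5", t0 + timedelta(seconds=5 * i), "/search?q=%25%25", 2.5))
    return lines

if __name__ == "__main__":
    for ip, reasons in detect(make_log()).items():
        print(ip, sorted(reasons))
```

The slow client sends 12 requests a minute, a fifth of the rate limit, yet occupies a worker for half of every minute; a few dozen such clients exhaust a worker pool without ever producing a traffic spike, which is why the "busy" signal (or, in production, per-endpoint latency and error rate) has to sit next to the rate counter.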
Half Secured Is Half Not
Dependence on traditional ways of securing applications has to evolve in the coming months. Organizations will have to evaluate their web application risks more proactively to ensure complete protection. Technology that only finds problems, or only blocks them, is insufficient on its own.
Indusface suggests Total Application Security moving ahead this year. A security cycle of detect-protect-monitor is mandatory, for the following reasons:
- Detection with web application scanning finds the vulnerabilities already present in the application. Since applications change frequently, they should be scanned frequently or continuously.
- Protection with a web application firewall (WAF) ensures that accurate virtual patching blocks attacks. It goes hand in hand with detection: as new issues are found, the WAF can be updated to block attacks exploiting those issues too, buying time until the code itself is fixed.
- Monitoring is an integral part of the whole process. When vulnerability, attack, and traffic data are put together, they not only make detection and protection better but also confirm the accuracy of the whole process.
In a nutshell, detect, protect, and monitor cannot succeed as standalone security technologies. These three processes have to be tuned and synchronized to complement each other, as they are in Total Application Security.
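The detect-protect-monitor loop above, as an added example that is not part of the original article or of any Indusface product: constructed scanner findings are turned into positive-model virtual patches, a minimal WAF applies them to constructed requests, and a monitor counts what each rule blocks so the data can feed back into triage. The finding format, the rule shape, the endpoints, and the traffic are all assumptions for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Detect: constructed scanner findings. The dict shape is an assumption, not any scanner's
# real report format. "expected" is the legitimate shape of the parameter, which comes from
# the developer or the scan context, not from the attack payload.
FINDINGS = [
    {"id": "F-1", "path": "/item", "param": "id", "type": "SQL injection", "expected": r"[0-9]{1,10}"},
    {"id": "F-2", "path": "/search", "param": "q", "type": "Reflected XSS", "expected": r"[\w .-]{0,100}"},
]

# Constructed traffic: legitimate requests mixed with textbook probes (not real captures).
REQUESTS = [
    ("GET", "/item?id=42", ""),
    ("GET", "/item?id=42%20OR%201%3D1", ""),
    ("GET", "/item?id=42+UNION+SELECT+password+FROM+users", ""),
    ("GET", "/search?q=running+shoes", ""),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("POST", "/item", "id=7"),
    ("POST", "/item", "id=7%20OR%201%3D1"),
]

def virtual_patches(findings):
    """Protect: one positive-model rule per finding. Allowlisting the expected shape of the
    vulnerable parameter holds up better than blocklisting attack strings, which get encoded around."""
    return [{"rule": f["id"], "path": f["path"], "param": f["param"],
             "allow": re.compile(f["expected"])} for f in findings]

def inspect(rules, method, url, body=""):
    """WAF decision for one request: ("allow", None) or ("block", rule_id)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if method == "POST":
        params.update(parse_qsl(body, keep_blank_values=True))   # form-encoded bodies only
    for r in rules:
        if parts.path == r["path"] and r["param"] in params:
            if not r["allow"].fullmatch(params[r["param"]]):     # fullmatch: no partial matches
                return "block", r["rule"]
    return "allow", None

class Monitor:
    """Monitor: count blocks per rule and keep a sample payload per rule, so the data can feed
    triage (which finding is actually being attacked) and rule tuning (spotting false positives)."""
    def __init__(self):
        self.blocks = Counter()
        self.samples = {}

    def record(self, rule_id, payload):
        self.blocks[rule_id] += 1
        self.samples.setdefault(rule_id, payload)

def prioritize(monitor, findings):
    """Feed monitoring back into detection: order findings by observed attack attempts so the
    permanent code fix goes to the issue that is actually under fire."""
    return [f["id"] for f in sorted(findings, key=lambda f: -monitor.blocks[f["id"]])]

def run(findings, requests):
    rules = virtual_patches(findings)
    monitor = Monitor()
    decisions = []
    for method, url, body in requests:
        verdict, rule_id = inspect(rules, method, url, body)
        if verdict == "block":
            monitor.record(rule_id, body if method == "POST" else url)
        decisions.append(verdict)
    return decisions, monitor

if __name__ == "__main__":
    decisions, monitor = run(FINDINGS, REQUESTS)
    print(decisions)
    print(dict(monitor.blocks), prioritize(monitor, FINDINGS))
```

The virtual patch is a stopgap, not the fix: the rule blocks exploitation of the reported parameter only, and the monitor's counts and sample payloads are what tell you both which finding to fix first and whether a rule is too tight and is blocking legitimate values, which is the tuning loop the text describes.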