There was not a single quiet moment in web application security last year. There was so much noise over alleged and confirmed hacking episodes. Enterprises, startups, and digital empires were dragged into controversies, largely because of the impact those incidents had on the lives of customers.
So now, what does the coming year have in store for businesses? Was 2015 just a prologue of what is coming? Indusface Research brings you the top expected web application security trends for this year.
There is no way to control, manipulate or stop information in a connected world. Customers are getting smarter about their choices and know what and when to trust. It doesn’t mean that they do not want to do business online; they simply seek safer choices that they can feel confident in.
“Security strategy will shift from responding to preventing. New-age businesses will have to balance security with the pace of their growth.”
Ashish Tandon, CHAIRMAN AND CEO, INDUSFACE.
There was a time in the 90s when selling something online was a long shot; fast-forward to 2015, and customers happily spent $1,471 billion online. It’s clear that people will keep purchasing over the internet one way or another as long as they feel safe with the seller. Managing threats is the best way of achieving that.
Ashley Madison had to fire its CEO, followed by a series of critical internal posts. TalkTalk stock tanked by 10% when the hacking news broke. It’s clear: companies cannot bury data breaches anymore. In fact, Australia is already considering mandatory data breach disclosure for companies turning over more than $3 million, a trend that other countries are expected to pick up.
Web applications are the backbone of new-age companies. They create and customize applications to perform every kind of business operation, from enabling a better shopping experience to making payments easier. Cloud is a huge part of the process. Here are two statistics to support that.
These figures tell us that cloud adoption is increasing and that AWS (with better security partners) has a larger market share. It’s kind of obvious: with more dependability, resource availability, and cost-efficiency, companies prefer the cloud to build and host their applications.
However, the pace of progress is not necessarily matched by security precautions. With frequent application changes and cloud infrastructure, the risk of security lapses is much greater. Unfortunately, most companies still do not explore advanced security options beyond the basic cloud infrastructure. They need to take the initiative and responsibility for web application security in the cloud.
What’s the problem if hackers get their hands on some email addresses and passwords? What can they possibly do with names and addresses? While it might not look like much in pieces, Personally Identifiable Information (PII) is a growing underground market. Attackers build entire profiles from whatever information they can get on a person and use them for identity fraud. These attacks include fake shopping orders, stealing more information, changing passwords, and laying the ground for larger attacks in the future.
Here’s how these attacks work. In one data breach, hackers get hold of the name, phone number and email address of Frank. At this level it’s definitely not financially threatening. Now in another hacking incident, at another company, by another group of hackers, Frank’s credit card details leak out. Again, they cannot do anything with them without passing the PIN and OTP verification.
Now, when these pieces of information are put up for sale in the underground market, they are stitched together into what looks like enough information to steal with. That is the level of sophistication in attacks today, and that is why customers are not comfortable with any level of privacy breach. Companies that respect this and convey their security status to customers are more likely to earn trust and grow.
For attackers, rival companies and disgruntled employees, nothing comes easier than DDoS attacks. They can always hire bots to flood a specific website with traffic until it crashes. If you still think that DDoS is not that serious, we have some stats to prove otherwise.
“Application layer DDoS is one of the major risks that digital businesses face today. They cannot afford to investigate and fix issues after a shutdown of a service happens.”
Venkatesh Sundar, CHIEF TECHNOLOGY OFFICER, INDUSFACE.
When it’s that easy, everyone does it. And when applications are critical to key business processes, it becomes mandatory to block such zombie requests at the right time. Protection gets even harder with certain types of attacks that can bring applications down at relatively low traffic rates, which also makes it harder to spot the attack pattern early and block it.
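The point about low-rate attacks is that a request counter alone misses them. The following detector, added here as an illustration and not part of Indusface’s products or the original article, reads access-log lines in the combined format with the server’s request time appended (as nginx’s `$request_time` produces) and scores each client in a fixed window by two measures: requests per second, which catches a plain volume flood, and the fraction of the window the server spent serving that client, which catches a handful of requests aimed at an expensive endpoint. All IPs, paths and log lines are constructed sample data; the thresholds are assumptions to be tuned per application.

```python
"""Score web clients for application-layer flood behaviour from access-log lines.

Added example (not Indusface code). Log format assumed: Apache/nginx combined
log with the request service time (seconds) appended as the last field.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rtime>\d+\.\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
        "rtime": float(m["rtime"]),
    }


def score_clients(lines, window_s=10, max_rps=5.0, max_busy_fraction=0.5):
    """Return {ip: [reasons]} for clients that exceed a threshold in any window.

    max_rps: requests per second above which a client is a volume flood.
    max_busy_fraction: share of the window's wall-clock time the server spent
        on this client (sum of request times / window length). A client sending
        few requests that each take seconds is flagged here, not by max_rps.
    Thresholds are assumed values for illustration.
    """
    counts = defaultdict(int)
    busy = defaultdict(float)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        bucket = int(ev["ts"].timestamp()) // window_s
        key = (ev["ip"], bucket)
        counts[key] += 1
        busy[key] += ev["rtime"]

    flagged = defaultdict(list)
    for (ip, _bucket), n in counts.items():
        rps = n / window_s
        busy_fraction = busy[(ip, _bucket)] / window_s
        if rps > max_rps:
            flagged[ip].append(f"volume: {rps:.1f} req/s")
        if busy_fraction > max_busy_fraction:
            flagged[ip].append(
                f"server time: {busy_fraction:.0%} of window busy on {n} requests"
            )
    return dict(flagged)


def make_lines(ip, path, count, rtime, span_s=10):
    """Constructed log lines: `count` requests from `ip` spread evenly over `span_s` seconds."""
    lines = []
    for i in range(count):
        sec = (i * span_s) // count
        lines.append(
            f'{ip} - - [10/Jan/2016:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 {rtime:.3f}'
        )
    return lines


# Constructed sample: one ordinary visitor, one high-rate flood of cheap
# requests, and one low-rate flood of expensive search requests.
SAMPLE_LOG = (
    make_lines("192.0.2.10", "/products", 3, 0.05)
    + make_lines("198.51.100.7", "/", 60, 0.010)
    + make_lines("203.0.113.4", "/search?q=x", 4, 2.0)
)

if __name__ == "__main__":
    for ip, reasons in score_clients(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample data the 60-request client is flagged by rate alone, while the client sending only four requests in ten seconds is flagged because those requests kept the server busy for 80% of the window; the ordinary visitor trips neither check. Busy fraction is measured against wall-clock time, so with several workers a single client can exceed 100%; the threshold is a starting point to be set from the application’s normal per-client service time, and the flagged list is input for rate limiting or a WAF rule rather than an automatic block on its own.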
Dependence on traditional ways of securing applications has to evolve in the coming months. Organizations will have to evaluate their web application risks more proactively to ensure complete protection. Technology that simply finds problems or simply blocks them is insufficient to begin with.
Indusface recommends Total Application Security for the year ahead. A security cycle of detect-protect-monitor is mandatory for the following reasons:
In a nutshell, detect, protect and monitor cannot succeed as standalone security technologies. These three processes have to be tuned and synchronized to complement each other, as they do in Total Application Security.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to initial customers with a proven, validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.