The scale and sophistication of cyber attacks have kept businesses on their toes through the entire year. Large-scale data breaches such as the Equifax web server lapse, combined with worldwide scares like WannaCry, have reestablished what we already know: web application security is critical.
Indusface, in its yearly report, is looking back at the data that we collected from over 10,000 applications. Our security analysts have put together the data and highlighted the key lessons so that business owners can look at cybersecurity trends and prepare to deal with them in the year ahead.
The word ‘Botnet’ is a portmanteau of ‘robot’ and ‘network’. Hackers often take control of several devices in a bid to attack web applications through spam generation, DDoS, viruses, and phishing. However, we have noticed that over the years tools like Sentry MBA have helped hackers by supplying a list of proxies to relay the attack, along with input data, and to inject commands into a web application.
Over one week in December 2015, cybercriminals made over 5 million login attempts at a Fortune 100 B2C website using multiple attack groups and hundreds of thousands of proxies located throughout the world.
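The following is an added example, not code from Indusface or from the incident described above. It shows, on constructed login events, why a per-source-address attempt limit stays silent when attempts are relayed through many proxies, while a site-wide failure-ratio check per time window flags the run. The event layout, function names, and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def make_sample():
    """Constructed login events: (timestamp, source_ip, username, success)."""
    base = datetime(2017, 12, 1, 10, 0, 0)
    # Ordinary traffic: 20 users, mostly successful logins.
    events = [(base + timedelta(seconds=10 * i), f"198.51.100.{i}", f"user{i}", i % 10 != 0)
              for i in range(20)]
    # Proxy-relayed run: 300 attempts, each from a different address and
    # against a different account, almost all failing.
    start = base + timedelta(minutes=5)
    events += [(start + timedelta(seconds=i), f"2001:db8::{i + 1:x}", f"acct{i}", i % 100 == 0)
               for i in range(300)]
    return events

def per_ip_offenders(events, limit=10):
    """Naive rule: source addresses with more than `limit` attempts overall."""
    counts = Counter(ip for _, ip, _, _ in events)
    return {ip for ip, n in counts.items() if n > limit}

def detect_distributed(events, window=timedelta(minutes=5), min_attempts=100, min_fail_ratio=0.8):
    """Flag windows where site-wide login failures spike across many sources."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[(ts - EPOCH) // window].append((ip, user, ok))
    alerts = []
    for key in sorted(buckets):
        rows = buckets[key]
        failures = sum(1 for _, _, ok in rows if not ok)
        ratio = failures / len(rows)
        if len(rows) >= min_attempts and ratio >= min_fail_ratio:
            per_ip = Counter(ip for ip, _, _ in rows)
            alerts.append({
                "window_start": EPOCH + key * window,
                "attempts": len(rows),
                "failure_ratio": ratio,
                "distinct_ips": len(per_ip),
                "distinct_users": len({user for _, user, _ in rows}),
                "max_attempts_per_ip": max(per_ip.values()),
            })
    return alerts

if __name__ == "__main__":
    sample = make_sample()
    print("per-IP rule offenders:", per_ip_offenders(sample))
    for alert in detect_distributed(sample):
        print(alert)
```

In production the thresholds would be tuned against the application's normal login failure rate rather than fixed as they are here.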
Our labs have detected an exponential rise in such attacks this year, with more than half of the attacks happening via command injection and 90% of all the attacks coming from bots. It’s a clear pattern that has emerged in 2017: hackers program bots to inject unscrupulous commands. Such attacks will only rise in 2018, and protection against them is paramount.
Our Signature Development team found that, out of 10,000 applications, the average time to fix a vulnerability was 65 days across all sectors. Imagine an attacker with over two months’ time to figure out ways to breach, all while the vulnerability is open to being exploited.
While the BFSI sector is doing marginally better, there is still a lot to cover for web applications across all sectors.
Some security loopholes are exclusive to your business. These are business logic vulnerabilities that arise due to logical flaws in the business function or flow. Since no automated tool will know about your business’ flow, they will not detect these vulnerabilities either.
New-age business applications change frequently. Calculating the security repercussions of these changes isn’t a job for tools alone. Ideally, security testing should combine frequent automated testing with manual penetration testing by security experts who understand cracking methodologies that go far beyond the OWASP Top 10.
Zero-Day attacks exploit undisclosed vulnerabilities that are unknown to application vendors or developers. Simply put, zero-day is a nightmare for security professionals. They cannot protect web applications until developers update the code. The vulnerability is wide open for exploit attempts, and security during the patch development period is what most new-age business CISO/CIOs look for.
Last year, AppTrana WAF instantly protected more than 85% of vulnerabilities from Day 0. None of the 10,000+ applications that we protect had to worry about breaches from this 85% of vulnerabilities even on Day 0. For the remaining vulnerabilities, we created and deployed bespoke rules for protection.
In 2018, as more attackers use robots to look for exploitable applications after the announcement of a vulnerability, we expect CIO/CISOs and developers to look at more scalable and instant options (such as WAF) over traditional code patching.
Efficient application security programs should rapidly detect, resolve, and prevent security threats before they spiral out of control and negatively impact your business. Attackers now have bots at their disposal to disrupt any online service in seconds. Security professionals will have to get smarter in order to identify and prevent such attempts.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various management/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Datacard.