Applications are everywhere, from datacentres to smartphones. Remote working has increased the need for more applications to be exposed to the cloud, and application growth is insatiable. However, applications are regularly breached, so how do you go about protecting them? Understanding what the threat vectors are is an essential first step in getting to grips with AppSec and starting to protect your applications.
Application security has evolved considerably through 2021. Traditionally, it has always been a major consideration for areas potentially exposed to attack. But working from home has rapidly increased this source CIF.
And they are certainly not going away – rather they are growing in capabilities. Add in the fact that 28% of breaches are caused by human error and it is clear that now more than ever we need to make sure no door is left open.
Recent research data shows that out of 750 Global customers, 72% said their organisation had suffered at least one security breach from an application vulnerability in the past year, with nearly 40% experiencing more than one.
Organisations are moving to an API-first development model as APIs make the development of new versions of applications significantly faster. But therein lies another exposure point. Extending the visibility of these applications creates a whole new attack surface. And if you include Single Page Applications, it’s more than enough to keep you on your toes.
There are no humans involved in B2B endpoint checking; it is all done by APIs, and every one of them is an area of potential threat. Why? Think about it: APIs by nature expose the application's logic, the user's credentials and tokens, and all kinds of personal information. All of this happens at cloud speed and is initiated from, and served to, your phone.
An API based application is significantly more exposed than a traditional web-based app because of the deliberate way it is deployed, allowing direct access to a host of sensitive data.
Organisations love APIs but find it hard for security to keep up. Bots are in place, ready to jump on unsecured APIs 24x7. Once there, they have access to customer data or employee information that they can compromise however they see fit.
There are plenty of examples of test APIs being deployed with direct access to production data and absolutely no security in place; Facebook's 2018 breach is a case in point. An encouraging statistic from the research is that 75% say that, whilst APIs present security challenges, they now recognise the risks, which is a positive sign that this area is being taken seriously.
Defending APIs is now a tier one security consideration. It is important to consider a comprehensive, scalable, and easy to deploy platform to protect applications wherever they may reside.
A web application firewall with Active Threat Intelligence is the most manageable way to protect your applications, and in turn your APIs, from the aforementioned threats. Protecting your organisation against zero-day threats, bots, DDoS attacks, supply chain compromise and credential stuffing, adding client-side protection, and protecting internally against malicious employees should all be discussed to avoid joining the 72%.