Concerned about app sec? Not as concerned as you should be


Whenever something grows at an exponential rate, problems are likely to arise. Over the last decade, trends like cloud migration and the growth of DevOps functions have advanced at an incredible pace. These changes have revolutionized digital services, but they have also been accompanied by a staggering rise in cybersecurity risk. In the UK alone, web app attacks have escalated dramatically in recent years, with Imperva Research Labs uncovering a 251% increase since October 2019 and the volume nearly doubling each year. There are many reasons why these attacks are rising, from digital transformation projects rushed through because of the pandemic to a lack of funding for cybersecurity.

About the author

Peter Klimek is Director of Technology, Office of the CTO at Imperva.

Attacking vulnerable apps is one of the most effective paths for hackers to steal information. Last year, Imperva Research Labs found that half of all data breaches started at the web application layer, and that the number of breaches is increasing by 30% annually. Based on this rate of increase, web app vulnerabilities were linked to the theft of an estimated 20 billion records in 2021.

Attack, attack, attack

This tidal wave is overwhelming British businesses, with large-scale data breaches hitting the headlines every day. Already, traditional approaches to security are being exposed as inadequate. For many businesses, software development innovations and cloud adoption are happening so quickly that security teams cannot keep up. As a result, organizations are relying on a sprawling tech stack full of point solutions that do not integrate with one another. As with most growing problems, stemming the flood means fundamentally rethinking the current approach to cybersecurity and adopting a new, 'security by default' model designed to cope with round-the-clock threats.

Imperva Research Labs found that attacks on UK businesses are rising by an average of 22% each quarter. The rate of increase varies between attack types, but every single one was found to increase over the same 21-month period. One representative example is Remote Code Execution (RCE) and Remote File Inclusion (RFI), attacks which allow hackers to steal information, compromise servers, or even take over or modify websites; these have increased by 271% since the start of 2019. RCE/RFI attacks therefore pose huge threats to businesses and to consumers' sensitive data, and can lead to significant problems such as unexpected outages or reputational damage.

One of the most fundamental drivers has been the evolution of application architecture itself. Developments like the rapid proliferation of APIs and the shift to cloud-native computing have accelerated the pace of software development while rendering many traditional security tools virtually useless. As a result, already overstretched security teams are being pulled from pillar to post, trying to fight fires that are emerging from every corner of the business.

Rethinking security

Facing more attacks, businesses need to reassess their cybersecurity requirements from top to bottom. For example, while the Web Application Firewall (WAF) remains an essential centerpiece of an application security strategy, it has to be buttressed with newer controls that can catch complex attacks a traditional WAF might miss. That is why organizations are investing in a Web Application and API Protection (WAAP) stack.

WAAP serves as an evolved WAF and includes a cohesive suite of cloud-based services created to safeguard vulnerable APIs and web applications, meaning it can handle the more complex and varied application security threats that businesses face today -- from DDoS and bot attacks to Account Takeover attempts. Not only can WAAP help protect against more advanced threats but, as more organizations adopt a multi-cloud strategy, having a WAAP that can operate across multiple cloud environments allows companies to have the flexibility they need while not sacrificing effective security controls.

A second key component of bolstering security defenses is adding Runtime Application Self-Protection (RASP), which protects apps from the inside out. Because RASP instruments the application itself and evaluates inputs with grammar-based techniques, parsing what a payload would mean to the interpreter, database or lookup engine that receives it rather than matching known-bad strings, it can guard against zero-day attacks, such as the remote code execution vulnerabilities recently discovered in the popular Log4j2 library, as well as security risks from third-party dependencies, in a way that signature-based defenses cannot and that patching cannot until a fix exists and has actually been deployed. This means that DevOps teams can have reliable protection against the OWASP Top 10 vulnerabilities without slowing down pushing new code into production.

The warning signs are clear - web app and API attacks are growing at an astonishing rate, both in volume and variety. It’s impossible to predict where the next novel attack is coming from, but there is no doubt that they are coming. Therefore organizations need to take steps today to avoid being caught out in the future, by investing in security solutions that can deliver comprehensive protection while not compromising on speed and agility.

