Application Security: Counter new attack surfaces with APIs

Today, applications are found in the most diverse IT environments, from the data center to the smartphone, and their number is inexorably increasing. The increase in remote work has also meant that more and more applications have to be outsourced to the cloud. […]

Dr. Klaus Gheri, General Manager Network Security at Barracuda (c) Barracuda

As a result, potential risks with regard to application security have increased even more. Understanding the different threat vectors is therefore essential for companies to be able to adequately protect their applications.

Without a doubt, bots have long been a source of threat to applications and are now at the top of the list of successful attack methods. Moreover, since many breaches are caused by human error, it is more important than ever to ensure that no gaps in defense are left open.

However, security teams shouldn’t just focus on bots. Zero-day threats, vulnerabilities in web applications, the software supply chain and APIs (Application Programming Interfaces) are also relevant areas to which security experts should pay just as much attention.

Recent research data from Barracuda shows that of 750 global companies, 72 percent have suffered at least one security breach from an application vulnerability in the last year, with nearly 40 percent reporting more than one breach.

New attack surfaces for applications through APIs

More and more companies are moving to “API-first” development, as APIs significantly accelerate the development of new application versions. However, expanding the visibility of these applications creates a whole new attack surface.

For example, cashing a check used to take a bank several days to verify the origin account and related details until the money finally arrived at the recipient’s account. Today, money is often transferred through an application on the smartphone. Carrying out this one transaction requires a large amount of IT in the background, and this must be protected.

No people are involved in checking the B2B endpoints; everything is handled through APIs, which are a potential attack surface. This is because APIs inherently expose the user’s application logic, credentials and tokens, and all kinds of personal information, all at cloud speed and from the user’s smartphone. An API-based application is much more exposed than a traditional web-based application because it is deliberately used to provide direct access to sensitive data.

For example, when users scroll through Facebook or check the live ticker for their stock portfolio in their banking app, their phones interact with the servers in their data centers via APIs. While scrolling, these APIs constantly authenticate via large alphanumeric strings, and this traffic needs to be inspected and backed up in real time. Here it is not possible to wait, as in the above-mentioned check example, until a contact person comes back from the lunch break to check whether it is a legitimate request.

Protection for applications and APIs

Companies are increasingly relying on APIs, but they’re having a hard time keeping up with security. Cybercriminals are ready with bots to jump on unsecured APIs, 24/7. If an attack is successful, hackers have access to customer data or employee information, which they can compromise at will. There are many examples of test APIs with direct access to production data being deployed without any safeguards (such as Facebook’s 2018 security breach). While protecting APIs is challenging, an encouraging finding from the Barracuda study shows that 75 percent of companies surveyed are aware of the risks.

Defending APIs is currently one of the most important security considerations. Therefore, organizations should consider a comprehensive, scalable, and easy-to-deploy platform to protect their applications wherever they are. A Web Application Firewall (WAF) with Active Threat Intelligence is the best manageable solution to protect applications and APIs from the above threats. Defending against zero-day threats, bots, DDoS attacks, supply chain compromise, credential stuffing, as well as implementing client-side security and protecting against malicious insiders should be on the agenda for companies to avoid security breaches caused by application vulnerabilities.

* Klaus Gheri is General Manager Network Security at Barracuda.
