By Indusface Research Team
There was not a single quiet moment in web application security last year. There was so much noise over alleged and confirmed hacking episodes. Enterprises, startups, and digital empires were dragged into controversies, largely because of the impact those incidents had on the lives of customers.
So what does the coming year have in store for businesses? Was 2015 just a prologue of what is coming? Indusface Research brings you the top expected trends for application security this year.
Data or transaction compromises will pull bad press
There is no way to control, manipulate or stop information in a connected world. Customers are getting smarter about their choices and know what and when to trust. It doesn’t mean that they do not want to do business online; they simply seek safer choices that they feel confident with.
“Security strategy will shift from responding to preventing. New age businesses will have to balance security with the pace of their growth.”
Ashish Tandon, CHAIRMAN AND CEO, INDUSFACE.
There was a time in the 90s when selling something online was a long shot; fast-forward to 2015, and customers happily spent $1,471 billion online. It’s clear that people will be purchasing over the internet one way or another as long as they feel safe with the seller. Managing threats is the best way of achieving that.
Ashley Madison had to fire its CEO, followed by a series of critical internal posts. TalkTalk stock tanked by 10% when the hacking news broke. It’s clear: companies cannot bury data breaches anymore. In fact, Australia is already considering mandatory data breach disclosures for companies turning over more than $3 million, a trend that other countries are expected to pick up.
Application security on the cloud will be essential
Web applications are the backbone of new-age companies. They create and customize applications to perform every kind of business operation, from enabling a better shopping experience to making payments easier. The cloud is a huge part of the process. Here are two statistics to support that.
- 82% of enterprises had a hybrid cloud strategy for their applications in 2015, up from 74% in 2014.
- More and more companies want to try out the cloud. In 2015, cloud adoption was 57% for AWS and 12% for Azure.
These figures tell us that cloud adoption is increasing and that AWS (with better security partners) has the larger market share. It’s kind of obvious: with more dependability, resource availability, and cost efficiency, companies prefer the cloud to build and host their applications.
However, the pace of progress is not necessarily matched by security precautions. With frequent changes and cloud infrastructure, the risk of security lapses is much greater. Unfortunately, most still do not explore advanced security options beyond the basic cloud infrastructure. They need to take the initiative and responsibility for web application security in the cloud.
More attacks on Personally Identifiable Information (PII)
What’s the problem if hackers get their hands on some email addresses and passwords? What can they possibly do with names and addresses? While it might not look like much in pieces, Personally Identifiable Information (PII) is a growing underground market. Attackers create entire portfolios with whatever information they can get on a person and use it for identity fraud. These attacks include fake shopping orders, stealing more information, changing passwords, and creating the ground for larger attacks in the future.
Here’s how these attacks work. In one data breach, hackers get their hands on Frank’s name, phone number and email address. It’s definitely not financially threatening at this level. Now in another hacking incident, at another company, by another group of hackers, Frank’s credit card details go out. Again, they cannot do anything with them without the secured PIN and OTP verification.
Now when these pieces of information are out in the underground market for sale, they are stitched together into what looks like enough information to steal. That is the level of sophistication in attacks, and that is why customers today are not comfortable with any level of privacy breach. Companies respecting this and conveying their security status to customers are more likely to garner trust and grow.
Application layer distributed denial-of-service (DDoS) will continue as an epidemic
For attackers, rival companies and disgruntled employees, nothing comes easier than DDoS attacks. They can always hire bots to flood a specific website with traffic until it crashes. If you still think that DDoS is not that serious, we have some stats to prove otherwise.
- Over 2000 DDoS attacks happen daily.
- About 33% of the time, websites are down due to DDoS attacks.
- For just $150, you can buy a DDoS attack that will last for 7 days.
“Application layer DDoS is one of the major risks that digital businesses face today. They cannot afford to investigate and fix issues after a shutdown of a service happens.”
Venkatesh Sundar, CHIEF TECHNOLOGY OFFICER, INDUSFACE.
When it’s easier, everyone does it. Since applications are critical to key business processes, it becomes mandatory to block such zombie requests at the right time. Protection gets even harder with certain types of attacks that can bring applications down even at relatively low traffic rates, which also makes it difficult to spot the attack pattern early and block it.
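The low-rate case above is why request counts alone miss application-layer floods. The following is an added illustration, not Indusface code: it weights each request by the (assumed, illustrative) back-end cost of its path and flags clients whose cumulative cost is high even when their request count is lower than that of normal browsers. The log lines, cost weights and threshold are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample of combined-style access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2016:10:00:01 +0000] "GET /search?q=a*&page=1 HTTP/1.1" 200 5120
10.0.0.5 - - [10/Jan/2016:10:00:04 +0000] "GET /search?q=b*&page=9 HTTP/1.1" 200 5011
10.0.0.5 - - [10/Jan/2016:10:00:07 +0000] "GET /report/export?range=all HTTP/1.1" 200 90331
10.0.0.5 - - [10/Jan/2016:10:00:10 +0000] "GET /search?q=c*&page=42 HTTP/1.1" 200 4990
10.0.0.9 - - [10/Jan/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 1200
10.0.0.9 - - [10/Jan/2016:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 8800
10.0.0.9 - - [10/Jan/2016:10:00:05 +0000] "GET /product/17 HTTP/1.1" 200 3300
10.0.0.9 - - [10/Jan/2016:10:00:06 +0000] "GET /static/style.css HTTP/1.1" 200 900
10.0.0.9 - - [10/Jan/2016:10:00:08 +0000] "GET /search?q=shoes HTTP/1.1" 200 5100
10.0.0.9 - - [10/Jan/2016:10:00:09 +0000] "GET /product/19 HTTP/1.1" 200 3100
"""

# ip, method, path, status, bytes from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')

# Assumed per-request "cost" by path prefix: search and export hit the
# database or generate files. Illustrative weights, not measured values.
COST = {"/search": 10, "/report/export": 40}
DEFAULT_COST = 1


def request_cost(path):
    """Cost weight for a path (query string already stripped)."""
    for prefix, weight in COST.items():
        if path.startswith(prefix):
            return weight
    return DEFAULT_COST


def profile_clients(log_text):
    """Return {ip: (request_count, total_cost)} from raw log text."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ip, path = m.group(1), m.group(3).split("?", 1)[0]
        stats[ip][0] += 1
        stats[ip][1] += request_cost(path)
    return {ip: tuple(v) for ip, v in stats.items()}


def suspicious_clients(log_text, max_cost=50):
    """Clients whose cumulative cost exceeds max_cost, regardless of request count."""
    profile = profile_clients(log_text)
    return sorted(ip for ip, (_, cost) in profile.items() if cost > max_cost)
```

In the sample, 10.0.0.5 sends fewer requests than 10.0.0.9 but is the only client flagged, which is the pattern a plain per-IP rate limit would not catch.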
Half Secured Is Half Not
Dependency on traditional ways to secure applications has to evolve in the coming months. Organizations will have to evaluate their web application risks more proactively to ensure complete protection. Technology that simply finds problems or blocks them is insufficient to begin with.
“Automated security tools need to be augmented with continuous traffic analysis to detect new trends in attack patterns and to come up with remediation actions. New age companies often lack time or required expertise to focus on these security aspects.”
Raj Marripalli, HEAD, PRODUCT MANAGEMENT & MARKETING.
Indusface suggests Total Application Security moving ahead in this year. A security cycle of detect-protect-monitor is mandatory for the following reasons:
- Detection with web application scanning finds out existing vulnerabilities in the application framework. Since applications change frequently, they should be scanned frequently or continuously.
- Protection with a web application firewall (WAF) ensures that accurate virtual patching blocks attacks. It goes hand in hand with detection too. As new issues are found, the WAF can be updated to block attacks exploiting those issues as well.
- Monitoring is an integral part of the whole process. When vulnerability, attack, and traffic data are put together, it not only makes detection and protection better but also ensures the accuracy of the whole process.
In a nutshell, detect, protect and monitor cannot succeed as standalone security technologies. These three processes have to be tuned and synchronized to complement each other, as they do in Total Application Security.
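The feedback between the three steps is easier to see in code. This is an added sketch, not Indusface product code: scanner findings (constructed) become WAF virtual-patch rules, the rules are applied to a constructed traffic sample, and the monitoring step reports both blocks per rule and suspicious payloads on paths no finding covers, which are the candidates for the next scan. The finding format and the detection regexes are assumptions for the illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed scanner output: (path, parameter, finding type).
FINDINGS = [("/item", "id", "sqli"), ("/comment", "text", "xss")]

# Generic per-type patterns; a real virtual patch is tuned to the exact finding.
PATTERNS = {"sqli": re.compile(r"(?i)('|\bor\b\s+\d|union\s+select)"),
            "xss": re.compile(r"(?i)(<script|onerror=|javascript:)")}


def virtual_patches(findings):
    """Protect: turn each finding into a (path, param, regex) WAF rule."""
    return [(path, param, PATTERNS[kind]) for path, param, kind in findings]


def inspect(url, patches):
    """Return the matching (path, param) rule, or None if the request passes."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for path, param, rx in patches:
        if parts.path == path and any(rx.search(v) for v in params.get(param, [])):
            return (path, param)
    return None


def monitor(urls, patches):
    """Monitor: blocks per rule, plus suspicious payloads on unpatched paths."""
    blocked, unpatched = Counter(), Counter()
    for url in urls:
        hit = inspect(url, patches)
        if hit:
            blocked[hit] += 1
            continue
        parts = urlsplit(url)
        values = (v for vals in parse_qs(parts.query).values() for v in vals)
        if any(rx.search(v) for v in values for rx in PATTERNS.values()):
            unpatched[parts.path] += 1  # feed back into the next detection run
    return blocked, unpatched


# Constructed traffic sample (request targets only).
TRAFFIC = ["/item?id=42", "/item?id=1' OR 1=1--", "/comment?text=hello",
           "/comment?text=<script>x</script>", "/profile?name=<script>y</script>",
           "/item?id=7 union select 1,2"]
```

The unpatched counter is the monitoring-to-detection link the text describes: traffic shows attackers probing /profile, which the scanner had not flagged.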