Web Application Attack to Breach Ratio Still High
September 06, 2018

In evaluating 316 million incidents, it is clear that attacks against the application are growing in volume and sophistication, and as such, continue to be a major threat to business, according to Security Report for Web Applications (Q2 2018) from tCell.

The majority of web application attacks are the result of overall scanning for vulnerabilities; however, many others are real attempts to compromise a particular target. Last year, tCell reported that the attack to breach ratio for web applications is 1,200 to 1. This report confirms that ratio is still in effect and identified five confirmed cross-site scripting (XSS) breaches. Web application attacks are noisy because hackers are using automated attacks to probe web applications for weak spots. The findings showed that 47 percent of companies were targeted by automated attacks.

"Real world web apps are under constant attack. For security operations teams, finding the successful attack amidst all the noise is like finding a needle in a haystack of needles," said Michael Feiertag, CEO of tCell. "Improving visibility and reducing the resource strain that these attacks put on the system are the reasons why companies are deploying runtime application self-protection technology."

tCell found that XSS, SQL injection, automated threats, file path traversals and command injection were the most common types of security attacks. These differ from the 2017 OWASP (Open Web Application Security Project) Top 10 list of web application threats and security flaws. The main reason for this difference is that tCell protects applications in-production that reside in the AWS, Azure and Google cloud environments. This provides a unique perspective on application security in production and the nature of the attacks themselves.

In looking at Common Vulnerabilities and Exposures (CVEs), tCell found that 90 percent of active applications use libraries with a known CVE -- 30 percent used a library with a critical CVE. Patching a critical CVE took an average of 34 days, only four days faster than the average time to patch overall regardless of severity. This demonstrates an overall improvement in time to remediation, which previously could take weeks to months, and the ability of organizations to track the business criticality of the application, understand the severity of the vulnerability and prioritize production security issues.

As interconnectivity of businesses and applications grow, the attack surface area is also growing through the use of APIs. tCell found that this represents a critical blind spot to security and operation teams. On average, each application had 2,900 orphaned routes or exposed API endpoints without a current business function. In fact, 92 percent of all routes and API endpoints are orphaned.

tCell protects web applications at runtime by installing an agent on the application server and browser. When looking at browser-based attacks such as XSS, clickjacking and cryptomining, 0.31 percent of users' browsers were infected with malware. To protect systems from cryptomining and the resulting drain on computing resources, it is essential to block the initial attack. Eliminating the ability to land a XSS attack dramatically decreases the likelihood of a successful cryptomining attempt.

"The frequency of web application threats makes it difficult for organizations to keep their web application firewalls running effectively and impact their ability to implement updates to security systems," added Feiertag. "The rapid growth of DevOps, containerization, microservices and cloud deployments have made it more essential to secure apps in production, yet simultaneously more difficult to do so. It is imperative that secure coding practices become a critical part of the larger landscape in order to stop vulnerabilities at the source, but even more important is the ability to protect these applications once they have moved out of the testing environment and into production."

Share this

Industry News

December 05, 2019

Parasoft announced the newest release of Parasoft C/C++test, the unified C and C++ development testing solution for enterprise and embedded applications.

December 05, 2019

Datadog announced Security Monitoring, a new product that enables real-time threat detection across the entire stack and deeper collaboration between security, developers, and operations teams.

December 05, 2019

Pulumi announced the availability of Pulumi Crosswalk for Kubernetes, an open source collection of frameworks, tools and user guides that help developers and operators work better together delivering production workloads using Kubernetes.

December 04, 2019

CloudBees announced a Preview Program for CloudBees CI/CD powered by Jenkins X, a Software as a Service (SaaS) continuous integration and continuous delivery solution running on Google Cloud Platform.

December 04, 2019

Rancher Labs announced the general availability of K3s, their lightweight, certified Kubernetes distribution purpose built for small footprint workloads, along with the beta release of Rio, their new application deployment engine for Kubernetes that delivers a fully integrated deployment experience from operations to pipeline.

December 04, 2019

WhiteSource announced a new integration with Codefresh, the Kubernetes-native CI/CD solution.

December 03, 2019

Styra is addressing one of the most significant enterprise blockers of Kubernetes: compliance. With Styra, enterprises can move Kubernetes clusters into production en masse while complying with traditional governance, audit, and compliance rules and regulations.

December 03, 2019

Nureva added 13 agile-themed templates to Span Workspace, Nureva’s expansive cloud-based digital canvas for visual planning and team collaboration.

December 03, 2019

Threat Stack announced support for AWS Fargate in the Threat Stack Cloud Security Platform.

December 02, 2019

Tricentis announced the publication of Enterprise Continuous Testing: Transforming Testing for Agile and DevOps, written by Tricentis Founder Wolfgang Platz and Cynthia Dunlop.

December 02, 2019

JFrog announced the availability of the popular JFrog Platform subscription package Cloud Pro X on AWS Marketplace.

December 02, 2019

MuleSoft will extend its Anypoint Runtime Fabric to run on Google Cloud.

November 26, 2019

NeuVector announced the immediate availability of its “Security Policy as Code” capability for Kubernetes services.

November 26, 2019

Agile Stacks announced the launch of KubeFlex, a new cloud-native software platform enabling zero-touch Kubernetes deployments in data centers and at the edge.

November 26, 2019

Bacula Systems announced significant enhancements to its backup module for Kubernetes clusters.