Web Application Attack to Breach Ratio Still High
September 06, 2018

In evaluating 316 million incidents, it is clear that attacks against the application are growing in volume and sophistication, and as such, continue to be a major threat to business, according to Security Report for Web Applications (Q2 2018) from tCell.

The majority of web application attacks are the result of overall scanning for vulnerabilities; however, many others are real attempts to compromise a particular target. Last year, tCell reported that the attack to breach ratio for web applications is 1,200 to 1. This report confirms that ratio is still in effect and identified five confirmed cross-site scripting (XSS) breaches. Web application attacks are noisy because hackers are using automated attacks to probe web applications for weak spots. The findings showed that 47 percent of companies were targeted by automated attacks.

"Real world web apps are under constant attack. For security operations teams, finding the successful attack amidst all the noise is like finding a needle in a haystack of needles," said Michael Feiertag, CEO of tCell. "Improving visibility and reducing the resource strain that these attacks put on the system are the reasons why companies are deploying runtime application self-protection technology."

tCell found that XSS, SQL injection, automated threats, file path traversals and command injection were the most common types of security attacks. These differ from the 2017 OWASP (Open Web Application Security Project) Top 10 list of web application threats and security flaws. The main reason for this difference is that tCell protects applications in-production that reside in the AWS, Azure and Google cloud environments. This provides a unique perspective on application security in production and the nature of the attacks themselves.

In looking at Common Vulnerabilities and Exposures (CVEs), tCell found that 90 percent of active applications use libraries with a known CVE -- 30 percent used a library with a critical CVE. Patching a critical CVE took an average of 34 days, only four days faster than the average time to patch overall regardless of severity. This demonstrates an overall improvement in time to remediation, which previously could take weeks to months, and the ability of organizations to track the business criticality of the application, understand the severity of the vulnerability and prioritize production security issues.

As interconnectivity of businesses and applications grow, the attack surface area is also growing through the use of APIs. tCell found that this represents a critical blind spot to security and operation teams. On average, each application had 2,900 orphaned routes or exposed API endpoints without a current business function. In fact, 92 percent of all routes and API endpoints are orphaned.

tCell protects web applications at runtime by installing an agent on the application server and browser. When looking at browser-based attacks such as XSS, clickjacking and cryptomining, 0.31 percent of users' browsers were infected with malware. To protect systems from cryptomining and the resulting drain on computing resources, it is essential to block the initial attack. Eliminating the ability to land a XSS attack dramatically decreases the likelihood of a successful cryptomining attempt.

"The frequency of web application threats makes it difficult for organizations to keep their web application firewalls running effectively and impact their ability to implement updates to security systems," added Feiertag. "The rapid growth of DevOps, containerization, microservices and cloud deployments have made it more essential to secure apps in production, yet simultaneously more difficult to do so. It is imperative that secure coding practices become a critical part of the larger landscape in order to stop vulnerabilities at the source, but even more important is the ability to protect these applications once they have moved out of the testing environment and into production."

The Latest

November 15, 2018

Serverless infrastructure environments are set to become the dominant paradigm for enterprise technology deployments, according to a new report — Why the Fuss About Serverless? — released by Leading Edge Forum ...

November 14, 2018

What to automate? Which parts of the delivery process are good candidates? Which applications will benefit from automation? At first, those sound like silly questions. Automate all your repetitive processes. If you think that you'll do the same thing manually more than once, automate it. Why would you waste your creative potential and knowledge by doing things that are much better done by scripts? Yet, an average company does not adhere to that logic. Why is that? ...

November 13, 2018

I'd love to see more security automation deeply integrated into the development process. Everybody knows since the 1990s that security as an afterthought just doesn't work, yet we keep doing it. The reason, I think, is because it's very hard to automate security ...

November 09, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 5, the final installment, covers deployment and production ...

November 08, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 4 is all about security ...

November 07, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 3 covers the development environment and the infrastructure ...

November 06, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 2 covers the coding process ...

November 05, 2018

Everyone talks about automating the software development lifecycle (SDLC) but the first question should be: What should you automate? With this question in mind, DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 1 starts with by-far the most popular recommendation: Testing ...

October 31, 2018

Halloween is a time for all things spooky, but not when it comes to your mobile app experience. A poor experience can not only scare off your customers but keep them away for good ...

October 30, 2018

As organizations have embraced open source, they have become polyglot — using multiple programming languages and technology stacks to accomplish software and hardware related tasks. Enterprises are caught between the benefits provided by a polyglot environment and the complexities and challenges these environments bring. Ultimately, if the situation remains unchecked, polyglot will kill your enterprise ...

Share this