Web Application Attack to Breach Ratio Still High
September 06, 2018

In evaluating 316 million incidents, it is clear that attacks against the application are growing in volume and sophistication, and as such, continue to be a major threat to business, according to Security Report for Web Applications (Q2 2018) from tCell.

The majority of web application attacks are the result of overall scanning for vulnerabilities; however, many others are real attempts to compromise a particular target. Last year, tCell reported that the attack to breach ratio for web applications is 1,200 to 1. This report confirms that ratio is still in effect and identified five confirmed cross-site scripting (XSS) breaches. Web application attacks are noisy because hackers are using automated attacks to probe web applications for weak spots. The findings showed that 47 percent of companies were targeted by automated attacks.

"Real world web apps are under constant attack. For security operations teams, finding the successful attack amidst all the noise is like finding a needle in a haystack of needles," said Michael Feiertag, CEO of tCell. "Improving visibility and reducing the resource strain that these attacks put on the system are the reasons why companies are deploying runtime application self-protection technology."

tCell found that XSS, SQL injection, automated threats, file path traversals and command injection were the most common types of security attacks. These differ from the 2017 OWASP (Open Web Application Security Project) Top 10 list of web application threats and security flaws. The main reason for this difference is that tCell protects applications in-production that reside in the AWS, Azure and Google cloud environments. This provides a unique perspective on application security in production and the nature of the attacks themselves.

In looking at Common Vulnerabilities and Exposures (CVEs), tCell found that 90 percent of active applications use libraries with a known CVE -- 30 percent used a library with a critical CVE. Patching a critical CVE took an average of 34 days, only four days faster than the average time to patch overall regardless of severity. This demonstrates an overall improvement in time to remediation, which previously could take weeks to months, and the ability of organizations to track the business criticality of the application, understand the severity of the vulnerability and prioritize production security issues.

As interconnectivity of businesses and applications grow, the attack surface area is also growing through the use of APIs. tCell found that this represents a critical blind spot to security and operation teams. On average, each application had 2,900 orphaned routes or exposed API endpoints without a current business function. In fact, 92 percent of all routes and API endpoints are orphaned.

tCell protects web applications at runtime by installing an agent on the application server and browser. When looking at browser-based attacks such as XSS, clickjacking and cryptomining, 0.31 percent of users' browsers were infected with malware. To protect systems from cryptomining and the resulting drain on computing resources, it is essential to block the initial attack. Eliminating the ability to land a XSS attack dramatically decreases the likelihood of a successful cryptomining attempt.

"The frequency of web application threats makes it difficult for organizations to keep their web application firewalls running effectively and impact their ability to implement updates to security systems," added Feiertag. "The rapid growth of DevOps, containerization, microservices and cloud deployments have made it more essential to secure apps in production, yet simultaneously more difficult to do so. It is imperative that secure coding practices become a critical part of the larger landscape in order to stop vulnerabilities at the source, but even more important is the ability to protect these applications once they have moved out of the testing environment and into production."

Share this

Industry News

June 27, 2022

Delinea announced the latest release of DevOps Secrets Vault.

June 27, 2022

Jit announced a $38.5 million seed funding round and launched a free beta version which automates product security.

June 27, 2022

Platform.sh raised $140 million in Series D funding.

June 23, 2022

Akana by Perforce now offers BlazeMeter to customers, previously a solution with Broadcom Layer7.

June 23, 2022

Coder announced the release of a new open source project that gives developers and data scientists a consistent, secure, yet flexible way to create cloud workspaces in minutes.

June 23, 2022

GitGuardian is announcing a series of new features to address developer experience in securing the software development lifecycle.

June 22, 2022

OctoML released a major platform expansion to accelerate the development of AI-powered applications by eliminating bottlenecks in machine learning deployment.

June 22, 2022

Snow Software announced new functionality and integrations for Snow Atlas, a purpose-built platform that provides a framework to accelerate data-driven technology decision-making.

June 22, 2022

Traefik Labs launched Traefik Hub, a new cloud service that eliminates the complexity of management and automation of Kubernetes and Docker networking at scale.

June 21, 2022

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the new Open Programmable Infrastructure (OPI) Project.

June 21, 2022

Docker announced the acquisition of Atomist, a company founded to improve developer productivity and keep cloud native applications safe.

June 21, 2022

SmartBear released BitBar, an all-in-one web and native mobile app testing solution.

June 16, 2022

Armory announced general availability of Armory Continuous Deployment-as-a-Service.

June 16, 2022

Infragistics announced the launch of App Builder On-Prem.

June 16, 2022

LambdaTest launched Test-at-Scale (TAS), a test intelligence and observability platform, to help development teams with shift-left testing.