As web apps and APIs widen the attack surface, security teams struggle to keep up

Latest State of Application Security report from web security firm Cloudflare reveals the size of the challenge.

Web apps and application programming interfaces (APIs) are increasingly central to modern life, but dependency on them is widening the attack surface as security teams struggle to keep pace with the risks. That’s the conclusion reached by web security firm Cloudflare in its latest report, State of Application Security 2024.

The firm serves an average of 57 million HTTP requests a second, and uses the insights gained to produce the report. Findings included:

  • Distributed denial-of-service attacks made up 37.1% of attacks against web applications, making them the number one type of attack against web apps.
  • Enterprise organizations on average use 47.1 third-party scripts and their web apps make an average 49.6 outbound connections to third-party resources.
  • Enterprise websites use an average 11.5 HTTP cookies.
  • A third (31.2%) of all traffic stems from bots, 93% of which are malicious.
  • The largest attack observed peaked at 201 million requests per second.
  • One zero-day vulnerability was subject to an exploitation attempt just 22 minutes after its proof-of-concept was published.
  • Most traditional firewall negative security model approaches provide insufficient protection against modern threats.

DDoS attacks continue to increase in number and volume, with notable recent incidents including attacks on independent media in Hungary, attacks on Swiss websites during the WEF forum in Davos, the takedown of French state services by Russian hackers, and a 466% increase in such attacks on Sweden after that country joined NATO.

The report notes an “increasing efficiency” in DDoS attacks, with many cyber crime groups offering DDoS-as-a-service at a price of as little as $10 for a one-hour attack.

Bot traffic

Manufacturing and consumer goods sites were subject to 68.5% of all bot traffic, with one particularly prevalent problem being hoarding bots buying up online inventory before humans get a chance to purchase, thus damaging brand trust.

Use of third-party scripts is widespread, because it avoids the need to build all new app features in-house. But when third-party software dependencies are loaded client-side, organizations can be placed at risk because they have no direct control over security measures. The report emphasizes that: “While third-party scripts and cookies are here to stay, web application owners are increasingly responsible for the risk these scripts can expose their end users to – not to mention the compliance and liability implications.”

The report also found that “many organizations lack accurate API inventories,” and that “organizations had 33% more public-facing API endpoints than they knew about.” This meant that “nearly a third of APIs are ‘shadow APIs’ – and may not be properly inventoried and secured.”

Negative security model

And, says Cloudflare: “Traditional WAF negative security model approaches may be unable to detect all attack traffic directed at APIs, especially API-specific attacks like endpoint enumeration or authentication hijacking. Any WAF used to protect API endpoints should have modern API-specific capabilities that can enforce a positive security model.”
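The difference between the two models, and why the shadow-API finding above matters for it, can be shown in a few lines. The following is an added illustration, not code from Cloudflare or the report: a toy negative model blocks only requests carrying a known-bad signature, while a toy positive model admits only requests that match an inventoried route, method and parameter schema, and records every other endpoint it sees as a candidate shadow API. All routes, signatures and sample requests are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed inventory ("positive model"): the only endpoints this API is meant to
# expose, each with its allowed method and a value pattern per permitted query parameter.
KNOWN_ROUTES = [
    ("GET", re.compile(r"/api/v1/users/\d{1,10}"), {"fields": re.compile(r"[a-z_,]{1,64}")}),
    ("POST", re.compile(r"/api/v1/orders"), {}),
]

# Constructed blocklist ("negative model"): two classic payload signatures and nothing else.
ATTACK_SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script")]

def negative_model(method, url):
    """Pass everything except requests matching a known-bad signature."""
    decoded = unquote(url)
    return not any(sig.search(decoded) for sig in ATTACK_SIGNATURES)

def positive_model(method, url, unknown_endpoints):
    """Pass only requests that fit an inventoried route; record anything else."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for allowed_method, path_pattern, allowed_params in KNOWN_ROUTES:
        if not path_pattern.fullmatch(parts.path):
            continue
        if method != allowed_method:
            return False, "method not allowed for this route"
        for name, values in query.items():
            if name not in allowed_params:
                return False, f"unexpected query parameter: {name}"
            if any(not allowed_params[name].fullmatch(v) for v in values):
                return False, f"value of {name} does not match schema"
        return True, "matches inventoried route"
    # No inventoried route matched: either an enumeration probe or a real endpoint
    # the team never documented. Either way the defender wants to know about it.
    unknown_endpoints.add((method, parts.path))
    return False, "endpoint not in inventory"

def evaluate(requests):
    """Run both models over (method, url) pairs; return verdicts and unknown endpoints."""
    unknown, results = set(), []
    for method, url in requests:
        neg = negative_model(method, url)
        pos, reason = positive_model(method, url, unknown)
        results.append((method, url, neg, pos, reason))
    return results, unknown

# Constructed sample traffic: two legitimate calls, one signature-bearing probe,
# and three requests to routes or methods that are not in the inventory.
SAMPLE = [
    ("GET", "/api/v1/users/42?fields=name"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/users/42?fields=name%20UNION%20SELECT%201"),
    ("GET", "/api/v1/admin"),
    ("GET", "/api/v2/users/42"),
    ("DELETE", "/api/v1/orders"),
]
```

Running `evaluate(SAMPLE)` shows the negative model passing the last three requests because nothing in them looks like a payload, while the positive model rejects all three and lists `/api/v1/admin` and `/api/v2/users/42` as endpoints that are missing from the inventory.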

The report concludes that “the complexity of securing an organization’s applications and APIs from new risks continues to grow,” and that “the broad nature of web application and API threats requires specialized approaches to stop specialized attacks.”