Every year, Web-based attacks are among the most popular attack vector against enterprise data.
Of course, the layer of the technology stack where attackers focus their attention changes over time. When viruses and malware were spread by disk, exploitation was primarily aimed at the operating system layers. That changed as systems became connected, and enterprises rapidly networked their campuses. Attackers followed suit and moved to the network layer to find ways to exploit.
But for much longer than a decade now, Web applications have been one of, if not the, primary target of external attackers.
This shouldn’t come as a surprise to those who have been paying attention to attack trends. But according to a recently released report, many enterprises have actually not been paying attention to attacks aimed at the Web-application layer.
The Ponemon Institute report (sponsored by F5 Networks) Application Security in the Changing Risk Landscape shows that while respondents believe that Web app attacks are more severe, enterprises lack the visibility to understand what is actually happening within their apps. That’s according to the 605 IT and IT security practitioners in the United States who were questioned.
Here are some of the highlights from the study:
Lack of visibility in the application layer is the main barrier to achieving a strong application security posture. Other significant barriers are created by migration to the cloud (47% of respondents), lack of skilled or expert personnel (45% of respondents) and proliferation of mobile devices (43% of respondents).
The frequency and severity of attacks on the application layer is considered greater than at the network layer. Fifty percent of respondents (29% + 21%) say the application is attacked more and 58% of respondents (33% + 21%) say attacks are more severe than at the network layer. In the past 12 months, the most common security incidents due to insecure applications were: SQL injections (29%), DDoS (25%) and Web fraud (21%).
Network security is better funded than application security. On average, 18% of the IT security budget is dedicated to application security. More than double that amount (an average of 39%) is allocated to network security. As a consequence, only 35% of respondents say their organizations have ample resources to detect vulnerabilities in applications, and 30% of respondents say they have enough resources to remediate vulnerabilities in applications.
Accountability for the security of applications is in a state of flux. Fifty-six percent of respondents believe accountability for application security is shifting from IT to the end user or application owner. However, at this time, responsibility for ensuring the security of applications is dispersed throughout the organization. While 21% of respondents say the CIO or CTO is accountable, another 20% of respondents say no one person or department is responsible. Twenty percent of respondents say business units are accountable and 19% of respondents say the head of application development is accountable.
Considering the above, it should come as no surprise that the 2016 Verizon Data Breach Investigation Report found that attackers had great success launching attacks against Web applications last year. In fact, greater success than any other attack vector for the year.
What’s the takeaway? The takeaway is that it’s time for more enterprises to make the effort to gain visibility into their Web applications and secure them, whether that’s gathering more insight from their logs or installing a Web application firewall (and actually keeping it well tuned). In addition, enterprises need to spend more time putting Web apps through security and quality testing and ensuring hosted apps are properly patched.
Enterprises that don’t follow this advice are going to continue to have their Web applications breached.