THE STATE OF WEB APPLICATION SECURITY
RADWARE 2018 STATE OF APPLICATION SECURITY RESEARCH

Global organizations face constantly evolving threats but feel optimistic about their ability to manage attacks despite contradictory evidence.

Table of Contents
Executive Summary 04
The State of Application Security 06
The Threat Landscape 07
The Issue with Denial of Service 09
Conflicting Outlooks 10
Why the Discrepancy? 11
Impact of Attacks 14
Protecting Sensitive Data 16
Data Collection and Sharing Practices 17
Discovering Data Breaches 18
The Issue with APIs 20
Bots: Friend and Foe 22
Bot Traffic in the Network 23
Determining Real Users vs. Bots 23
The Issue with Web Scraping 24
Business Implications Are Significant 24
Securing Applications Across the Network Ecosystem 26
Application Protection Strategies 27
The Dynamic Application Environment 28
Cloud Provider Trust Factor 29
Summary and Recommendations 30
About the Research 32
About Radware 32

To compete more effectively, companies are examining how best to manage and secure applications and data. As the complexity of cloud and on-premises networks increases, new vulnerabilities are introduced that leave applications open to constant attacks. What is the current threat landscape like for multinational organizations? How is exposure to application attacks affecting how companies secure their networks against data breaches? To find out, Radware sought the opinions of senior executives and IT professionals responsible for network security at companies with a global reach. What follows is a summary of current global perceptions on the state of application attacks and insights on how to best identify and mitigate threats in the future.

EXECUTIVE SUMMARY

Applications run the world. From sophisticated e-commerce engines to cloud-based productivity solutions and personal tools on mobile phones, web applications power how things get done.
Organizations around the globe rely on them for connections to customers, business partners, suppliers and staff. To better understand the challenges that organizations face to protect web applications, Radware commissioned a second annual global survey of senior executives and IT professionals at companies with worldwide operations. The goal of the survey was to find out how security breaches have affected respondents' organizations in the past 12 months and the impact of application attacks on plans for cybersecurity protection measures. The results painted a picture of what is common to companies around the world, as well as in three regions: Asia-Pacific (APAC), the Americas (AMER) and Europe/Middle East/Africa (EMEA).

In general, organizations reported a contradictory combination of inputs between the frequency and severity of attacks and confidence in their abilities to manage the impact. While most respondents said that hackers were able to access their networks, the vast majority of respondents said that they were certain their organizations could keep up with the growing rate of application-layer attacks, even though many did not secure APIs or felt that their WAFs were not stopping all attacks.

KEY FINDINGS: THE SURVEY REVEALED INSIGHTS IN FOUR KEY CATEGORIES:
1. The State of Application Security
2. Protecting Sensitive Data
3. The Emergence of Bot Traffic
4. Securing Applications Across the Network Ecosystem

THE STATE OF APPLICATION SECURITY
Threats to application security are a growing problem, but respondents had conflicting thoughts about the seriousness of the threat landscape and their ability to manage it.
- More than 25% of organizations experienced attacks on a daily basis, with the majority experiencing attacks weekly.
- The most common types of application/web server attacks were encrypted web attacks and data security breaches.
- 70% of respondents reported attacks against their applications over IPv6, with one-third of the attacks targeting application programming interfaces (APIs).
- 80% of respondents from APAC believed that they were vulnerable to hackers compared to about 60% in both AMER and EMEA.
- 90% of respondents across all regions said that they were confident that their organizations could keep up with the growing rate of application-layer attacks.
- About half of the organizations surveyed indicated that some of their customers asked for compensation or their own reputations suffered because of application/web server attacks.
- Respondents said that data security breaches were the most difficult type of application attack to detect and mitigate.

PROTECTING SENSITIVE DATA
As the number and severity of application attacks continue to grow, organizations are paying close attention to what information they collect, how many attacks they experience and how hackers access applications.
- 30% of companies collected and shared customer data about behavior, preferences and analytics.
- Over the past 12 months, respondents from APAC (55%) reported experiencing the most encrypted attacks, similar to EMEA (53%) and higher than AMER (41%).
- Across all regions, respondents estimated that it took hours (43%) or days (42%) for them to discover data breaches. Only a small number of organizations were alerted to data breaches by a third party. Anomaly detection tools were the most common method identified to discover data breaches.
- APIs were a major point of vulnerability. 62% of respondents did not encrypt data sent by API, 70% did not require authentication, and 33% allowed third parties to perform actions. The most common attacks targeting APIs were protocol attacks, access violations, brute force and denial of service that occurred on a weekly basis at 56% of the organizations.
THE EMERGENCE OF BOT TRAFFIC
Bot traffic, both good and bad, continues to grow as a percentage of overall internet traffic.
- Almost all (98%) felt that their organizations were capable of distinguishing between good and bad bots.
- The most common technique used to identify real users versus bots is CAPTCHA (which has already proven to be prone to bots that know how to bypass it), followed closely by dedicated anti-bot/anti-scraping solutions, IP rate-based detection and in-session detection and termination.
- Web scraping was viewed as a significant issue by most respondents, who indicated experiencing these types of attacks on a regular basis, be it daily, weekly or monthly.

SECURING APPLICATIONS ACROSS THE NETWORK ECOSYSTEM
As more applications move to the cloud, organizations are addressing application security on their own networks and with cloud providers.
- Most respondents said that they incorporated web application firewalls (WAFs) in their application security strategies, but only one-third said that their WAF blocked all attacks. At the same time, nine out of 10 respondents were confident their security model was effective at mitigating most or all attacks.
- Organizations updated applications much more frequently than reported in previous reports, which introduced new security concerns. About one-third of all application types were updated on an hourly or daily basis, with about one-fourth updated weekly and another one-fourth updated monthly.
- 87% of respondents reported using a bug bounty program. In data centers, 60% said that they used DevOps automation tools to update applications.
- Respondents overwhelmingly (86%) placed their trust in cloud services providers' ability to provide high levels of application security. They were also confident (83%) in their own abilities to enforce security levels across multiple cloud platforms.

Respondents estimated that it takes hours (43%) or days (42%) to discover data breaches.
THE STATE OF APPLICATION SECURITY

In application attacks, hackers exploit application vulnerabilities to cause service slowdowns and disruptions or gain access to digital assets. As network technologies evolve, the complexity of threats is keeping pace.

Hackers employ a number of tools to scan and map applications and look for vulnerabilities. The emergence of the internet of things (IoT) and artificial intelligence and the explosion of web, mobile and cloud-based apps create a treasure trove of entry points from which to launch attacks. Plus, applications often undergo constant changes to support dynamic business requirements and may not go through rigorous security screening before being made publicly available. How are organizations responding to the heightened need for application security defenses that safeguard their digital operations?

THE THREAT LANDSCAPE
Threats to application security are just part of doing business in a digital economy. That's the reality survey respondents indicated when asked how often their organizations' applications or web servers are attacked. Most said attacks happened weekly, and at least a quarter of the organizations reported attacks on a daily basis.

Encrypting data is no longer enough to stop hackers. In the last 12 months, respondents said that the most common types of application/web server attacks they experienced were encrypted web attacks and data security breaches. About half of respondents noted both of these attack types as most common (see Figure 1).

FIGURE 1. MOST COMMON APPLICATION ATTACKS IN THE LAST 12 MONTHS
Encrypted web attacks (SSL/TLS based): 50%
Data security breaches: 46%
Web scraping: 39%
HTTP/Layer 7 DDoS: 34%
API manipulations: 34%
SQL injections: 34%
Cross-site scripting: 32%
Credential stuffing/credential cracking: 24%
None of these/no attacks experienced: 11%
ORGANIZATIONS FACED A NUMBER OF ATTACK TYPES ON A REGULAR BASIS. THE MOST COMMON REPORTED THREATS WERE ENCRYPTED WEB ATTACKS AND DATA BREACHES.

IPv6 is an internet protocol that was developed in anticipation of the need to generate unique IP addresses for the ever-growing number of network-connected devices. Seventy percent of respondents reported attacks against their applications over IPv6, while one-third of the attacks targeted application programming interfaces (APIs) (see Figure 2).

FIGURE 2. ATTACKS AGAINST APPLICATIONS OVER IPV6
We didn't suffer IPv6 attacks: 27%
Yes, against mobile apps: 21%
Yes, against APIs we use: 33%
Yes, against web apps: 19%
ACROSS ALL REGIONS, RESPONDENTS REPORTED THAT THEY HAVE SUFFERED APPLICATION ATTACKS OVER IPV6.

THE ISSUE WITH DENIAL OF SERVICE
Denial-of-service (DoS) attacks on the application layer often target applications in ways that mimic legitimate user requests, to the point of exhausting the application's resources or otherwise limiting its operation. The purpose of DoS attacks is to disrupt service. The survey revealed that buffer overflow and HTTP flood attacks were the most common types of DoS attacks, especially in APAC versus AMER and EMEA.

According to Radware's 2017-2018 Global Application and Network Security Report, denial-of-service (DoS) attacks are shifting from the network layer to the application layer, making them harder to detect and mitigate.[2] DoS attacks on applications render them inoperable. There are many techniques to exhaust the application resources. The most common ones are overwhelming application servers with session requests and buffer overflow, which involves writing more data to a fixed-length block of memory than can be accepted. Generally, their goal is to prevent legitimate users from accessing the applications.

Respondents indicated that they experienced in the past 12 months a fairly equal distribution of the types of DoS attacks disrupting application services (see Figure 3).

FIGURE 3. MOST COMMON DENIAL-OF-SERVICE (DOS) ATTACKS IN THE LAST 12 MONTHS
Buffer overflow: 38%
HTTP flood: 37%
HTTPS flood: 36%
Low and slow (such as LOIC, Slowloris, TorsHammer): 34%
Resource depletion: 34%
We didn't suffer any denial-of-service attacks against our applications: 15%
ORGANIZATIONS FACE A NUMBER OF DOS ATTACKS ON A REGULAR BASIS.

FIGURE 4. REGIONAL DIFFERENCES: APAC SEES MORE APPLICATION-LAYER DDOS (% OF DOS ATTACKS)
APAC: buffer overflow 52%, HTTP flood 46%
AMER: buffer overflow 35%, HTTP flood 34%
EMEA: buffer overflow 28%, HTTP flood 32%

[2] Radware's 2017-2018 Global Application and Network Security Report.

KEY FINDING: CONFLICTING OUTLOOKS
When asked if hackers can penetrate the applications in their organizations' networks, two-thirds of respondents said yes. About 80% of respondents from APAC believed that they were vulnerable compared to about 60% in both AMER and EMEA (see Figure 5). At the same time, 90% of all respondents across all regions said that they were confident that their organizations can keep up with the growing rate and complexity of application-layer attacks. The conflicting outlook matches a key finding in Radware's 2018 C-Suite Perspectives report, which found that the majority of respondents across all regions (65%-81%) felt that their internal security resources were sufficient to handle their security needs. Yet 66% believed that hackers could penetrate their networks.[1]

[1] Radware. C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts; 2018 Executive Application & Network Security Report.

FIGURE 5. REGIONAL DIFFERENCES: APAC SEES HIGHER RISK OF NETWORK PENETRATION
Percentage who believe a hacker can penetrate their network: APAC respondents 80%; AMER and EMEA respondents 60%.

Compared to a similar survey in 2017, respondents were also more confident that they were able to achieve 100% availability of application services. In this year's survey, on a scale of one to five, most scored their organizations' ability at four (see Figure 7).

WHY THE DISCREPANCY?
There are likely two main reasons to consider. First, it's difficult for organizations to keep up with the fast pace of evolving threats. New application exploit kits are released almost daily, and most organizations refresh security practices perhaps once a year and security solutions every three or four years. Taking consistent action can generate a false sense of security, because critical solutions based on aged heuristics do not address the current threat landscape. Second, cybersecurity issues can be a blind spot for senior management. Based on internal reviews,