Application security is often overlooked or misunderstood, which has left many companies vulnerable to criminals all over the world. This Verizon Data Breach Investigations Report (DBIR) found that web application attacks have doubled in the past year, to nearly 43 percent of all attacks analyzed in the report. In addition, 55 percent of all breaches involved organized crime, and 30 percent involved internal threats.
The DBIR also reports that security misconfiguration errors have been increasing steadily since 2017 and are up 5 percent over last year. For an example of a security misconfiguration error leading to a massive data breach, check out our blog on the Equifax breach. A web application firewall is engineered to protect applications from external and internal threats. The Open Web Application Security Project (OWASP) maintains the OWASP Top 10, which identifies the ten most critical web application threats. The list is created from input by security researches and is updated every few years.
Threats like the OWASP Top 10 exist because there are multiple components in an application, and it can be difficult to keep these components secure. Many web applications include plugins and integrations from separate developers, and both the developers and application owners play a role in maintaining the security of that code. The entire web application is at risk if a component is compromised. In the case of Equifax, a security patch was available for the vulnerable component long before the criminals attacked. Equifax just never installed the patch. Web application firewalls can recognize and block the attacks that seek to exploit vulnerable code.
Web applications are also subject to attacks that do not rely on vulnerabilities. For example:
DDoS attacks: A Distributed Denial of Service attack can crash your application, interrupt your business, and cost your company time, money, and customers. There are different types of DDoS attacks, and the motive for an attack could be anything from creating a nuisance to covering the tracks of a simultaneous attack involving data or financial theft. One of the largest DDoS attacks in history targeted Github and is widely thought to have been politically motivated. The DYN DDoS attack was also historic in terms of attack strength and impact. The 100,000+ devices in the Mirai botnet made the power and scope of that attack possible. Thanks to crime-as-a-service, anyone can hire a DDoS criminal to attack your company.
Credential stuffing: This attack uses automated tools and stolen user name and password combinations to attempt to login at multiple sites on the web. The goal is to gain access to a victim's account and use it to steal money or data from the victim. This attack works because people often use the same password across multiple accounts, and they rely on passwords rather than multi-factor authentication to secure their accounts. Successful attacks on Disney+, State Farm, and Nintendo have resulted in the exposure of private customer information and the fraudulent use of customer credit cards. It can be difficult and expensive to rebuild a brand after a data breach.
The Barracuda Web Application Firewall (WAF) protects your applications from these attacks, as well as the OWASP Top 10 and many more. Our Barracuda WAF-as-a-Service is a full-featured, cloud-delivered application security service that can be up and running and protecting your web application in a matter of minutes.
For a free 30-day trial of the Barracuda WAF-as-a-Service, visit our website here.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.