Protecting your applications — no matter where they live
Applications are everywhere, from Data Centres to Smartphones. Remote working has increased the need for more applications to be exposed to the cloud. Application growth is insatiable. However, Applications are regularly breached - so how on earth do you protect them? Having an understanding of what the threat vectors are is incredibly important in starting to figure out how to wrap your head around ‘AppSec’ and start protecting your applications.
Application security in 2021 is looking different. It has always been a major consideration for areas potentially exposed to attack but working from home has rapidly increased this (source CIF) We’ve talked before about BOTS and they are without doubt the biggest headache creator for customers and are now clearly sitting atop the list of successful methods of breaches. And they are certainly not going away, they are growing in capabilities. Add in the fact that 28% of breaches are caused by human error again, it’s more important than ever to make sure no door gets left open.
But it ain’t just the BOTS!
Zero-day threats, web application vulnerabilities, software supply chain and APIs (Application Programming Interface) are all very real areas that need as much attention. Recent research data shows that out of 750 Global customers, 72% said their organization had suffered at least one security breach from an application vulnerability in the past year, with nearly 40% experiencing more than one. We continue to see high-profile examples of this in the news, all the time.
APIs are a developer’s dream. Organisations are moving to an API-first development. APIs make the development of new versions of applications much, much faster. But again, therein lies another exposure point. Extending the visibility of these applications creates a whole new attack surface. And if you include Single Page Applications, it’s more than enough to keep you on your toes.
Think about cashing a cheque in. For those old enough to remember your grandparents giving you a cheque on your birthday, you used to have to wait for the bank to open, pay it in and….wait. They would take several days to check the originating account, confirm a few details, and then wait for the reply. When that eventually happened, the money would finally turn up in your account. What happens today? Instant bank transfers via an application on your smartphone. Super quick, but think about what is happening, it isn’t a simple one-call transaction, an incredible amount of IT goes on behind the scenes to complete that one transaction – and it all needs to be protected.
There are no humans involved in B2B endpoint checking, it’s all done by APIs and are all areas of potential threat. Why? Think about it, APIs by nature expose, the application's logic, the user's credentials & tokens, and all kinds of personal information and all done at Cloud speeds…all from your phone! An API-based application is significantly more exposed than a traditional web-based app because of the deliberate way it is deployed, allowing direct access to all the sensitive data.
If you think about scrolling through Facebook or checking livestock tickers, our phones are interacting with the servers in their data centres via APIs. If you’re scrolling live, those APIs are constantly authenticating via large alphanumeric strings – this traffic needs to be inspected and secured in real time. It’s not like with the cheque example where you can wait for someone to come back from lunch to see if it is a legitimate request.
Organisations love APIs but find it hard for security to keep up. BOTS are in place, ready to jump on unsecured APIs, 24 x 7. Once there, they have access to customer data or employee information that they can compromise however they see fit. There are plenty of examples of test APIs being deployed with direct access to production data with absolutely no security in place (Facebook’s 2018 breach is a case in point) but an encouraging statistic from the research showed that 75% say that whilst APIs present security challenges they are now recognising the risks, which is a positive sign that this area is being taken seriously.
Defending APIs is now a tier-one security consideration. It is important to consider a comprehensive, scalable, and easy to deploy platform to protect applications wherever they may reside. A web application firewall (WAF) with Active Threat Intelligence is the most manageable way to protect your applications and in turn APIs from the threats mentioned in this blog. Protecting your organisation against zero-day threats, BOTS, DDoS attacks, Supply Chain compromise, credential stuffing, adding client-side protection as well as internally protecting against malicious employees, should be discussed to avoid joining the 72%.
If you want to know more, Barracuda CTO Fleming Shi and other Barracuda experts took a look at current and upcoming API and supply chain attacks in a recent seminar - available here on demand.