We all know instinctively that threat actors are getting smarter, more organized, and more resourceful. Web application attacks, from API-based threats to distributed denial of service (DDoS), are growing in number and sophistication. Tackling them head-on must be a priority for organizations serious about digital transformation.
The truth is that a serious breach or outage at the web app layer could be enough to derail the kinds of projects businesses are increasingly reliant on to drive revenue and customer loyalty. It’s time to get back on the front foot.
DDoS attackers get smarter
DDoS attacks have been with us for years. But the barriers to entry have never been lower. In fact, data from the UK’s National Crime Agency has shown that children as young as nine have been able to deploy such attacks thanks to “as-a-service” tooling. Attacks on web applications are now a major contributor to an overall surge in DDoS campaigns.
Application-layer DDoS attacks can be slower to carry out, but they are also harder for organizations to detect and require more resources to spot than network-layer attacks. Threat actors are also using them in a wide variety of ways, including direct ransom attacks and in “triple extortion” efforts designed to force ransomware victims to pay up. This might change the DDoS risk calculation for some security leaders in mid-sized firms.
Web app attacks
Web apps are also a major target for threat actors in their own right, as they can provide a direct route to lucrative customer and internal data. In 2021, “broken access control” and injection attacks were the most common causes, together representing a majority of these attacks.
Broken access control is an OWASP Top 10 application security risk. It includes “predictable resource location” violations, where an attacker is able to guess or brute force common names for file directories, and therefore access potentially sensitive info. Injection attacks include SQL injection and similar. All organizations should be mindful of these threats. There isn’t a single industry where web apps don’t play a key role for customers and/or employees.
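To make the two weaknesses named above concrete, here is a short illustration written for this edit (it is not code from the article or from any product it mentions). Each weakness is shown as a vulnerable function beside its hardened form: a document lookup that relies only on a guessable resource name, versus one that checks the requester's authorization for every object; and a user lookup that concatenates input into SQL, versus one that binds it as a parameter. The document names, owners and user table are constructed sample data.

```python
import sqlite3

# Constructed sample store: predictable names, each owned by one user.
SAMPLE_DOCS = {
    "invoice-1001.pdf": {"owner": "alice", "body": "alice's invoice"},
    "invoice-1002.pdf": {"owner": "bob", "body": "bob's invoice"},
}


def fetch_doc_broken(requester, name):
    """Broken access control: existence of the name is the only check.
    Any authenticated user who guesses a predictable name gets the file."""
    doc = SAMPLE_DOCS.get(name)
    return doc["body"] if doc else None


def fetch_doc_checked(requester, name):
    """Hardened: authorization is evaluated per object against the
    requester's identity, and the default outcome is deny."""
    doc = SAMPLE_DOCS.get(name)
    if doc is None or doc["owner"] != requester:
        return None  # same response for "not found" and "not yours"
    return doc["body"]


def make_db():
    """In-memory SQLite table with constructed rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    return conn


def find_role_vulnerable(conn, username):
    """SQL injection: the input becomes part of the SQL text, so a value
    containing a quote can change the query's structure."""
    sql = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_role_parameterized(conn, username):
    """Hardened: the driver binds the value to a placeholder, so the input
    is always treated as data and can never alter the query."""
    sql = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    # Bob asks for Alice's invoice: the broken lookup serves it.
    print(fetch_doc_broken("bob", "invoice-1001.pdf"))
    print(fetch_doc_checked("bob", "invoice-1001.pdf"))
    db = make_db()
    # A quoted input returns every row from the concatenated query,
    # and nothing from the parameterized one.
    print(find_role_vulnerable(db, "' OR '1'='1"))
    print(find_role_parameterized(db, "' OR '1'='1"))
```

The point of the hardened variants is that the decision is made against the requester's identity for each object, and that query structure is fixed at development time. Code review for string-built SQL and for object lookups that skip an ownership check is one of the cheapest ways to build these controls into the development process rather than relying on a web application firewall alone.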
APIs under scrutiny
A new report also uncovers the growing threat to APIs. These increasingly sit at the heart of the digital enterprise, as more organizations connect their web applications, data, and devices internally and with third-party systems to create enhanced user experiences. The study revealed that 95% of organizations experienced an API security incident over the past 12 months, with 12% suffering an average of over 500 attacks per month.
Top of respondents’ concerns was the risk of outdated APIs (43%), followed by the potential for incidents to lead to account takeover (22%). As tech innovation continues to advance, security teams mustn’t forget about previous iterations of technology which may be less well secured, such as these “zombie” APIs. Visibility into this corner of the IT environment is as important as understanding that APIs are becoming an increasingly important pathway for unauthorized data access. Gartner has predicted that by 2022, APIs will become the most frequent attack vector for data breaches.
Why you should care
As cyberwarfare intensifies in Ukraine, all organizations must work to harden the weakest links in their security chain because that’s where attackers will strike. Even if the conflict doesn’t spill over into a broader online battle between Russia and Ukraine’s Western allies, organizations should be laser-focused on mitigating web app risks — especially as their investments in digital initiatives grow.
What does this mean in practice? Consider:
- Paying more heed to APIs as an attack vector, understanding where gaps in protection may be, and securing them via web app firewalls and other tools.
- Understanding the changing dynamics of DDoS, including the emerging threat of triple extortion and a surge in DDoS ransom attacks. Organizations should partner with a specialist to mitigate the impact of such attacks on the web app layer.
- Working harder to build security into the application and API development process, as well as to protect these environments from third-party attacks.
Being proactive matters because a serious incident could slow down the rollout of new applications, which sit at the heart of companies’ ability to respond quickly to market demands with new customer experiences. Security in this context is not a nice-to-have; it should be built into every project as an essential prerequisite for digital innovation and success.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.