Application security trumps availability
Thursday, January 19, 2017
Application security is the ‘top concern’ for respondents in a recent survey of security professionals, as the sophistication of attacks and targeting of the application layer continues to rocket.
Although application security has historically been underestimated, new research points to rising concerns among enterprise security professionals.
The survey of 2,200 F5 international customers found that for the first time, application security trumped availability as the number one concern for respondents. Security teams are noting the increasing sophistication of attacks as their top challenge, and are expanding beyond traditional firewalls and the legacy enterprise perimeter as a response to hackers increasingly targeting apps. In fact, identity and availability remained almost flat, while app security concerns rose seven per cent.
There is certainly plenty of supporting evidence for the importance of securing the application layer – one study in late 2016 found that 84 per cent of web applications had medium-severity vulnerabilities, while 16 per cent of perimeter network assets were also susceptible to at least one medium-severity vulnerability. Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “Gartner highlighted in its Hype Cycle for Application Security 2016 that applications are the main source of data exfiltration, however companies still tend to underestimate the risks related to web applications, and consequently put their customers at huge risk. Many exploitation vectors of common web application vulnerabilities, including unpatched 0days, can be efficiently mitigated by proper web server hardening and a WAF, but many companies simply don’t pay attention to these details until there’s a serious data breach - and by then it’s too late.”
The F5 survey found that the average number of app services in use by organizations has shot up from 11 in 2016 to 14 now, with the percentage of organizations that rely on 10 or more of these app services rising to 74 per cent in 2017, up 14 points from last year. Nearly half (49 per cent) of organizations deploy between 11 and 20 app services. This rapid growth could explain the overall lack of application security: researchers from High-Tech Bridge found that more than 90 per cent of in-house developed web applications designed to handle medical, financial or other sensitive data are vulnerable to a high-risk improper access control flaw or another application logic flaw that is not related to the sanitization of user-supplied input (as in XSS or SQL injection, for example).
Interestingly, in spite of this level of vulnerability, businesses are generally bullish about their application security, with nearly half (45 per cent) of all F5 respondents being “confident to very confident” in their organization’s readiness to withstand an application-layer attack. Only 17 per cent were “not at all or less confident.” Among those organizations with a WAF deployed today, confidence was much higher (53 per cent) than among those without one (32 per cent). Although the enterprises with a WAF felt more secure, research by High-Tech Bridge has shown that web applications protected with a WAF contain, on average, 20 per cent more vulnerabilities than unprotected ones, and in fact more than 60 per cent of web vulnerabilities have advanced exploitation vectors allowing hackers to bypass the WAF configuration and compromise the web application regardless.
The increasing sophistication of attacks remained the top security challenge in the next 12 months for respondents (50 per cent), with employees’ understanding of the importance of security policies next at 44 per cent, and the security skills gap at 34 per cent. In far better news for the industry, budgetary concerns dropped from 41 per cent in 2016 to 30 per cent in 2017.