APIs, App Updates Create New Vulnerabilities

Some of the technology tools that are fueling global enterprises are also making them more vulnerable to data breaches, a new survey by Radware reveals. Increased collection and sharing of data, growing use of web applications and more frequent updates to those apps all create new exposures and contribute to the increasing number and complexity of application-layer attacks.

The Radware 2018 State of Web Application Security report is based on a Merrill Research survey of 302 executives and IT professionals from global enterprises with revenues more than $250 million a year.

It found the vast majority -- 89% -- had experienced attacks against web applications or servers within the past 12 months, and that more than half were experiencing daily or weekly attacks.

Source: Radware 2018 State of Web Application Security

One major reason is the failure to protect application programming interfaces (APIs) and API gateways, notes Mike O'Malley, Radware Ltd. (Nasdaq: RDWR)'s vice president of carrier strategy and business development. The vast majority of organizations who use API gateways do so to share or consume data, but 70% of survey respondents said they don't require authentication from third-party APIs and 62% don't encrypt data sent by APIs, which creates a major new landscape for data breaches.

"The vast majority of companies are not doing something on the API side," O'Malley said. He points to the massive breach of the Facebook API as an example of what can happen but adds that most organizations have false confidence in their own systems' security, with 90% of those surveyed saying they were confident their organizations could mitigate application-layer attacks. "They think if they haven't had a Black Swan attack in the last month, it's not going to happen to them."

Source: Radware 2018 State of Web Application Security

The need to update applications on a daily or even hourly basis is also contributing to new security concerns. The survey shows about a third of all application types are updated on an hourly or daily basis, with another quarter being updated weekly. Those frequent changes can create new security problems, if there isn't an application security framework in place that automatically refreshes the security along with the change in application behavior, O'Malley notes. Re-provisioning static web security with each application change is not cost-effective.

While the survey addresses large global enterprises, he stresses the fact that potentially devastating security breaches aren't limited to large companies. In fact, smaller operations with fewer IT resources may be more vulnerable, particularly if they are repositories of sensitive customer data.

"A lot of people think this is a Tier 1 problem, and it won't affect them," O'Malley comments, citing his favorite example of the local car dealership, with its treasure trove of customer data including driver's license numbers and financial information. "They don't realize that it is not a matter of your size in terms of revenue and number of employees, it's more about intellectual property and personal data."

The impacts can be devastating, with 52% of those surveyed saying customers asked for compensation following a breach, almost as many reported major reputation loss and almost quarter said executives lost their jobs after a data breach.

To read more about this particular report, check out this story on our sister site, Light Reading. — Carol Wilson, Editor-at-Large, Light Reading