The Catch-22 of Web Application Innovation

By Fortra's Digital Defense

History or Mystery?

As we look back at the first half of 2018, many of the cyber threat predictions have already come to pass: lack of GDPR compliance, increasing breaches of IoT devices and web apps, more DDoS attacks, and so on. Attacks on web applications such as those of MyFitnessPal, TaskRabbit, and Pizza Hut are just the beginning of what’s to come for web application threats.

With breaches hammering the headlines daily, it’s easy to identify a trend: Hacking is a lucrative business and it’s not going anywhere. Savvy business leaders are struggling to keep up with technology, outsourcing, and moving services to IaaS platforms, with less ‘direct’ contact to their assets. Securing and protecting the sensitive data held on those systems is ever more critical to maintaining a strong security posture.

According to the recent Verizon Data Breach Investigation Report, “we saw, yet again, that cybercriminals are still finding success with the same tried and tested techniques, and their victims are still making the same mistakes.” The report also showed that web application attacks led the way as the most common breach pattern. It seems history is intent on repeating itself. However, it has also become more evident that new flavors of ransomware and botnets like Mirai will continue to invade infrastructures as attackers work to refine their craft.


The Catch-22 of Web Apps.

As organizations try to remain agile and innovative, the pressures of speed to market and of remaining relevant are just some of the ‘Catch-22s’ and harsh realities for a modern business. Sure, the benefits of web applications are undeniable, but application development that bypasses stringent code review and testing, along with default credentials, are just some of the struggles that can inhibit innovation or open up more holes for hackers to exploit.


“There’s an App for That.”

We haven’t heard that in a while! Even app stores and apps for phones and tablets pose both a significant risk and a benefit for organizations. ‘We’ want an app for everything, and app developers are scrambling to put in new features and functionality to stay in the game. The more apps we have, the more potential attack surfaces and vectors exist, and we have to prepare for them to be exploited. It can be a vicious cycle.

Hacks by way of web applications have steadily been on the rise, likely due in part to organizations’ growing adoption of the Internet of Things (IoT), where many devices have web interfaces, and of mobile devices. According to a recent 2018 Symantec report, the “Internet of Things (IoT) attacks increased 600% between 2016 and 2017.” It’s just simple math, right? The more web interfaces there are, the more you need to scan them for vulnerabilities and protect them to avoid cyber incidents such as DDoS attacks. But the truth is that the math is the only simple thing about it, or we wouldn’t all be scrambling to stay ahead of these threats.


The Cart Before the Horse?

The more hackers succeed and fail, the more knowledge they gain and the faster we have to work to try to head them off at the pass. Putting a Web Application Firewall (WAF) in place to protect your web applications isn’t enough anymore. History has shown that we are seeing more variations of attack vectors, and consequently an organization needs to proactively prepare for the inevitable attack by scanning for weaknesses.

If you’re thinking you’ve put the cart before the horse by moving to the cloud but are just now realizing what needs to be done for web application security, you probably did. The good news is that you’re not alone, and it isn’t too late to put safeguards in place to protect the application layer of your key assets, while still reaping the rewards of innovative web applications.


It’s Not Too Late to Automate.

There are best practices to protect your web applications and solutions to help you get quick wins by leveraging key technologies such as Digital Defense’s Frontline WAS™. Our solution has been developed to provide the highest level of dynamic web application testing results through a system that is easily deployed and maintained. A Web Application Scanner can help you prioritize the most critical vulnerabilities, saving you valuable resources through targeted remediation efforts.

As we continue through the second half of 2018, perhaps we can learn from historical data around vulnerabilities and breaches to unravel the cybercrime mystery that is no doubt never-ending. We may not be able to get ahead of all threats, but learning from the past is the best way to prepare for the future.

