The future of web application security

Evolving attack vectors illuminate security gaps

Cyber attacks continue to increase in complexity and diversity

The effects of the ongoing coronavirus pandemic led to web traffic surges of almost 40%, precipitated by work from home initiatives and increased online activity. With this increase came a simultaneous rise in both large and small cyber attacks, as security teams lacked the adequate tools, resources, and visibility to detect and patch gaps in security infrastructure. This left them vulnerable to a variety of application and network-layer threats.

During this time, two primary trends have emerged:

Attack vectors are more diverse. In addition to carrying out common attacks like DDoS, SQL injections, cross-site scripting, and credential stuffing, attackers were quick to capitalize on additional vulnerabilities. They targeted vulnerable organizations using tactics like ransom-based DDoS attacks (RDDoS), IoT bot attacks, QUIC amplification attacks, and other innovative attack strategies, which became increasingly popular as efforts increased to knock organizations offline, extort exorbitant ransom fees, and erode brand reputation.

A rise in Internet Of Things (IoT) device usage preceded a subsequent rise in IoT botnet attacks. Retailers forced to move popular product releases online have been plagued with bots scraping inventory information or making fraudulent purchases, shutting out real consumers in the process. Other attacks have been carried out over protocols that run UDP; like when attackers disrupted gamers who used TeamSpeak (a Voice over Internet Protocol (VoIP) that allows players to voice chat with each other) to impact their performance.

Attacks are more complex. As the frequency of cyber attacks rose in 2020, so did the number of multi-vector attacks. Sophisticated attacks aren’t necessarily the longest or largest attacks, but use repetition, advanced bot behavior, and multiple methods and entry points — often at several different layers of the OSI model — to evade detection and threat protection technologies. This means that it may take longer for organizations’ security teams to discover and recover from attacks, resulting in data loss, poor customer experience, and additional costs.

According to Verizon’s 2020 Data Breach Investigations Report, web applications remain one of the primary vectors for attacks that exploit vulnerabilities and utilize stolen credentials, backdoors, and C2 functionalities — a trend that is likely to continue as organizations migrate more of their applications and data to the cloud, employ an increasingly distributed workforce, and encounter spikes in web traffic.

As the application attack landscape evolves, so must a web security strategy that is both robust and proactive, enabling organizations to anticipate and mitigate threats as they arise.

The challenges with point solutions

The traditional approach to web application security calls for multiple point solutions — typically labeled as best-in-class — across DDoS mitigation, malicious bot mitigation, API protection, and web application firewalls (WAF), each uniquely designed to address the specific attack vectors that cross their paths.

However, instead of effectively layering solutions to create a stronger defense, the implementation of siloed security solutions often introduces visibility challenges and stress to already overburdened security organizations:

  • Visibility: Using point solutions from different vendors can often impact visibility and introduce security gaps. Attacks against web applications and APIs can span the purview of multiple point products, rather than single product offerings. For example, detecting and mitigating a credential-stuffing attack may require capabilities found in a WAF, a bot mitigation solution, and an API security offering. Without the ability to easily manage security services and monitor all traffic, endpoints, and browsing activity through a single pane of glass, security teams may not be able to detect anomalies in advance or defend against zero day attacks.

  • Burden: As attacks increase in size and complexity, stopping them requires an ever-expanding list of individual point solutions, many of which may not integrate. Additionally, layering multiple services is costly and time consuming. Maintaining a bevy of different security tools may place unnecessary strain on organizations, especially if the tools overlap in functionality.

A comprehensive approach to web application security

The patchwork of point solutions no longer serves the needs of the modern enterprise. As new vectors emerge and attacks increase in frequency and sophistication, organizations need a robust, integrated web application security platform — one that bundles the core services of DDoS protection, web application firewalls, API protection, and bot management.

But what does it mean to be truly integrated — and what benefits does this kind of strategy offer against a complex and evolving threat landscape?

When properly implemented, an integrated security platform layers security controls that work to strengthen each other, rather than creating gaps that can leave endpoints open to attack. Vendors need to ensure that each tool works with the others to seamlessly detect and defend against a variety of attack vectors while sharing information that can improve threat prevention capabilities. With each threat encountered, the whole system should become more efficient at blocking threats.

An integrated platform provides several additional advantages over a stack of point solutions, even when named best-in-class:

  • Comprehensive security — with no gaps. Integrated web application security solutions should work together to cover all attack surfaces, no matter what attackers throw their way.

  • Better visibility. A truly integrated web application security approach consolidates solutions behind a single pane of glass, giving security teams full visibility and control over each aspect of their security posture.

  • Simplified management. Reporting tools, firewall rules, attack alerts, and logs should all be managed and modified in the same place, allowing security teams to see and mitigate threats as they arise.

Holistic Web Protection

Frost & Sullivan recently assessed the security offerings of 10 cloud providers to further assist organizations in evaluating integrated web application security platforms. Each provider was measured on the strength of their “Holistic Web Protection,” which encompasses DDoS mitigation strategies, web application firewalls, and bot management solutions that work in tandem to keep web applications — and the data they purvey — available, confidential, and secure.

Cloudflare was distinguished as a leader in innovation, delivering web application security on its global edge network of over 200 data centers.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

After reading this article you will be able to:

  • Takeaway 1

  • Takeaway 2

  • Takeaway 3

  • Takeaway 4

RELATED RESOURCES



Dive deeper on this topic

Follow the Cloudflare Blog