The future of web application security

Evolving attack vectors illuminate security gaps

Cyber attacks continue to increase in complexity and diversity

The effects of the ongoing coronavirus pandemic led to web traffic surges of almost 40%, precipitated by work from home initiatives and increased online activity. With this increase came a simultaneous rise in both large and small cyber attacks, as security teams lacked the adequate tools, resources, and visibility to detect and patch gaps in security infrastructure. This left them vulnerable to a variety of application and network-layer threats.

During this time, two primary trends have emerged:

Attack vectors are more diverse. In addition to carrying out common attacks like DDoS, SQL injections, cross-site scripting, and credential stuffing, attackers were quick to capitalize on additional vulnerabilities. They targeted vulnerable organizations using tactics like ransom-based DDoS attacks (RDDoS), IoT bot attacks, QUIC amplification attacks, and other innovative attack strategies, which became increasingly popular as efforts increased to knock organizations offline, extort exorbitant ransom fees, and erode brand reputation.

A rise in Internet Of Things (IoT) device usage preceded a subsequent rise in IoT botnet attacks. Retailers forced to move popular product releases online have been plagued with bots scraping inventory information or making fraudulent purchases, shutting out real consumers in the process. Other attacks have been carried out over protocols that run UDP; like when attackers disrupted gamers who used TeamSpeak (a Voice over Internet Protocol (VoIP) that allows players to voice chat with each other) to impact their performance.

Attacks are more complex. As the frequency of cyber attacks rose in 2020, so did the number of multi-vector attacks. Sophisticated attacks aren’t necessarily the longest or largest attacks, but use repetition, advanced bot behavior, and multiple methods and entry points — often at several different layers of the OSI model — to evade detection and threat protection technologies. This means that it may take longer for organizations’ security teams to discover and recover from attacks, resulting in data loss, poor customer experience, and additional costs.

According to Verizon’s 2020 Data Breach Investigations Report, web applications remain one of the primary vectors for attacks that exploit vulnerabilities and utilize stolen credentials, backdoors, and C2 functionalities — a trend that is likely to continue as organizations migrate more of their applications and data to the cloud, employ an increasingly distributed workforce, and encounter spikes in web traffic.

As the application attack landscape evolves, so must a web security strategy that is both robust and proactive, enabling organizations to anticipate and mitigate threats as they arise.

The challenges with point solutions

The traditional approach to web application security calls for multiple point solutions — typically labeled as best-in-class — across DDoS mitigation, malicious bot mitigation, API protection, and web application firewalls (WAF), each uniquely designed to address the specific attack vectors that cross their paths.

However, instead of effectively layering solutions to create a stronger defense, the implementation of siloed security solutions often introduces visibility challenges and stress to already overburdened security organizations:

A comprehensive approach to web application security

The patchwork of point solutions no longer serves the needs of the modern enterprise. As new vectors emerge and attacks increase in frequency and sophistication, organizations need a robust, integrated web application security platform — one that bundles the core services of DDoS protection, web application firewalls, API protection, and bot management.

But what does it mean to be truly integrated — and what benefits does this kind of strategy offer against a complex and evolving threat landscape?

When properly implemented, an integrated security platform layers security controls that work to strengthen each other, rather than creating gaps that can leave endpoints open to attack. Vendors need to ensure that each tool works with the others to seamlessly detect and defend against a variety of attack vectors while sharing information that can improve threat prevention capabilities. With each threat encountered, the whole system should become more efficient at blocking threats.

An integrated platform provides several additional advantages over a stack of point solutions, even when named best-in-class:

Holistic Web Protection

Frost & Sullivan recently assessed the security offerings of 10 cloud providers to further assist organizations in evaluating integrated web application security platforms. Each provider was measured on the strength of their “Holistic Web Protection,” which encompasses DDoS mitigation strategies, web application firewalls, and bot management solutions that work in tandem to keep web applications — and the data they purvey — available, confidential, and secure.

Cloudflare was distinguished as a leader in innovation, delivering web application security on its global edge network of over 250 data centers.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Dive deeper on this topic

Explore these findings in more depth in the Frost Radar: Global Holistic Web Protection Market Report.

Get the report

Follow the Cloudflare Blog