We’re in 2021 and web application security still has to be one of our major concerns, because web applications have become a common attack target. It was revealed that one in every five web application attacks is linked to a state-affiliated attacker, adding up to a loss of $4.3 billion. Web applications have been the #1 leading incident pattern for consecutive years.
According to a report published by IBM, the cost of a data breach rose from USD 3.86 million to USD 4.24 million, the highest average data breach cost in the past 17 years. During the Covid pandemic, all of us learnt to work from home, which made work easier for most of us but added to organizations’ breach costs. The rise in average breach costs is due to the fact that people working remotely are now another factor that has to be taken into account for security. What, then, eventually helped lower the average data breach cost for organizations? Security AI and Zero Trust policies did.
2021 Statistics: Web Application Security
The reports urge organizations to focus more on the newer threats to applications: bot attacks, API attacks and supply chain attacks.
The spike in digital transformation has made web applications more and more complex, with newer business models relying on them completely. This involves intensive use of APIs and similar components, which does one thing for the attackers: it enlarges their attack surface. At the same time, it complicates defensive strategies, as there is now a lot more area to secure.
The report by F5 Labs reveals that of the most significant security incidents that occurred in the last five years, 57% involved web application exploits. These amount to 47% of the extreme financial losses recorded.
The average time-to-discovery for web application attacks was 254 days, compared with an average time-to-discovery of 71 days for the other extreme events studied.
Common Vulnerabilities in Web Applications
Which vulnerabilities are most common is a challenging question to answer, as no single source in the report sees everything. Keeping that in view, only two attacks were reported by all three sources: SQL Injection (SQLi) and Cross Site Scripting (XSS), making them the most common web application attacks. SQL injection was exploited in between 15% and 76% of attacks, whereas Cross Site Scripting was exploited in between 4% and 54%.
Other exploited vulnerabilities were reported as well, including remote code execution (RCE), XML External Entities (XXE) and Insecure Deserialization.
During the pandemic there has evidently been a spike in digital transformation, but that has also provided attackers with more targets to add to their lists. As per Verizon’s reports, most of the web applications that were targeted were cloud-based.
Threats in 2021: Video Gaming Industry
Web application exploitation has affected numerous industries, but this time the video gaming industry has juicy statistics to share: it experienced 240 million attacks on web applications in 2020, a rise of 340% compared with 2019. The video gaming industry was targeted more than any other industry during the COVID-19 pandemic.
Video games that include in-app purchases have been frequent targets. Attackers are more interested in the users who spend money on in-game items such as skins, enhancements and more. These attacks might be carried out for personal interest, but most of the compromised data is evidently sold on criminal markets.
According to a report published by Akamai, SQL Injection attacks represented 57% of all attacks observed, making it the most common attack vector for web applications and one that directly compromises user credentials and details. The second most significant attack vector is Local File Inclusion (LFI), which represented 24% of all attacks, exposing sensitive internal files of applications and services that could lead to further attacks. Other attack vectors were observed as well: Cross Site Scripting (XSS) and Remote File Inclusion (RFI), representing 8% and 7% of attacks respectively.
“We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices” said the Security Researcher from Akamai.
Credential stuffing attacks increased significantly, by 224% compared with the previous year, amounting to nearly 11 billion according to the statistics provided for 2020. The attacks were carried out on a large scale, averaging millions per day and including a spike of 100 million attacks over two days. For those not familiar with such attacks: credential stuffing takes the compromised or leaked credentials of one organization and replays them against another organization. Users who use the same password or reuse their passwords across services were the ones who got compromised because of it.
Using a password manager, generating random passwords with a tool, and enabling multi-factor authentication are recommended to help users protect themselves against it.
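The detection side of the pattern described above, as an added example that is not part of the original article or any of the cited reports: credential stuffing shows up in authentication logs as one source trying many different usernames with mostly failed logins, while the rare success marks an account whose owner reused a leaked password. The log format, thresholds and sample lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of authentication log lines (not from any report):
# "<timestamp> <source-ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.7 alice FAIL
2021-03-01T10:00:02Z 203.0.113.7 bob FAIL
2021-03-01T10:00:02Z 203.0.113.7 carol FAIL
2021-03-01T10:00:03Z 203.0.113.7 dave FAIL
2021-03-01T10:00:03Z 203.0.113.7 erin FAIL
2021-03-01T10:00:04Z 203.0.113.7 frank OK
2021-03-01T10:00:05Z 203.0.113.7 grace FAIL
2021-03-01T10:00:09Z 198.51.100.4 alice FAIL
2021-03-01T10:00:15Z 198.51.100.4 alice FAIL
2021-03-01T10:00:20Z 198.51.100.4 alice OK
"""

def parse_log(text):
    """Split each line into (timestamp, ip, user, result); blank lines are skipped."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def flag_credential_stuffing(events, min_attempts=5, min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose pattern matches credential stuffing:
    many attempts spread across many *different* usernames, mostly failing.
    One person mistyping their own password hits a single username and is not flagged.
    'hits' lists the accounts that accepted a credential from a flagged source,
    i.e. the password-reusing users the text describes (hypothetical thresholds)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "hits": set()})
    for _, ip, user, result in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if result == "OK":
            stats["ok"] += 1
            stats["hits"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        success_ratio = stats["ok"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts and len(stats["users"]) >= min_users
                and success_ratio <= max_success_ratio):
            flagged[ip] = {"attempts": stats["attempts"],
                           "distinct_users": len(stats["users"]),
                           "hits": sorted(stats["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, summary in flag_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample, the first source is flagged (7 attempts, 7 distinct users, one success against "frank") while the second is not: a single user retrying their own password is the benign case the distinct-user threshold is meant to exclude.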
Can Web Applications Be Secured?
It continues to get more challenging for organizations to secure their web applications, given the significant increase in users driven by rapid digital transformation and our growing dependency on them. Other emerging technologies and industries significantly increase our dependency on web apps as well. For example, the Internet of Things (IoT), which lets us digitalise our everyday appliances, does increase our comfort but also increases the attack surface for cyberattacks.
As discussed previously, even vehicle charging stations have been found to be vulnerable to cyberattacks.
Moreover, it is evident that web applications are a core part of the technological advancement any organization undertakes, so securing them has to be every organization’s concern.
Organizations’ failure to patch vulnerabilities on time has made unpatched software a significant source of data breaches. More than 11,000 vulnerabilities have been reported to the Common Vulnerabilities and Exposures (CVE) database, of which 34% still remain unpatched. As seen previously, attackers have widely targeted unpatched systems while organizations struggle to come up with an effective patch management process.
It can be concluded that organizations will have to schedule scans, patch security vulnerabilities immediately, review their code and implement additional security layers for prevention.