Radware, a provider of cybersecurity and application delivery solutions, released a new study today titled ‘Radware Research: Web Application Security in a Digitally Connected World’. The report takes an in-depth look at how organizations protect their web applications, identifies clear gaps in security among common DevOps practices, highlights top attack types and vectors, and identifies key areas of risk and concern.
The research, which focused on such highly targeted industries as retail, healthcare and financial services, exposes the proliferation of bot-driven Web traffic and its impact on organizations’ application security. In fact, bots generate more than half (52 percent) of all Internet traffic. For some organizations, bots represent more than 75 percent of their total traffic. This is a significant finding considering that one in three (33 percent) organizations cannot distinguish between ‘good’ bots and ‘bad’ ones.
The report also found that nearly half (45 percent) of respondents had experienced a data breach in the last year, and 68 percent are not confident they can keep corporate information safe. What’s more, companies often leave sensitive data under-protected. In fact, 52 percent do not inspect the traffic that they transfer to and from APIs, and 56 percent do not have the ability to track data once it leaves the company.
Any organization that collects information on European citizens will soon be required to meet the strict data privacy rules imposed by the General Data Protection Regulation (GDPR). The regulation takes effect in May 2018. However, with less than a year until the due date, 68 percent of organizations are not confident they will be ready to meet these requirements in time.
“It’s alarming that executives at organizations with sensitive data from millions of consumers collectively don’t feel confident in their security,” said Carl Herberger, Vice President of Security Solutions at Radware. “They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines.”
According to Dr. Larry Ponemon, “This report clearly shows that pressure to continuously deliver application services limits DevOps’ ability to ensure web application security at various stages in the SDLC.”
Key Survey Findings Include:
Application security is an afterthought. Everyone wants the full automation and agility that the continuous delivery model of app development provides. Half (49 percent) of the respondents currently use continuous delivery of application services, and another 21 percent plan to adopt it within the next 12-24 months. However, continuous delivery can compound the security challenges of app development: 62 percent say it increases the attack surface, and approximately half say that they do not integrate security into their continuous delivery process.
Bots are taking over. Bots are the backbone of online retail today. Retailers use bots for price aggregation sites, electronic couponing, chatbots, and more. In fact, 41 percent of retailers reported that more than 75 percent of their traffic comes from bots, yet 40 percent still cannot distinguish between “good” and “bad” bots. Malicious bots are a real risk. Web scraping attacks plague retailers by stealing intellectual property, undercutting prices, holding mass inventory in limbo, and buying out inventory to resell goods through unauthorized channels at markup. But bots are not the exclusive problem of retailers. In healthcare, where 42 percent of traffic is from bots, only 20 percent of IT security execs were certain they could identify the “bad” ones.
API security is often overlooked. Some 60 percent of organizations both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet 52 percent don’t inspect the data that is being transferred back and forth via their APIs, and 51 percent don’t perform any security audits or analyze API vulnerabilities prior to integration.
Holidays are high risk for retailers. Retailers face two distinct but highly damaging threats during the holidays: outages and data breaches. Web outages during the holiday season, when retailers make most of their profits, could have disastrous financial consequences. Yet more than half (53 percent) are not confident in their ability to provide 100 percent uptime of their application services. High-demand periods like Black Friday and Cyber Monday also spell trouble for customer data: 30 percent of retailers say they lack the ability to secure sensitive data during these periods.
Patient healthcare data is at risk. Just 27 percent of healthcare respondents are confident they could safeguard patients’ medical records, even though nearly 80 percent are required to comply with government regulations. Patching systems is critical to an organization’s security and its ability to mitigate today’s leading threats, but some 62 percent of healthcare respondents have little or no confidence in their organization’s ability to rapidly adopt security patches and updates without compromising operations. More than half (55 percent) of healthcare organizations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organizations are particularly unlikely to monitor the Darknet for stolen data: 37 percent said they did so, compared to 56 percent in financial services and 48 percent in retail.
Multiple touchpoints equal higher risk. The rise of new financial technology (like mobile payments) has increased the access and volume of engagement with consumers, which, in turn, increases the number of access points with vulnerabilities and expands the risk security executives face. While 72 percent of financial services organizations share usernames and passwords and 58 percent share payment details via APIs, 51 percent do not encrypt that traffic, potentially exposing valuable customer data in transit.
The survey, conducted by Ponemon Research on behalf of Radware, included responses from more than 600 chief information security officers and other security leaders across retail, healthcare, and financial services on six continents.