43% of Data Breaches Connected to Application Vulnerabilities: Assessing the AppSec Implications

Web applications are a growing focus point for cyber criminals. Motivated by financial outcomes, they understand the value of the information exchanged and stored in web applications. The 2020 Verizon Data Breach Investigations Report (DBIR) confirms that this is the case: 43% of data breaches are tied to web application vulnerabilities—which more than doubled year over year. Legacy, outside-in DevOps security is failing, and a new approach is needed that takes an inside-out approach.

It makes complete sense. Cyber criminals hone their attacks on vectors that produce the most and best financial outcomes. For example, the latest iteration of Verizon’s Data Breach Investigations Report (DBIR) finds that 86% of data breaches are financially motivated—up 15% over the previous year. In contrast, espionage—the second-highest motive—declined from 2018 to 2020.

Almost Half of Data Breaches Are the Result of Application Vulnerabilities

The Verizon report also reveals that web applications show up as a vector to which cyber criminals have increasingly turned their attention over the past year: 43% of all data breaches analyzed by Verizon this past year were the result of a web application vulnerability. This more than doubled over the previous year, an indication that there is something happening here worth further analysis. As the adage goes, “when there is blood in the water,” sharks will sense the smell and gather for a feeding frenzy.

Sponsorships Available

Sponsorships Available

Sponsorships Available

43% of data breaches that Verizon analyzed this past year targeted web applications.

The cost of a data breach is certainly not something organizations can ignore. Ponemon Institute and IBM examined the impact of data breaches across industries—everything from lost business to regulatory fines and remediation costs—and pinpointed the average cost at $3.92 million. The average size of a breach amounts to over 25,000 records. And the numbers are going up—rising 12% over the last five years.

Reasons for Growing Cyberattacks on Web Applications

So, what might be the cause of increased cyberattacks around web applications? There are several different reasons they are paying more heed.

More Applications, More APIs, More Sophistication

Most businesses have embraced some set of digital transformation initiatives today. Customer-, partner-, and employee-facing applications are critical drivers, and organizations see modern software development life cycles (SDLC), as enabled by Agile and DevOps, as means for achieving the velocity needed to accelerate business models—delivering enhanced customer experiences, new revenue opportunities, and improved operational efficiencies. A recent study by Okta on applications finds that the average business uses 88 applications, a 21% increase since three years ago. Interestingly, for customers using Okta for more than four years, the average number of applications is 190.

All signs are that the rush to embrace Agile and DevOps—enhancements to legacy applications and development of new ones—will continue. Indeed, based on a recent study by OpsRamp, despite economic uncertainty due to COVID-19 (spending slowdown to unemployment), 61% of IT and DevOps leaders expect to accelerate their digital transformation initiatives and projects (with 58% increasing spending). Nearly two-thirds of the digital transformation initiatives and projects fall into the areas of Agile and DevOps.

More than 6 in 10 IT and DevOps leaders expect to accelerate digital transformation initiatives and projects, despite the economic conditions resulting from COVID-19.

Naturally, as a result of this growth in applications and faster velocity per modern SDLC, legacy AppSec that relies on capabilities such as line-by-line code scanning (static application security testing [SAST]) and black-box testing (dynamic application security testing [DAST]) simply cannot scale. As these AppSec models rely on signature-based engines to identify application vulnerabilities, they miss false negatives (unknown threats and zero-day attacks) that expose organizations to serious risks. They also incur large numbers of false positives that lead to alert fatigue, which when combined with pressure from C-suite leaders to place velocity and code releases over security, ratchet risks up further.  

As organizations embrace Agile and DevOps practices, they are adopting containers and microservices to help accelerate and optimize their SDLC. But this can result in an AppSec “tool soup” that is time-consuming to manage and can actually slow development cycles.

As the interconnectivity between web applications increases, the number of application programming interfaces (APIs) that provide various access points for data flows into and out of applications grow accordingly. They are the regularly stated ways applications talk to one another, and thus there is an API for every component in an application. The result is that organizations often manage hundreds or even thousands of APIs, many of which are exposed externally to customers and partners. These APIs are developed internally (about half), created by managed services providers and other partner organizations (28%), and leveraged from open-source libraries (19%).

43% of API developers, testers, and product leaders list security as a major concern.

But as the number of APIs grow in number, so do the number of potential vulnerabilities that can be exploited—enabling cyber criminals to exfiltrate valuable data such as personally identifiable information (PII) of customers and intellectual property (IP). It is not surprising that Gartner predicts that APIs will be the most targeted attack vector in the enterprise within two years.

A More Advanced Threat Landscape

Bad actors are no longer primarily comprised of individual hacktivists who operate in the stealth of their garages. Verizon categorizes nearly 60% of cyber criminals as organized crime, and another 15% as nation-state actors. Attacks on web applications typically require greater sophistication and organization than email-borne attacks.

As cyber criminals gain greater organization and wherewithal, they simultaneously acquire technological capabilities and sophistication that was previously not possible—from polymorphic and metamorphic malware to the use of botnets and artificial intelligence (AI) to weaponize attacks further. The growth of the dark web, which includes Malware-as-a-Service (MaaS) capabilities, also lowers the bar for cyber criminals to instigate advanced application attacks. These cyber-attack advancements also shrink the time for mean time to resolution (MTTR).

Legacy AppSec Cannot Keep Pace with Modern SDLC

It is unacceptable for organizations to simply resign themselves to using legacy AppSec models that fail to protect them from cyberattacks. The fact that the average number of vulnerabilities per application is the same today—26.7—as it was almost two decades ago is corroboration that the status quo is unacceptable. Further, as the research data from Ponemon Institute and IBM demonstrates, data breaches pose serious financial implications—which can destroy small and midsize businesses and have measurable repercussions on the enterprise (from diminished revenue, to executive management firings, to lower stock valuations).

Doing the same thing simply does not make sense. Traditional static and dynamic application security testing models that approach AppSec from the outside-in are flawed. A paradigm shift is needed—an AppSec model that analyzes software for vulnerabilities from the inside- out and that uses instrumentation to automate vulnerability management.