Post pandemic, most companies are now operating a hybrid model with employees working both in the office and from home. This new way of working has intensified the importance of web apps, with many businesses rapidly upgrading their existing web services, exposing older apps or deploying wholly new ones. Unfortunately, in the scramble to rapidly build new applications, particularly when using APIs and open source software, security is often being overlooked.
Businesses should now be aware of three new and evolving critical attack vectors – we’re calling them the ‘new ABCs of application security’.
A is for API vulnerabilities
Applications have been a top attack vector for some years, but the attacks are no longer limited to traditional techniques such as cross-site scripting, SQL injection and command injection. They have now spread to APIs (Application Programming Interfaces) and mobile apps.
A high-profile example of an app with security vulnerabilities was the suddenly ubiquitous Zoom. Its meetings were, by default, protected by a six-digit numeric password, so any meeting was using one of only 1 million possible passwords. Although that may sound like a lot, a researcher discovered that these passwords were brute-forceable, opening the door to Zoom bombing and similar attacks.
Importantly, the join process had no rate limiting enabled, so one researcher could try passwords continuously, discovering the correct one after only 29 minutes. With multiple machines guessing in parallel, the password could be cracked very quickly.
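The missing control in the story above is a limit on failed join attempts. The following is an added example written for this article, not Zoom's code or anything the vendor published: a guard around a numeric meeting-passcode check that locks a source after a few failures and, because parallel machines spread guesses across many sources, also caps total failures per meeting. Class and function names, the thresholds and the sample passcodes are assumptions made for the illustration.

```python
"""Added example (not from the article): rate limiting and lockout around a
numeric meeting-passcode check. Names, thresholds and passcodes are assumed."""
import hmac
import time
from collections import defaultdict, deque

# Policy values are assumptions for the example, not any vendor's settings.
MAX_FAILURES_PER_SOURCE = 5      # failed joins one source may make per window
MAX_FAILURES_PER_MEETING = 50    # failed joins across all sources per window
WINDOW_SECONDS = 600             # sliding window for counting failures
LOCKOUT_SECONDS = 900            # how long a source or meeting stays locked


def _prune(events, now):
    """Drop failure timestamps that have aged out of the sliding window."""
    while events and now - events[0] > WINDOW_SECONDS:
        events.popleft()
    return events


class JoinGuard:
    def __init__(self, passcodes, clock=time.monotonic):
        self._passcodes = passcodes                  # meeting_id -> passcode
        self._clock = clock                          # injectable for tests
        self._source_failures = defaultdict(deque)   # (meeting, source) -> times
        self._meeting_failures = defaultdict(deque)  # meeting -> times
        self._locked_until = {}                      # lock key -> expiry time

    def _locked(self, key, now):
        return self._locked_until.get(key, 0) > now

    def attempt_join(self, meeting_id, source, passcode):
        """Return 'joined', 'denied', 'locked' or 'meeting_locked'."""
        now = self._clock()
        src_key = (meeting_id, source)
        if self._locked(meeting_id, now):
            return "meeting_locked"
        if self._locked(src_key, now):
            return "locked"
        expected = self._passcodes.get(meeting_id)
        # Constant-time comparison; an unknown meeting id counts as a failure.
        if expected is not None and hmac.compare_digest(expected, passcode):
            self._source_failures.pop(src_key, None)
            return "joined"
        src_events = _prune(self._source_failures[src_key], now)
        src_events.append(now)
        mtg_events = _prune(self._meeting_failures[meeting_id], now)
        mtg_events.append(now)
        # A distributed guesser spreads attempts over many sources, so the
        # per-meeting cap is what actually bounds the total guess rate.
        if len(mtg_events) >= MAX_FAILURES_PER_MEETING:
            self._locked_until[meeting_id] = now + LOCKOUT_SECONDS
            return "meeting_locked"
        if len(src_events) >= MAX_FAILURES_PER_SOURCE:
            self._locked_until[src_key] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


class FakeClock:
    """Deterministic clock so lockout expiry can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = JoinGuard({"meeting-1": "048213"}, clock=clock)   # constructed
    for guess in ("000000", "000001", "000002", "000003", "000004"):
        print(guess, guard.attempt_join("meeting-1", "src-a", guess))
    print("correct code while locked:",
          guard.attempt_join("meeting-1", "src-a", "048213"))
```

With these numbers a single source gets five guesses per lockout period and the whole meeting fifty, so the million-code space can no longer be walked through in minutes; the per-meeting lock is the piece that also answers the "multiple parallel machines" case, at the cost that a host must be able to clear it.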
B is for Bot attacks
Meanwhile, bot attacks are hitting businesses in other ways, the most damaging of which are account takeover and DDoS (Distributed Denial of Service) attacks.
One malicious attempt tried to overwhelm the login portal of a major Indian manufacturing company, which was experiencing unusually high traffic coming primarily from mobile networks. This was unusual, but not unexpected. Further analysis, however, determined that the incoming traffic was more likely from a hotspot-connected desktop browser impersonating multiple mobile devices. The ‘multiple clients’ were successfully blocked and page response time was restored to normal.
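The tell in that case was one network source presenting itself as many different phones. The following is an added example, not code from the article or from the vendor involved: it parses combined-format web server log lines and flags any source address that sends a login page an unusually large number of distinct mobile User-Agent strings. The log lines are constructed, the addresses come from documentation ranges, and the threshold is an assumption.

```python
"""Added example (not from the article): flag a source address that presents
many distinct mobile User-Agent strings to a login page. Log lines are
constructed and the threshold is an assumption."""
import re
from collections import defaultdict

# Apache/nginx "combined" format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
MOBILE_MARKERS = ("Mobile", "Android", "iPhone", "iPad")

# Representative User-Agent strings (constructed for the sample).
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 "
             "Mobile/15E148 Safari/604.1")
UA_IPAD = ("Mozilla/5.0 (iPad; CPU OS 14_4 like Mac OS X) "
           "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 "
           "Mobile/15E148 Safari/604.1")
UA_PIXEL = ("Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/89.0.4389.90 Mobile Safari/537.36")
UA_GALAXY = ("Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/88.0.4324.181 Mobile Safari/537.36")
UA_DESKTOP_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                     "AppleWebKit/537.36 (KHTML, like Gecko) "
                     "Chrome/89.0.4389.90 Safari/537.36")
UA_DESKTOP_FIREFOX = ("Mozilla/5.0 (X11; Linux x86_64; rv:86.0) "
                      "Gecko/20100101 Firefox/86.0")


def _line(ip, method, path, status, ua, ts="12/Mar/2021:10:00:01 +0000"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: one address cycles through four "devices" at /login.
SAMPLE_LOG = [
    _line("203.0.113.7", "POST", "/login", 401, UA_IPHONE),
    _line("203.0.113.7", "POST", "/login", 401, UA_PIXEL),
    _line("203.0.113.7", "POST", "/login", 401, UA_GALAXY),
    _line("203.0.113.7", "POST", "/login", 401, UA_IPAD),
    _line("203.0.113.7", "GET", "/login", 200, UA_DESKTOP_CHROME),
    _line("198.51.100.5", "POST", "/login", 200, UA_IPHONE),
    _line("198.51.100.5", "GET", "/account", 200, UA_IPHONE),
    _line("192.0.2.9", "GET", "/login", 200, UA_DESKTOP_FIREFOX),
]


def parse_line(line):
    """Return the named fields of a combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_mobile(ua):
    """Crude device classification based on well-known UA markers."""
    return any(marker in ua for marker in MOBILE_MARKERS)


def find_impersonators(lines, path="/login", min_distinct_mobile_uas=3):
    """Map each suspicious source IP to its distinct mobile UA count and hits.

    A source is suspicious when it presents at least min_distinct_mobile_uas
    different mobile User-Agent strings against the monitored path.
    """
    mobile_uas = defaultdict(set)
    requests = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        requests[rec["ip"]] += 1
        if is_mobile(rec["ua"]):
            mobile_uas[rec["ip"]].add(rec["ua"])
    return {
        ip: {"distinct_mobile_uas": len(uas), "requests": requests[ip]}
        for ip, uas in mobile_uas.items()
        if len(uas) >= min_distinct_mobile_uas
    }


if __name__ == "__main__":
    for ip, info in find_impersonators(SAMPLE_LOG).items():
        print(ip, info)
```

Many legitimate devices also share one address behind a corporate NAT or a carrier-grade NAT, so in production this signal is combined with the failed-login ratio, request rate and time window rather than used alone, and the threshold is tuned against the site's own baseline.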
C is for Client-side attacks
Client-side attacks, also known as supply chain attacks, were first identified around 2018 and dubbed Magecart, after the Magento online shopping platform they primarily targeted. Such attacks are notoriously difficult to detect and block.
More recently, the number of vulnerabilities and breaches attributed to APIs and client-side attacks has grown exponentially, with breaches at companies such as T-Mobile and British Airways making headlines for all the wrong reasons.
In September 2020, Visa issued a warning about a new online skimmer called Baka that was performing client-side skimming attacks. It was designed to run only from memory, so that no trace of it would be found in the browser's storage.
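A skimmer that never touches disk leaves nothing for storage scanning to find, so the practical defence is to constrain which scripts a payment page may execute at all, using the browser's standard Content-Security-Policy and Subresource Integrity mechanisms, and to audit the page's script inventory against that policy. The following is an added example, not code from the article, from Visa or from any skimmer analysis: it lists the script elements in a checkout page, reports those a strict policy would reject, and emits the matching script-src header. The HTML, the origins and the integrity hash are constructed placeholders.

```python
"""Added example (not from the article): audit the <script> elements of a
checkout page against an allowlist of script origins and build the matching
Content-Security-Policy. HTML, origins and the hash are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its attributes and whether it has a body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append({"attrs": dict(attrs), "inline": False})
            self._open = True

    def handle_data(self, data):
        if self._open and data.strip():
            self.scripts[-1]["inline"] = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False


def script_origin(src):
    """Return scheme://host for an absolute URL, or None for a same-origin path."""
    u = urlparse(src)
    if not u.netloc:
        return None
    return f"{u.scheme or 'https'}://{u.netloc}"


def audit_scripts(html, allowed_origins):
    """Return (finding, src) pairs for scripts a strict CSP/SRI policy rejects."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        attrs, src = s["attrs"], s["attrs"].get("src")
        if src is None:
            # Inline code runs only if it carries the per-response nonce.
            if s["inline"] and not attrs.get("nonce"):
                findings.append(("inline-without-nonce", None))
            continue
        origin = script_origin(src)
        if origin is None:
            continue  # first-party path served from our own origin
        if origin not in allowed_origins:
            findings.append(("origin-not-allowlisted", src))
        elif not attrs.get("integrity"):
            # Allowed host, but a silently changed file would still load.
            findings.append(("missing-sri", src))
    return findings


def build_csp(allowed_origins, nonce):
    """script-src policy that enforces the same allowlist audit_scripts checks."""
    sources = " ".join(sorted(allowed_origins))
    return (f"script-src 'self' 'nonce-{nonce}' {sources}; "
            "object-src 'none'; base-uri 'self'")


# Constructed checkout page; the hash value is a placeholder, not a real digest.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.psp.example/sdk.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.psp.example/analytics.js"></script>
<script src="https://static.unknown-cdn.example/loader.js"></script>
<script>window.dataLayer = [];</script>
<script nonce="r4nd0mN0nce">init();</script>
</head><body></body></html>
"""
ALLOWED_ORIGINS = {"https://cdn.psp.example"}   # assumed payment-provider CDN


if __name__ == "__main__":
    for finding, src in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_ORIGINS):
        print(f"{finding}: {src}")
    print(build_csp(ALLOWED_ORIGINS, "r4nd0mN0nce"))
```

Running the audit on every deploy, and comparing the resulting script inventory with the previous one, turns a new or altered script tag on the payment page into an alert; the CSP then makes the browser refuse anything the audit did not approve, whether or not the injected code ever touches storage.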
Preparing for the new ABCs of application security
Companies are being breached more than ever through their web and API applications. As newer technologies proliferate, attackers work to identify ways to bypass their security measures and breach them. APIs, bot attacks and client-side attacks are the latest routes they are using to breach applications for fun and profit.
Our research shows that many companies are moving to address these security risks by deploying new solutions in the coming year, such as bot protection (41%), API gateway (36%), and software supply chain protection (scanning) (33%). But the more solutions they add, the more complex application security becomes.
To provide effective protection, an application security solution needs to be a platform that is capable of protecting customers against all of these attack vectors. A platform approach provides powerful protection against both traditional and emerging threats while remaining easy to use and manage.
Learn more about the new ABCs of Application Security and how you can take action to prevent such attacks in this free downloadable eBook.