The Verizon Data Breach Investigations Report (DBIR) is probably one of the most widely read reports in cyber security. Verizon released the 2021 edition of the report on May 13, 2021.
Since K2 Cyber Security focuses on application security, we thought we’d take a look at this latest report with a lens on web application and application workload security.
First, the press release issued by Verizon points out an important statistic related to web applications in the cloud: “The report highlights the challenges facing businesses as they move more of their business functions to the cloud – with attacks on web applications representing 39% of all breaches.” If protecting your organization from breaches is important, then protecting web applications in the cloud should be a primary area of focus.
Here are some other interesting tidbits and statistics we gathered from the report around application security:
- Web applications remain the top vector used in hacking-related breaches, at over 90%.
- Web applications (on servers) were involved in over 50% of incidents, and servers of all kinds (web application, email, file and database) were involved in over 80% of incidents and in almost 90% of breaches.
- Quote from the report: “breaches are moving toward social and webapp vectors, and those are becoming more server based, …” showing the importance of protecting web applications.
- Quote from the report: “external cloud assets were more common than on-premises assets in both incidents and breaches … cloud assets deserve a seat at the grown-up security table and a piece of your budget pie”, showing the need for and importance of security for applications hosted in the cloud.
- Organizations with known vulnerabilities typically have older vulnerabilities in their applications, rather than current ones. This is a frightening statistic, because it means organizations probably don’t know they’re vulnerable and have missed detecting these older vulnerabilities (dates ranged from 2006 to 2017, with most vulnerabilities dating back to 2010 – 11 years ago). “These older vulnerabilities are what the attackers continue to exploit.”
- Patching of vulnerabilities is minimal at best. Even 75 days past discovery of a vulnerability, the patch rate was only around 40%, meaning roughly 60% of applications with vulnerabilities remained unpatched and open to attack.
- Web application attack patterns (in both incidents and breaches) are up at the highest recorded level (more than 2016, 2017, 2018, and 2019).
- 40% of system intrusions were due to hacking.
- 100% of threat actors in web application attacks were external and 89% of those threat actors were motivated by possible financial gains.
All of these statistics, and this report as a whole, should give every organization a reason to take a second look at how it is handling application security, especially in the cloud.
Take a Page from NIST to Improve Application Security
There are a number of simple measures an organization can take to improve its web application security stance. The first starts at the very beginning of application development: making sure developers take security into consideration when designing and coding applications. The second is making sure that software and operating systems are kept up to date with the latest updates and patches, so that known vulnerabilities that already have patches cannot be exploited.
In addition to these two fundamental starts to application security, there’s still a need to ensure security for web applications running in production, especially against threats either missed or not typically secured by network or system level security. The OWASP Top 10 Web Application Security Risks are a great example of risks that aren’t typically protected with network or system level security.
It is important to remember to have a security framework that offers a defense-in-depth architecture. Maybe it’s time to take a hint from the recent finalization of the National Institute of Standards and Technology (NIST)’s SP800-53 that was just released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) as added layers of security in the framework.
The latest revision of NIST SP800-53 includes the requirement of RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). It’s a first in recognizing these two advancements in application security by now requiring them as part of the security framework.
A RASP solution sits on the same server as the application and provides continuous security for the application during runtime. Because it runs alongside the application, a RASP solution has complete visibility into the application: it can analyze the application’s execution to validate that the code is executing as intended, and it can understand the context of the application’s interactions.
IAST is the other new recommendation for application security coming from the NIST revision, and if you haven’t heard of IAST, there’s a good definition available from Optiv:
“IAST is an emerging application security testing approach which combines elements of both of its more established siblings in SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). IAST instruments the application binary which can enable both DAST-like confirmation of exploit success and SAST-like coverage of the application code. In some cases, IAST allows security testing as part of general application testing process which provides significant benefits to DevOps approaches. IAST holds the potential to drive tests with fewer false positives/negatives and higher speed than SAST and DAST.”
With these two new requirements (RASP and IAST) for application security being added to the NIST framework, it’s really time to rethink how your organization is doing application security.
Here at K2 Cyber Security, we’d like to help out with your RASP and IAST requirements. K2 offers an ideal runtime protection security solution that detects true zero-day attacks while at the same time generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to detecting attacks based on prior attack knowledge. Deterministic security uses application execution validation, and verifies that API calls are functioning the way the code intended. There is no use of any prior knowledge about an attack or the underlying vulnerability, which gives our approach the true ability to detect new zero-day attacks. Our technology has 8 patents granted/pending, and has no false alerts.
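To make the idea of “validating that API calls function the way the code intended” concrete, here is a deliberately small, added illustration in Python of a RASP-style guard. It is not K2’s code or method: the allowlist of intended call sites, the `guarded_run` wrapper and the two application functions are all constructed for this example. The guard decides based on *which function* reached the sensitive API, not on what the arguments look like, which is what distinguishes execution validation from signature or pattern matching.

```python
"""Toy RASP-style guard: a sensitive API (process spawning) is only allowed
from the call sites the application code was written to use. Illustrative
example only; not K2 Cyber Security's implementation."""
import inspect
import subprocess

# Constructed (hypothetical) allowlist: which application function is intended
# to spawn which program. A real RASP would derive this by instrumenting the
# application rather than by hand.
INTENDED_CALL_SITES = {
    ("generate_report", "echo"),
}


class ExecutionViolation(Exception):
    """Raised when the sensitive API is reached from an unintended call site."""


def _caller_name(depth: int) -> str:
    """Name of the function `depth` frames above the function calling this helper."""
    frame = inspect.currentframe().f_back  # frame of our caller (validate_exec)
    for _ in range(depth):
        frame = frame.f_back
    return frame.f_code.co_name


def validate_exec(argv: list[str]) -> str:
    """Check the (caller, program) pair against the intended set.

    Returns the caller's name when the call is intended, otherwise raises.
    The payload itself is never inspected: this is execution validation.
    """
    caller = _caller_name(2)  # skip validate_exec and guarded_run
    program = argv[0] if argv else ""
    if (caller, program) not in INTENDED_CALL_SITES:
        raise ExecutionViolation(f"{caller}() attempted to execute {program!r}")
    return caller


def guarded_run(argv: list[str]) -> str:
    """Wrapper around the sensitive API: validate the call site, then execute."""
    validate_exec(argv)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def generate_report() -> str:
    """Intended application path: this function is allowed to run `echo`."""
    return guarded_run(["echo", "report generated"]).strip()


def render_comment(user_input: str) -> str:
    """Constructed unintended path: user data flows to the spawn API. The guard
    blocks it even though the program is the same benign `echo`, because this
    function was never meant to spawn processes at all."""
    return guarded_run(["echo", user_input])


def is_blocked(fn, *args) -> bool:
    """True if calling fn(*args) is stopped by the guard."""
    try:
        fn(*args)
    except ExecutionViolation:
        return True
    return False
```

Running `generate_report()` succeeds, while `render_comment("hello")` is blocked before any process is spawned, with no knowledge of any prior attack required.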
We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks, and how deterministic security fills the need for detecting zero-day attacks. The video covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, giving very specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 uses deterministic security. Watch the video now.
Change how you protect your applications: include RASP, and check out K2’s application workload security.