Cymatic released new survey results from C-suite and VP-level executives in IT and cybersecurity detailing the state of web application security. The survey included some troubling results, including the finding that 75 percent of IT leaders lacked confidence in their web application security. Surprising given that 34% of respondents used over 10 products to protect their web applications. In addition to the lack of confidence the survey also found that 65 percent of organizations experienced cyber attacks that bypassed their Web Application Firewall (WAF).
The results around WAF probably aren’t all that surprising given K2 already wrote previously that satisfaction around WAFs was only around 40 percent. K2 was also tapped for commentary on an article Dark Reading wrote about dissatisfaction with WAF technology, titled “When WAFs Go Wrong.”
Customers Report WAFs are Less Effective
These results are actually no surprise to us here at K2 Cyber Security, as this disappointment with WAFs is also what we’re hearing from our customers. Typically we hear that WAFs are less effective at combatting cyber attacks than they have been in the past and require more tweaking and configuration than they have required in the past. Both of these problems are leading the growing dissatisfaction with WAFs as a security tool.
Unfortunately though, we’re also told by the same customers that they have no plans to remove their WAF infrastructure because for many industries, the WAF is a required for compliance reasons. So they will remain in place, even if they are ineffective at securing the application infrastructure.
Take a Page from NIST for Application Security
If WAFs are no longer as effective as they used to be, what’s the answer for improving your organization’s application security? There are a number of simple measures an organization can take to improve their web application security stance. First starts at the very beginning of application development, and that’s making sure developers take security into consideration when developing and coding applications. Second, is making sure that software and operating systems are kept up to date, with the latest updates and patches to ensure known vulnerabilities that have patches are not exploited.
In addition to these two fundamental starts to application security, there’s still a need to ensure security for web applications running in production, especially against threats either missed or not typically secured by network or system level security. The OWASP Top 10 Web Application Security Risks are a great example of risks that aren’t typically protected with network or system level security.
It is important to remember to have a security framework that offers a defense-in-depth architecture. Maybe it’s time to take a hint from the recent finalization of the National Institute of Standards and Technology (NIST)’s SP800-53 that was just released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) as an added layer of security in the framework.
Runtime Application Self-Protection
RASP solutions like the one from K2 Cyber Security offer significant application protection, including protection of vulnerable applications, while at the same time using minimal resources and adding negligible latency to an application. K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects from application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry including the code module and line number being in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.
Change how you protect your applications, and check out K2’s web application and application workload security solution and evaluate K2’s effectiveness at detecting and protecting your organization from attacks.