Forrester just released a new report, The State of Application Security, 2020. One of the main observations from the report is that application vulnerabilities remain the main reason attacks succeed, being the source of 42% of attacks in 2020. In second place, 35% of attacks came through a web application, highlighting the continued need for application security. Some of the reasons applications and application vulnerabilities continue to be the main point of attack include the continued use of open source code, rapidly changing applications, and the pressure to bring applications to production faster.
One of the bright spots in the Forrester report is that organizations are starting to do more security testing in pre-production, during the development cycles of applications. But it’s not enough, as only 14% of organizations report they have security integrated throughout the Software Development Life Cycle (SDLC).
42% of global security decision makers whose firms experienced an external attack said it was carried out by exploiting a software vulnerability, and 35% said it was through a web application.
It’s another good reminder that when developing applications, even under pressure to speed up development, taking care of security early on will mean fewer vulnerabilities being exploited in production. Organizations need to test applications continuously throughout the development life cycle. Then, as they move applications to the internet, they need to keep security at the top of the checklist. It isn’t enough to rely on the security provided by your service provider or hosting platform. While service providers and hosting companies secure their own components, they aren’t responsible for the security of your organization’s assets or applications in the cloud (the shared responsibility model). Couple that gap with the continued attacks on vulnerabilities in application code (the 42% mentioned in the Forrester report) and on web applications (the 35% in the same report), along with the corresponding increase in zero-day attacks on these vulnerabilities that we’ve written about in the past, and you’ve got a sure recipe for more data breaches in the near future. It’s more important than ever to make sure you have security for your web applications and application workloads.
It’s also important to remember that zero-day attacks are becoming more and more sophisticated. Given the ingenuity found in each new zero-day attack, it’s more than likely the next big zero-day attack will have no foundation in a past attack. To detect the next new zero-day attack we need to change the way we approach security. We need to look at technologies that don’t rely on signatures of past attacks, for example, deterministic security based on the application itself rather than on past attacks.
K2’s runtime deterministic application security platform monitors the application and has a deep understanding of the application’s control flows, DNA and execution. Because it validates the application’s control flows, deterministic security is based on the application itself rather than on knowledge of past attacks to identify a zero-day attack. Deterministic security results in the detection of sophisticated zero-day attacks.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without relying on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry, including the code module and line number of the code being attacked, while at the same time integrating with leading firewalls to block attackers in real time.
Change how you protect your applications.