At least 10 attacks a year at Australian organisations go undetected by security tools, and are discovered only when something negative happens.
Fastly, Inc. (NYSE: FSLY), a global edge cloud platform provider, today released new research in partnership with Enterprise Strategy Group (ESG) that uncovers a crucial need for a unified, modern, and simplified approach to security. The study, based on insights from information security and IT professionals in Australia and globally, revealed growing concerns around adequately securing the rapidly rising number of mission-critical cloud services and API-centric applications introduced as part of ongoing digital transformations.
Applications are being modernised, coded and deployed more quickly than ever before; 47% of Australian organisations surveyed expect to support more than 200 internally-developed applications within two years, up from 33% of organisations today. Most if not all internal applications rely on APIs to support the use of microservices, to share data or interconnect with other applications. Organisations are amassing large API footprints as a result.
These APIs are increasingly targeted by attackers as an entry point into the organisation and a way to steal data. In response, organisations are layering multiple web application and API security tools in the hope of creating best-of-breed, defence-in-depth protection. The result is a patchwork of incompatible tools that cause more problems than they solve. Data correlation is difficult, there are multiple ‘blind spots’, and the number of alerts generated – and the proportion of false positives among them – is leading organisations to disable automated threat-blocking capabilities within the tools, or in some cases the tools themselves. The ESG study shows attackers are exploiting this to slip into many large Australian business environments undetected.
Nine out of ten Australian organisations experienced at least 10 attacks on their web applications and APIs in the past year that went undetected by security tools until they had a negative impact of some kind. For a quarter of Australian respondents, the negative impacts included legal problems, compliance issues, a loss of revenue or brand damage. For one in five respondents, the breaches led to downtime and customer experience impacts.
The types of attack varied, but included exploitation of the OWASP Top Ten (experienced by 31% of respondents) and zero-days (29%), malware infections (33%), account takeover (24%) and cloud service misconfiguration (21%). Outdated security offerings, alert fatigue and ineffective blocking are among the cracks in organisations’ security armour that allowed these incidents to slip through.
Australian organisations surveyed prefer security tools that can detect and block potential attacks automatically, but say their existing tools block too much legitimate business traffic when in this mode of operation. The overblocking impacted customer experience (for 40% of Australian respondents), wasted time (40%), led to system downtime or undetected attacks (37%), caused loss of revenue (30%) or led to a failure to meet service level agreements (21%). Many Australian organisations chose to disable blocking, or to limit its use to certain windows of time or application traffic types, in order to mitigate these potential impacts.
“One of the biggest security challenges we are seeing today is that technologies are rapidly evolving to better serve the growing demand for digital experiences, but the security offerings that protect those technologies are not experiencing that same level of transformation — and often erode the benefits of modern technology stacks,” said Kelly Shortridge, Senior Principal Technologist at Fastly. “Security tools should fuel innovation, actively support service resilience, and minimise disruption to software delivery workflows, rather than slowing build cycles and producing disjointed, unactionable, or irrelevant data.”
More than three-quarters of Australian respondents recognised an appropriate long-term response would be an overhaul of their security tooling and approach, moving to an evolved and consolidated web application and API security solution from a single vendor.
Stephen Gillies, Manager – Sales Engineering APAC, Fastly, added, “The DevOps movement proved that rapid automation and testing and rapid iteration would translate into more innovation. But innovation filled with risk is not really the end game. The next crucial step is to implement security directly into the internal app and API workflow process so it is not a hurdle to work around, but a part of the process that can move as quickly as the rest if done right. Otherwise, it’s just more of the same, and security will remain elusive.”
Research from the study also concludes:
- On average, Australian organisations surveyed spend close to $580,000 annually for web application and API security tools. Security is becoming more complex and costly as organisations are required to protect traditional architectures, in addition to new architectures and cloud environments.
- Traditional security tools are ineffective and impede business growth. Current security tools frequently block harmless business traffic, impacting the organisation’s bottom line. As a result, 72% of Australian respondents configured their security tools to run in log or monitoring mode only, rather than in blocking mode; 12% shut the tools off entirely; and 16% did both. This is despite 53% preferring to run tools in blocking mode, since it would reduce manual intervention and effort – if it worked effectively.
- Nearly half of all security alerts are false positives. A majority of Australian respondents spend as much time or more on false positives as they do on actual attacks, suggesting current security tools are causing more problems than they solve.
- 45% of Australian organisations surveyed believe most or all of their applications will use APIs in the next two years. Despite an anticipated increase in API implementation, organisations stated that web application and API security is more difficult than two years ago and indicated struggles to maintain adequate security across new application architectures. Driving these difficulties is the shift to public cloud and API-centric applications without a modern security solution to support those innovations.
- Distributed responsibility for security often adds complexity. Among Australian organisations surveyed, 63% have different teams responsible for securing web applications, but plan to merge and centralise these responsibilities in the future. Responsibilities may fall on developers, cloud engineers, IT ops or line-of-business owners; they rarely fall on dedicated security personnel. Cybersecurity typically gets involved only just before an app goes into production (35%) or when it starts to store sensitive data (28%).
“The responsibility for protecting enterprise assets, data, and users from cyber threats no longer falls solely on the security organisation, even as the threat landscape becomes increasingly complex. Application security, in particular, is a team sport that requires input and cross-functional collaboration across many parts of an organisation,” said John Grady, Senior Analyst at ESG. “As a result, security professionals have become frustrated with the complex and siloed nature of traditional application security solutions that fail to address these issues. Modern businesses require uniform tools and approaches that can minimise vulnerabilities between their public cloud infrastructure, microservices-based architecture, and legacy applications, while supporting a variety of personas.”
To download the full report, Reaching the Tipping Point of Web Application and API Security, visit https://www.fastly.com/web-application-and-api-security-tipping-point.