APIs, App Updates Create New Vulnerabilities

Enterprises need to build more security into API gateways and applications including encryption and authentication, Radware survey shows.

Carol Wilson, Editor-at-large

October 4, 2018

3 Min Read

Some of the technology tools that are fueling global enterprises are also making them more vulnerable to data breaches, a new survey by Radware reveals. Increased collection and sharing of data, growing use of web applications and more frequent updates to those apps all create new exposures and contribute to the increasing number and complexity of application-layer attacks.

The Radware 2018 State of Web Application Security report is based on a Merrill Research survey of 302 executives and IT professionals from global enterprises with revenues more than $250 million a year.

It found the vast majority -- 89% -- had experienced attacks against web applications or servers within the past 12 months, and that more than half were experiencing daily or weekly attacks.

Source: Radware 2018 State of Web Application Security

Source: Radware 2018 State of Web Application Security

One major reason is the failure to protect application programming interfaces (APIs) and API gateways, notes Mike O'Malley, Radware Ltd. (Nasdaq: RDWR)'s vice president of carrier strategy and business development. The vast majority of organizations who use API gateways do so to share or consume data, but 70% of survey respondents said they don't require authentication from third-party APIs and 62% don't encrypt data sent by APIs, which creates a major new landscape for data breaches.

"The vast majority of companies are not doing something on the API side," O'Malley said. He points to the massive breach of the Facebook API as an example of what can happen but adds that most organizations have false confidence in their own systems' security, with 90% of those surveyed saying they were confident their organizations could mitigate application-layer attacks. "They think if they haven't had a Black Swan attack in the last month, it's not going to happen to them."

Source: Radware 2018 State of Web Application Security

Source: Radware 2018 State of Web Application Security

The need to update applications on a daily or even hourly basis is also contributing to new security concerns. The survey shows about a third of all application types are updated on an hourly or daily basis, with another quarter being updated weekly. Those frequent changes can create new security problems, if there isn't an application security framework in place that automatically refreshes the security along with the change in application behavior, O'Malley notes. Re-provisioning static web security with each application change is not cost-effective.

While the survey addresses large global enterprises, he stresses the fact that potentially devastating security breaches aren't limited to large companies. In fact, smaller operations with fewer IT resources may be more vulnerable, particularly if they are repositories of sensitive customer data.

"A lot of people think this is a Tier 1 problem, and it won't affect them," O'Malley comments, citing his favorite example of the local car dealership, with its treasure trove of customer data including driver's license numbers and financial information. "They don't realize that it is not a matter of your size in terms of revenue and number of employees, it's more about intellectual property and personal data."

The impacts can be devastating, with 52% of those surveyed saying customers asked for compensation following a breach, almost as many reported major reputation loss and almost quarter said executives lost their jobs after a data breach.

To read more about this particular report, check out this story on our sister site, Light Reading. — Carol Wilson, Editor-at-Large, Light Reading

Read more about:

Security Now

About the Author

Carol Wilson

Editor-at-large

After a quarter of a century covering telecom, what Carol doesn't know about the industry can't even be Googled. Carol's CV, which is available as a partwork, includes spells at Telephony, Interactive Week and The Net Economy. She was also the founding of a telecom news website, BroadbandEdge. Prior to covering telecom, she covered higher education, business, politics, the arts, and sports for publications in North Carolina and Wisconsin. [Ed note: Is there such as thing as the arts in Wisconsin, technically speaking?]

Now working for Light Reading from her home aviary with faithful dog Sunny as her executive assistant and personal trainer, Carol welcomes feedback from her readers, particularly if they shout "Go Heels!" in her face at any given trade show.

In her current role, Carol is the link between the editorial team and other parts of the UBM Tech organization, including events. As part of her brief, she will be the Dean of the soon-to-be-launched Light Reading University, so if you were wondering about the outfit, now you know.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights