Applications are being modernised, coded and deployed more quickly than ever before: 47% of Australian organisations surveyed expect to support more than 200 internally-developed applications within two years, up from 33% of organisations today. Most if not all internal applications rely on APIs to support the use of microservices, to share data or interconnect with other applications. Organisations are amassing large API footprints as a result.
These APIs are increasingly targeted by attackers as an entry point into the organisation and a way to steal data. In response, organisations are layering multiple web application and API security tools in the hope of creating best-of-breed and defence-in-depth protection. The result is a patchwork of incompatible tools that cause more problems than they solve. Data correlation is difficult, there are multiple 'blind spots', and the amount of alerts generated - and proportion of false positives - is leading organisations to disable automated threat blocking capabilities within the tools, or in some cases the tools themselves. The ESG study shows attackers are exploiting this to slip into many large Australian business environments undetected.
Nine out of ten Australian organisations experienced at least 10 attacks on their web applications and APIs in the past year that went undetected by security tools until they had a negative impact of some kind. For a quarter of Australian respondents, the negative impacts included legal problems, compliance issues, a loss of revenue or brand damage. For one in five respondents, the breaches led to downtime and customer experience impacts.
The type of attacks varied, but included exploitation of the OWASP Top Ten (experienced by 31% of respondents) and zero-days (29%), malware infections (33%), account take-over (24%) and cloud service misconfiguration (21%). Outdated security offerings, alert fatigue and ineffective blocking are among the cracks in organisations' security armour that allowed these incidents to slip through.
Australian organisations surveyed prefer security tools that can detect and block potential attacks automatically, but say their existing tools block too much legitimate business traffic when run in this mode. The overblocking impacted customer experience (for 40% of Australian respondents), wasted time (40%), led to system downtime or undetected attacks (37%), caused loss of revenue (30%) or led to a failure to meet service level agreements (21%). Many Australian organisations chose to disable blocking, or to limit its use to certain windows of time or application traffic types, in order to mitigate these potential impacts.
"One of the biggest security challenges we are seeing today is that technologies are rapidly evolving to better serve the growing demand for digital experiences, but the security offerings that protect those technologies are not experiencing that same level of transformation -- and often erode the benefits of modern technology stacks," said Fastly senior principal technologist Kelly Shortridge. "Security tools should fuel innovation, actively support service resilience, and minimise disruption to software delivery workflows, rather than slowing build cycles and producing disjointed, unactionable, or irrelevant data."
More than three-quarters of Australian respondents recognised an appropriate long-term response would be an overhaul of their security tooling and approach, moving to an evolved and consolidated web application and API security solution from a single vendor.
Fastly APAC sales engineering manager Stephen Gillies added, "The DevOps movement proved that rapid automation and testing and rapid iteration would translate into more innovation. But innovation filled with risk is not really the end game. The next crucial step is to implement security directly into the internal app and API workflow process so it is not a hurdle to work around, but a part of the process that can move as quickly as the rest if done right. Otherwise, it's just more of the same, and security will remain elusive."
Research from the study also concludes:
● On average, Australian organisations surveyed spend close to $580,000 annually for web application and API security tools. Security is becoming more complex and costly as organisations are required to protect traditional architectures, in addition to new architectures and cloud environments.
● Traditional security tools are ineffective and impede business growth. Current security tools frequently block harmless business traffic, impacting the organisation's bottom line. As a result, 72% of Australian respondents configured their security tools to run in log or monitoring mode only, rather than in blocking mode; 12% shut the tools off entirely; and 16% did both. This is despite 53% preferring to run tools in blocking mode, since it would reduce manual intervention and effort - if it worked effectively.
● Nearly half of all security alerts are false positives. A majority of Australian respondents spend an equal amount of time or more on false positives as they do on actual attacks, suggesting current security tools are causing more problems than they solve.
● Forty-five percent of Australian organisations surveyed believe most or all of their applications will use APIs in the next two years. Despite an anticipated increase in API implementation, organisations stated that web application and API security is more difficult than two years ago and indicated struggles to maintain adequate security across new application architectures. Driving these difficulties is the shift to public cloud and API-centric applications without a modern security solution to support those innovations.
● Distributed responsibility for security often adds complexity. Among Australian organisations surveyed, 63% have different teams responsible for securing web applications, but plan to merge and centralise these responsibilities in the future. Responsibilities may fall on developers, cloud engineers, IT ops or line-of-business owners; they rarely fall on dedicated security personnel. Cybersecurity typically only gets involved just before an app goes into production (35%) or when it starts to store sensitive data (28%).
"The responsibility for protecting enterprise assets, data, and users from cyber threats no longer falls solely on the security organisation, even as the threat landscape becomes increasingly complex. Application security, in particular, is a team sport that requires input and cross-functional collaboration across many parts of an organisation," said ESG senior analyst John Grady. "As a result, security professionals have become frustrated with the complex and siloed nature of traditional application security solutions that fail to address these issues. Modern businesses require uniform tools and approaches that can minimise vulnerabilities between their public cloud infrastructure, microservices-based architecture, and legacy applications, while supporting a variety of personas."
To download the full report: Reaching the Tipping Point of Web Application and API Security, visit https://www.fastly.com/web-application-and-api-security-tipping-point.
To gather data for this report, ESG conducted a comprehensive online survey of information security and IT professionals knowledgeable about their organisation's application development practices and involved in security purchase processes (61%). The survey also included developers, engineering, and DevOps leaders who build and deliver applications for their organisation (39%). Respondents were distributed across North America (41%), Europe (30%), Australia, New Zealand and Japan (29%). Respondents were employed at organisations with 10 or more employees. Specifically, 10% were employed at small organisations (i.e., those with 10 to 499 employees), 15% at mid-market organisations (i.e., those with 500 to 999 employees), and 75% at enterprises (i.e., organisations with 1,000 or more employees). Respondents represented numerous industry and government segments, with the largest participation coming from manufacturing (23%), financial services (14%), retail/wholesale (14%), technology (11%), healthcare (8%), and communications (8%). The survey was fielded between 17 March 2021 and 31 March 2021.
Fastly helps people stay better connected with the things they love. Fastly's edge cloud platform enables customers to create great digital experiences quickly, securely, and reliably by processing, serving, and securing our customers' applications as close to their end-users as possible — at the edge of the internet. Fastly's platform is designed to take advantage of the modern internet, to be programmable, and to support agile software development with unmatched visibility and minimal latency, empowering developers to innovate with both performance and security. Fastly's customers include many of the world's most prominent companies, including Pinterest, The New York Times, and GitHub. Australia and New Zealand customers include Freelancer, Kogan, Linktree, NRL, Radio New Zealand, Seven Network, Trademe and Vodafone.
Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community. Learn more at www.esg-global.com.