
Application security 2021 report — How bad bots and broken APIs are putting European business data at risk
Almost three-quarters (72%) of mid-to-large companies admit to having suffered at least one security breach caused by an application vulnerability in the last 12 months, with many being hit multiple times.
That’s according to the findings of a global survey of 750 application security decision-makers carried out by Vanson Bourne and Barracuda Networks in April 2021, which also found that the top challenges facing organisations are bot-based attacks, vulnerability detection, API security, and supply chain attacks.
The shift to remote working since the Covid-19 lockdowns, and the difficulties this has posed for organisations, have amplified the opportunities for application-based cyberattacks, which have become even more pervasive and aggressive over the last year.
When it comes to challenges facing application development and security, Europe had one major difference in the top five – threat remediation. Primarily driven by France and the DACH (Austria, Germany, Switzerland) region, this is likely due to strict privacy and compliance laws like the EU’s General Data Protection Regulation (GDPR). GDPR penalties hit the headlines in Germany late last year when fashion chain H&M was fined €35 million for incorrect storage of employee data.
Over the last two years, flawed API security was cited as a significant factor in successful data breaches by at least 70% of respondents globally, and as high as 77% for European respondents – showing just how important it is that organisations successfully protect their APIs.
No wonder then that API security was a big concern for the vast majority of those surveyed. Many of the participants deploy public-facing APIs for their customers and partners and most of the organisations are moving towards API-first development. While APIs make the development of newer versions of apps faster and extend their usability, they also create a far-reaching and growing attack surface for cybercriminals.
The companies surveyed said they are using an average of 33 public-facing APIs, each of which is a potential route to a breach and to direct access to the sensitive data behind the applications. Despite the fact that most organisations are using more than one tool to secure their API traffic, these tools aren’t providing adequate security. While they are deploying multi-layered protections for APIs, such as firewalls, gateways, and RASP solutions, there is undoubtedly still room for improvement.
It is also clear from the figures that the German-speaking DACH region still favours next-generation firewalls, which unfortunately offer very little protection for web applications and APIs. This is perhaps why we are seeing significant issues reported in this area of the Eurozone.
Almost two-thirds (64%) of European respondents had been breached through a web application vulnerability in the last 12 months, with the Germany/DACH region leading at 75% of respondents being breached. Just under half of European respondents said bot attacks on applications were the most likely source of successful data breaches in the last 12 months, compared to 40% of those surveyed in the Asia-Pacific region.
And bot-based attacks were cited as making up two of the top three app security risks, with breaches including scraping, spam, carding, and other fraud affecting organisations across all regions.
While bot spam may be viewed as more of a nuisance than a big risk, this activity is often used as a smokescreen to conceal a more targeted attack. That’s how the massive TalkTalk breach happened – a denial of service attack disguised an SQL injection, which was what actually led to the loss of customer data.
Online marketplaces for bots are becoming more commonplace and automated attacks initiated by these bots cover a large variety of vectors. And when different types of bots are used in conjunction with each other, they are all the more successful. Interestingly, bot protection and API gateways are the top two solutions that respondents were planning to deploy in the next 12 months.
Despite moves to ensure security is considered from the earliest stages of software development, the implementation of security measures slowing down the process of application development was another key concern.
With the prevalence of attacks reported by the survey’s respondents, it is obvious that more effective measures need to be taken in order to protect applications against bot attacks and API breaches. While organisations understand this, with many looking to deploy new solutions, app security becomes more complex when more solutions are added, which can add management headaches and hassle for users.
Another worrying figure arose from the study – 28% of respondents admitted that employee error was a contributing factor in their recent bot breach. However many security measures are in place, if an employee makes a mistake that leaves a vulnerability, bot attacks will absolutely exploit it. With these factors in mind, protecting applications from bot-based and API attacks should be top of mind for organisations.
A platform approach to securing applications provides powerful protection against traditional and novel threats, as well as being simple to deploy and manage. Organisations must reach out to third-party vendors for help with preventing, detecting, and identifying bot activity to protect themselves from attacks on their applications – without doing this they will inevitably be breached, or, in the case of most organisations, breached again.
Barracuda can help your organisation with this, with our Web Application Firewall service. Try it for free and schedule a demo.