A recently released report by F5 Networks has shed light on the frequency and nature of web application attacks. The first annual Application Protection Report from F5 surveyed 3,135 IT and security practitioners across the globe, while additional research conducted by Whatcom Community College (University of Washington Tacoma), along with data from WhiteHat Security and Loryka, served to make this one of the most comprehensive application protection reports available today.
This is according to a recent F5 article from Ray Pompon, a principal threat research evangelist with F5 Labs, who is also the author of the Application Protection Report.
Pompon explains that in the report: ‘…we provide a practical model for understanding the complexities of web applications; we look at the cold, hard facts about how, why, where, and how frequently apps are attacked; and we suggest concrete steps that security professionals can take today to protect their applications’.
Simon McCullough, major channel account manager at F5 in South Africa, says, “When apps are attacked, there are many different potential impacts, including denial of service, breach of confidential or sensitive information such as trade secrets and intellectual property, and the loss of potentially identifiable information for both customers and employees.
“Significant application breach risks, as outlined in the report, include payment card theft via web injection, website hacking, and app database hacking. The report is a mine of useful and practical information setting out the key risks regarding application attacks, and advice on how to protect this critically important IT layer, which is so key in today’s business environment.”
According to the report, the most significant new application risks include the following:
- Injection attacks against app services: These allow an attacker to insert commands or new code directly into a running application (also known as tampering with an app) and are rated as the number one risk to applications on the OWASP Top 10 2017 list.
- Account access hacking: This includes credentials stolen via compromised e-mails, access control misconfiguration, brute force attacks to crack passwords, credential stuffing from stolen passwords, and social engineering theft.
- Deserialisation attacks against app services: Serialisation occurs when an app converts its data into a format for transport, and deserialisation is the process of converting that data back again. This method was used to breach the credit reporting company Equifax in 2017 (the Apache Struts deserialisation injection), stealing the identities of 148 million Americans and 15.2 million UK citizens.
- Attacks against transport layer protection: Organisations need to ensure that all applications are running acceptable levels of encryption and have proper third-party signed certificates in place.
- Denial-of-service attacks against any component of the app: Such attacks are pervasive across all levels of the application tier, so it’s critical that every organisation has a response strategy.
- Scripting attacks against clients to hijack access: These attacks generally involve a client app encountering malicious scripting code planted by an attacker somewhere on a website, with the result that user credentials are stolen or access is hijacked, or else the client unknowingly runs unauthorised commands on a website.
- Malware attacks against app clients: This occurs when clients are attacked directly with malware that hijacks the browser to intercept the application authentication credentials. The advent of the European Union’s General Data Protection Regulation (GDPR) is likely to impose stricter protection of the client device. Malware that targets financial logins is quite common for both browser and mobile clients.
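The deserialisation risk in the list above comes down to one rule: never let untrusted bytes decide which code runs. The following is an added example, not code from the F5 report or from F5, showing the control point in Python's pickle module; the OrderRecord class and both payloads are constructed for illustration.

```python
"""Allow-list deserialisation: an example of hardening pickle against untrusted input."""
import io
import pickle
import subprocess
from dataclasses import dataclass


@dataclass
class OrderRecord:
    """Hypothetical application object that legitimately crosses a trust boundary."""
    order_id: int
    sku: str
    quantity: int


# Only these (module, name) pairs may be reconstructed from untrusted bytes.
ALLOWED_GLOBALS = {(__name__, "OrderRecord")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on the allow-list."""

    def find_class(self, module, name):
        # Plain pickle.loads() resolves *any* importable callable named in the
        # stream; overriding find_class is the documented place to stop that.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialise untrusted bytes, allowing only pre-approved types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def deserialise_status(data: bytes) -> str:
    """Return 'ok' if the payload deserialises, 'rejected' if the allow-list blocks it."""
    try:
        safe_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample payloads: a legitimate record, and a stream that names a
# process-spawning callable. Pickling the class object only records its import
# path; nothing is executed by building or loading it here.
GOOD_PAYLOAD = pickle.dumps(OrderRecord(order_id=42, sku="F5-APR-2018", quantity=1))
BAD_PAYLOAD = pickle.dumps(subprocess.Popen)
```

Plain `pickle.loads(BAD_PAYLOAD)` would happily resolve the reference; the restricted loader rejects it before any object is built, which is the behaviour to log and alert on.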
Anton Jacobsz, managing director at Networks Unlimited, a value-added distributor of F5 in Africa, concludes, “The report outlines that four key steps to take to protect your application security are: understand your environment; reduce your attack surface; prioritise your defences based on risk; and select flexible and integrated defence tools. The release of this report is a pivotal moment, pooling information from highly credible sources and giving IT professionals critically important knowledge of the current web application threats and what we can do to protect against them.”
To find out more, please contact Esti Bosch, F5 product manager at Networks Unlimited: firstname.lastname@example.org.