Web App Bugs Drove Multiple Breaches Per Firm in 2020

Web application vulnerabilities enabled attackers to breach organizations on average twice each last year, with bot-based raids the biggest challenge, according to Barracuda Networks.

The security vendor polled 750 application security decision makers to compile its latest report: The state of application security in 2021.

It revealed that nearly three-quarters (72%) of firms suffered at least one breach from a web app flaw, a third (32%) were hit twice and 14% were compromised three times.

Such incidents can be extremely damaging for organizations as they could enable attackers to steal sensitive customer information and credentials.

According to the latest Verizon Data Breach Investigations Report (DBIR), attacks on web applications represented 39% of all breaches it analyzed over the past year.

Respondents to the Barracuda Networks study claimed that bad bots were the biggest challenge for defenders (43%) followed by supply chain attacks (39%), vulnerability detection (38%) and securing APIs (37%).

Over two-fifths (44%) of respondents also claimed that malicious bots also led to a successful breach involving vulnerability exploitation.

As well as scanning for and exploiting flaws in web applications, bots can be set to work in price scraping, content scraping, account creation and takeover, fraud, denial of service and denial of inventory, according to Imperva.

The vendor claimed that bad bot traffic stood at 26% of all traffic last year, the highest percentage since it started measuring in 2014.

Supply chain attacks have also gained notoriety since the SolarWinds campaign in which sophisticated nation state operatives planted malware in software updates, breaching the defenses of at least nine US government agencies.

Tim Jefferson, Barracuda’s SVP engineering for data, networks and application security, argued that the rapid shift to remote work in 2020 has made web applications an even bigger target for threat actors.

“Organizations are struggling to keep up with the pace of these attacks, particularly newer threats like bot attacks, API attacks, and supply chain attacks, and they need help filling these gaps effectively,” he added.

What’s Hot on Infosecurity Magazine?