
Organizations rely on outdated methods to protect APIs


Security teams are facing a daunting challenge in keeping up with the ever-increasing risks posed by organizations’ reliance on modern applications, which serve as the foundation for the majority of today’s most popular websites. According to a report by Cloudflare, the sheer volume of threats stemming from issues in the software supply chain, the rising number of distributed denial of service (DDoS) attacks, and the proliferation of malicious bots are overwhelming dedicated application security teams.

Web applications and APIs play a critical role in enabling ecommerce sites to process payments, allowing healthcare systems to securely share patient data, and powering most activity on mobile devices. However, as dependence on these applications grows, so does the attack surface they present. This exposure is exacerbated by the pressure on developers to ship new features rapidly, many of them now driven by generative AI. Without proper protection, exploited applications can result in business disruptions, financial losses, and the compromise of essential infrastructure.

Matthew Prince, the CEO of Cloudflare, highlighted the inherent security vulnerabilities in web applications, emphasizing that despite their essential functions, these platforms are often not built with security in mind, making them attractive targets for hackers.

The report also sheds light on the escalating prevalence and impact of DDoS attacks, which remain a significant threat to web applications and APIs. Cloudflare’s data indicates that DDoS attacks accounted for 37.1% of all application traffic mitigated by the platform, with gaming, IT, cryptocurrency, and marketing the most targeted industries. Newly disclosed vulnerabilities are being exploited at an unprecedented pace, with some weaponized within minutes of a proof-of-concept (PoC) being published.

Automated bots also pose a substantial risk, comprising 31.2% of all web traffic, a significant portion of it unverified and potentially malicious. Manufacturing, cryptocurrency, security, and the US Federal Government are particularly exposed to bot attacks. Despite these threats, many organizations still rely on traditional web application firewall rules that follow a negative security model: they block requests matching known-bad signatures and allow everything else. API traffic is structured and well specified, so this approach misses requests that carry no attack signature but still violate the API contract, such as unexpected fields, wrong types, or out-of-range values; a positive security model that admits only traffic conforming to the API’s schema is the better fit.
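To make the difference concrete, the following added example (not code from the Cloudflare report or from the article) runs a handful of constructed requests against a hypothetical endpoint, POST /api/v1/transfer, through two checks: a signature blocklist in the style of a negative-model WAF rule set, and a field-by-field schema check in the positive-model style. The endpoint, the schema, the blocklist, and every request body are assumptions built for the example.

```python
"""
Added example: negative-model signature blocklist vs positive-model schema
validation for a hypothetical API endpoint (POST /api/v1/transfer).
Nothing here is taken from the report; the schema, blocklist and request
bodies are constructed for illustration.
"""
import json
import re

# --- Negative model: block requests matching known-bad patterns -------------
# Constructed blocklist in the style of classic WAF signatures.
BLOCKLIST = [
    re.compile(r"(?i)<script"),                # reflected XSS
    re.compile(r"(?i)\bunion\b.*\bselect\b"),  # SQL injection
    re.compile(r"\.\./"),                      # path traversal
]

def negative_model_allows(raw_body: str) -> bool:
    """Allow anything that does not match a known-bad signature."""
    return not any(p.search(raw_body) for p in BLOCKLIST)

# --- Positive model: allow only what the API specification permits ----------
# Constructed schema for the hypothetical endpoint: exactly these fields,
# these types, these ranges. Anything else is rejected.
TRANSFER_SCHEMA = {
    "from_account": {"type": str, "pattern": re.compile(r"^[0-9]{8,12}$")},
    "to_account":   {"type": str, "pattern": re.compile(r"^[0-9]{8,12}$")},
    "amount_cents": {"type": int, "min": 1, "max": 100_000_000},
    "memo":         {"type": str, "pattern": re.compile(r"^[\w ,.-]{0,64}$"), "optional": True},
}

def positive_model_allows(raw_body: str) -> tuple[bool, str]:
    """Accept only a JSON object that conforms field-by-field to the schema."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return False, "body is not valid JSON"
    if not isinstance(body, dict):
        return False, "body is not a JSON object"
    unknown = set(body) - set(TRANSFER_SCHEMA)
    if unknown:
        return False, f"unknown field(s): {sorted(unknown)}"
    for name, rule in TRANSFER_SCHEMA.items():
        if name not in body:
            if rule.get("optional"):
                continue
            return False, f"missing required field: {name}"
        value = body[name]
        # bool is a subclass of int in Python; an exact type check rejects it.
        if type(value) is not rule["type"]:
            return False, f"{name}: expected {rule['type'].__name__}"
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            return False, f"{name}: value does not match allowed pattern"
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            return False, f"{name}: out of range"
    return True, "ok"

# --- Constructed requests (not captured traffic) ----------------------------
REQUESTS = {
    "legitimate":  '{"from_account":"12345678","to_account":"87654321","amount_cents":2500}',
    # Classic injection: both models catch it.
    "sqli":        '{"from_account":"1 UNION SELECT 1","to_account":"87654321","amount_cents":1}',
    # Mass assignment: a field the API never declared. No signature matches,
    # so the blocklist lets it through; the schema does not.
    "mass_assign": '{"from_account":"12345678","to_account":"87654321","amount_cents":1,"is_admin":true}',
    # Type confusion: amount as a string, which a lax backend may coerce.
    "type_conf":   '{"from_account":"12345678","to_account":"87654321","amount_cents":"1e9"}',
    # Negative amount: reverses the transfer direction in a naive backend.
    "negative":    '{"from_account":"12345678","to_account":"87654321","amount_cents":-5000}',
}

def evaluate() -> dict[str, dict[str, bool]]:
    """Run every constructed request through both models."""
    results = {}
    for label, raw in REQUESTS.items():
        results[label] = {
            "negative_model": negative_model_allows(raw),
            "positive_model": positive_model_allows(raw)[0],
        }
    return results

if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:12} blocklist allows={verdict['negative_model']!s:5} "
              f"schema allows={verdict['positive_model']}")
```

Only the SQL injection body trips the blocklist; the mass-assignment, type-confusion, and negative-amount requests contain nothing a signature would recognise and pass straight through, while the schema check rejects all four malformed requests and admits only the legitimate one. In practice the schema would be generated from the API’s OpenAPI definition rather than hand-written, and the check would sit in the gateway or WAF in front of the application.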

Furthermore, organizations are increasingly exposed through their reliance on third-party software dependencies. On average, a website integrates 47.1 pieces of third-party code and establishes 49.6 outbound connections to external resources, typically to improve performance or add functionality. Each of those scripts runs with the privileges of the page that loads it, so a compromise or unannounced change at any one provider becomes a supply chain risk for the site, with attendant compliance issues and potential liabilities.
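A first step toward managing that exposure is knowing what the page actually loads. The following added example (not code from the report or the article) parses a constructed checkout page, counts the distinct third-party origins it references, and flags third-party scripts loaded without a Subresource Integrity (SRI) hash, which is the control that pins a script to a known content digest. The sample HTML, the first-party hostname, and the integrity value are all constructed for the example; the digest is a placeholder, not a real hash of anything.

```python
"""
Added example: inventory a page's third-party scripts and origins and flag
scripts loaded without Subresource Integrity. The HTML and hostnames are
constructed; the sha384 value is a placeholder, not a real digest.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRST_PARTY_HOST = "shop.example"  # constructed: the site's own hostname

# Constructed page in the style of an e-commerce checkout: first-party assets,
# several third-party tags, one of them pinned with SRI.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://cdn.example-vendor.com/lib/vendor.min.js"
        integrity="sha384-A0bq5c8sG1kqYxQfz5bFvV1Z6Q0nB2lN1yJ9wU3d7M1cX2aHr8oRtJv6ZpY4lK0E"
        crossorigin="anonymous"></script>
<script src="//ads.example-ads.com/loader.js"></script>
<img src="https://img.example-cdn.com/hero.png">
<iframe src="https://pay.example-psp.com/frame"></iframe>
</head><body></body></html>
"""

class DependencyInventory(HTMLParser):
    """Collect externally referenced resources and note which scripts lack SRI."""
    RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.third_party_origins: set[str] = set()
        self.third_party_scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)  # html.parser lowercases attribute names
        url = attrs.get(attr_name)
        if not url:
            return
        # Scheme-relative URLs ("//host/path") still load from another host;
        # path-only URLs ("/static/app.js") have an empty netloc.
        host = urlsplit(url, scheme="https").netloc.lower()
        if not host or host == self.first_party_host:
            return  # first-party asset
        self.third_party_origins.add(host)
        if tag == "script":
            self.third_party_scripts.append({
                "src": url,
                "has_sri": "integrity" in attrs,
            })

def inventory(html: str, first_party_host: str = FIRST_PARTY_HOST) -> dict:
    """Return distinct third-party origins and third-party scripts lacking SRI."""
    parser = DependencyInventory(first_party_host)
    parser.feed(html)
    unpinned = [s["src"] for s in parser.third_party_scripts if not s["has_sri"]]
    return {
        "third_party_origins": sorted(parser.third_party_origins),
        "third_party_scripts": len(parser.third_party_scripts),
        "scripts_without_sri": unpinned,
    }

if __name__ == "__main__":
    report = inventory(SAMPLE_HTML)
    print("third-party origins:", ", ".join(report["third_party_origins"]))
    print("third-party scripts:", report["third_party_scripts"])
    for src in report["scripts_without_sri"]:
        print("  no SRI:", src)
```

Two caveats a practitioner will want. First, this is a static inventory of the initial HTML, so it is a lower bound: tag managers and analytics loaders fetch further scripts at runtime, and those only show up in the browser’s network log or in Content-Security-Policy violation reports. Second, SRI only works for scripts whose content is fixed; a provider that rotates its script cannot be pinned this way, and for those the remaining controls are a restrictive `script-src` and `connect-src` policy and contractual review of the provider.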

The report also highlights the increasing prevalence of zero-day exploits and the rapid weaponization of disclosed CVEs. In 2023, 97 zero-day vulnerabilities were exploited in the wild, and the number of disclosed CVEs saw a 15% increase from the previous year. Despite the growing number of critical vulnerabilities, the average time taken to patch a critical web application vulnerability is 35 days, leaving organizations exposed to potential exploitation.

Enterprises are facing challenges in securing their IT infrastructure due to the disjointed nature of their security solutions, making it easier for attackers to exploit vulnerabilities in SaaS applications, web apps, and other critical systems. This fragmented approach to security hinders organizations’ ability to effectively protect their assets and mitigate potential cyber threats.
