In a survey of approximately 4.7 million web application-related cyber security incidents, Imperva Research Labs discovered that attacks are increasing by 22% per quarter. Worryingly, the pace of increase has itself continued to rise, with a 67.9% increase from Q2 2021 to Q3. One of the most noticeable rises was in Remote Code Execution (RCE) / Remote File Inclusion (RFI) attacks, which increased by 271%. Hackers use RCE / RFI attacks to steal information, compromise servers, or even take over websites and manipulate their content.
“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” said Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems. “The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones, and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.”
As a result of the growth in web app attacks, there has been a significant increase in data breaches. Imperva Research Labs discovered earlier this year that online applications are the source of 50% of all data breaches. With the frequency of breaches increasing by 30% each year and the number of records stolen increasing by an astounding 224%, it is anticipated that 40 billion records will be compromised by the end of 2021, with web application vulnerabilities expected to be responsible for roughly 20 billion.
“The pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible, and that is almost certainly a driving factor behind this surge in attacks,” says Peter Klimek, Director of Technology at Imperva.
The changing nature of application development is also extremely important. Developments such as the rapid growth of APIs and the shift to cloud-native computing are advantageous to DevOps, but these changes in application architecture and the accompanying increased attack surface are making security teams' tasks much harder, according to Peter.
During the pandemic, losses from fraud and cybercrime have spiraled out of control, with the National Fraud Intelligence Bureau estimating that over £1.3 billion was lost in the first half of 2021 alone, more than three times the amount lost in the same period in 2020. These estimates indicate that the problem will increase during 2022.
The usual approach of the security team identifying vulnerabilities and the development team correcting them will not work; Dzihanau said that the feedback cycle must be swift and collaborative.