Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams.

Today’s digital world runs on web applications and APIs. They allow ecommerce sites to accept payments, healthcare systems to securely share patient data, and power activities we do on our phones. However, the more we rely on these applications, the more the attack surface expands. This is further magnified by the demand for developers to quickly deliver new features—e.g., capabilities driven by generative AI. But if unprotected, exploited applications can lead to the disruption of businesses, financial losses, and the collapse of critical infrastructure.

"Web Applications are rarely built with security in mind. Yet, we use them daily for all sorts of critical functions, making them a rich target for hackers," said Matthew Prince, co-founder and CEO at Cloudflare. "Cloudflare's network blocks an average of 209 billion cyber threats for our customers every single day. The layer of security around today’s applications has become one of the most essential pieces to making sure the Internet stays secure."

Key findings from Cloudflare’s State of Application Security 2024 Report include:

DDoS attacks continue to increase in number and volume: DDoS remains the most leveraged threat vector to target web applications and APIs, comprising 37.1% of all application traffic mitigated by Cloudflare. Top targeted industries were Gaming and Gambling, IT and Internet, Cryptocurrency, Computer Software and Marketing and Advertising.

First to patch vs. first to exploit—the race between defenders and attackers accelerates: Cloudflare observed faster exploitations than ever of new zero-day vulnerabilities, with one occurring just 22 minutes after its proof-of-concept (PoC) was published.

Bad bots—if left unchecked—can cause massive disruption: One-third (31.2%) of all traffic stems from bots, the majority (93%) of which are unverified and potentially malicious. Top targeted industries were Manufacturing and Consumer Goods, Cryptocurrency, Security and Investigations, and US Federal Government.

Organizations are using outdated approaches to secure APIs: Traditional web application firewall (WAF) rules that use a negative security model—the assumption that most web traffic is benign—are most commonly leveraged to protect against API traffic. Far fewer organizations use the more widely accepted API security best practice of a positive security model—strict definitions on traffic that is allowed, rejecting the rest.

Third-party software dependencies pose growing risk: Organizations use an average of 47.1 pieces of code from third-party providers and make an average of 49.6 outbound connections to third-party resources to help enhance website efficiency and performance—e.g., leveraging Google Analytics or Ads. But as web development has largely shifted to allow these types of third-party code and activity to load in a user's browser, organizations are increasingly exposed to supply chain risk and liability and compliance concerns.

Featured

  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • Global IT Outage Cause by Faulty Update from Cybersecurity Provider CrowdStrike

    Systems are starting to come back online after a global IT outage on Friday disrupted everything from airline operations to banks and 911 call centers. Read Now

  • Securing the Flow of Operations

    The transportation industry is a complex and dynamic environment where efficient management of physical keys, vehicles and shared devices is critical to ensuring smooth operations, reducing costs and maintaining security. Every day, more transportation facilities are using modern electronic key and asset management systems to better secure, audit and manage the important assets that keep operations running smoothly. Read Now

  • The Recipe for Stadium Security

    The threat landscape of stadium security is fluid. Today’s venues and stadiums have operational security 24/7, hosting sporting events, community events, concerts, conventions and more – each with a unique visitor base and each with unique security risks. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3