A recent security incident investigation conducted by LastPass revealed that even cutting-edge password technology is not immune to cyberattacks. The consequential fallout sent shockwaves across the industry—with millions of customers' data compromised.
The passwordless future, biometrics, and encryption keys are supposed to be the answer to the top vectors of attacks, such as stolen credentials and phishing. Still, they are proving to be insufficient. In a world where all sectors and industries use apps, the stakes cannot be higher. From digital banking to business-critical systems, healthcare, government, and more, mobile and web apps are the users´ doorways in the digital transformation era.
To secure critical data, software-as-a-service (SaaS) companies usually apply encryption, multi-factor authentication (MFA), biometrics, and authentication and authorization for their web and mobile customer-facing applications. However, as threats increase, IT and security teams must not settle for surface-level measures.
Our State of Application Security Report showed that on 1,400 sites, there were 61,000 open vulnerabilities—an average of 30 vulnerabilities per site. And weaknesses often go unnoticed by developers: 30% of those discovered were unpatched for over 180 days, giving hackers enough time to run automated and manual vulnerability discovery and exploitation.
But if authentication and authorization are not enough to protect apps and the ever-expanding customer-facing attack surfaces, what technology can companies deploy to strengthen their security postures?
Vulnerability scans, penetration testing, and application firewalls
Application programming interfaces (APIs) have become a leading vector of attacks as Gartner predicted that in 2022, they will become cybercriminals' preferred attack vector.
APIs help software applications communicate with each other, giving data access when requested. Developers and programmers often use authentication and authorization methods to grant API keys or access to all kinds of data depending on admin levels. If a hacker breaches the API system he can easily access sensitive data which he can use to run exploits or exfiltrate.
This is where web application firewalls (WAF), vulnerability scans, and penetration testing come into play. They are among APIs' most robust cybersecurity tools. These ensure an API or an app has no weaknesses and can block malicious attacks before they happen.
API and app vulnerability scanning and penetration testing are essential to finding vulnerabilities, defining better protection policies, and getting better insight into the strengths of digital assets. While vulnerability scans are automated processes, ethical hackers run penetration tests—like white, black, or grey box testing. Both scans and pentests are excellent resources as they can laser-focus on the new app or API and inspect source code profoundly, from inside or outside the system.
Application firewalls are the final defense to stop attacks in case hackers breach the systems. These firewalls are customized to monitor traffic and behave in specific ways (blocking, allowing, or doing both) using a set of rules to mitigate distributed denial of service attacks (DDoS).
In DDoS attacks, criminals will flood an app, an API, or a website with false traffic requests, forcing it often to shut down, go offline, or malfunction. Application firewalls can block malicious traffic, preventing DDoS attacks from being fully executed. Every DDoS mitigation solution should come with anomaly-scoring features. These should include identifying malicious IPs, Malicious user agents, and response lengths.
But as attackers evolve, it has become difficult to differentiate between legitimate and malicious requests. In these cases, security teams can use rate limits defined as requests per minute or rpm and set firewall rules. For example, if the maximum traffic capacity is 10,000 rpm and 3,000 rpm is detected, a custom rule can be set to tarpit (delay) each request by 5 seconds. This creates costs for cybercriminals and inserts obstacles that debilitate the attack, forcing it to lose momentum.
In the unlikely case that 5,000 rpm is detected, developers can force captchas for each request. Finally, at 7,000 rpm, requests are blocked. Blocking requests at 7,000 rpm leave developers maneuvering space as they still have a buffer of 3,000 rpm.
Meeting customers´ demands for privacy and security
The cyber threat news cycle never sleeps. Customers, constantly exposed to media coverage of data breaches, leaks, and cyberattacks, are becoming increasingly aware of their level of exposure. Additionally, users strongly link data security with data privacy. How a company manages and protects data, responds to attacks, and communicates to users, can make or break its reputation. Consumer and investor trust has become vital business components.
The 2022 Consumer Digital Trust Index of Thales, reveals the connection between historical breaches and consumer trust. Sectors like social media companies (18%), government (14%), and media and entertainment organizations (12%) have the lowest level of consumer trust and are among the most targeted by cybercriminals.
Thales explains that concrete damaging events have shaped consumer trust: One-third of global consumers have already been impacted by data breaches at least once.
Furthermore, as the global regulatory landscape intensifies, app developers face increased responsibilities, liabilities, and accountabilities, as the recent U.S. National Cybersecurity Strategy announced by the White House signals.
While modern password managers, face or fingerprint ID, and other modern authentication and authorization technologies are positively embraced by global users, they should not be the only layer of security in app development. Reducing malicious attacks can only be achieved by going the extra mile. Testing and scanning tools can strengthen app security, increase performance, and enhance consumer trust.
