Web app attacks are skyrocketing, it’s time to protect APIs
Web app attacks against UK businesses have increased by 251% since October 2019, putting both organizations and consumers at risk, Imperva research reveals.
In a study of nearly 4.7 million web application-related cyber security incidents, Imperva Research Labs finds that attacks are increasing, on average, by 22% each quarter. Most concerningly, the growth rate for such attacks continues to increase with a 67.9% surge from Q2 2021 to Q3.
One of the most notable increases was in Remote Code Execution (RCE) / Remote File Inclusion (RFI) attacks, which jumped by 271%. RCE / RFI attacks target businesses’ websites and servers, and are used by hackers to steal information, compromise servers or even take over websites and modify their content.
Web app attacks surge increasing data breaches
The consequence of this surge in web app attacks is a dramatic increase in data breaches. Earlier this year, Imperva Research Labs found that 50% of all data breaches begin with web applications. With the number of breaches increasing by 30% annually, and the number of records stolen going up by a staggering 224%, it’s estimated that 40 billion records will be compromised by the end of 2021, with web application vulnerabilities likely responsible for around 20 billion.
“The pandemic placed immense urgency on businesses to get all kinds of digital transformation projects live as quickly as possible, and that is almost certainly a driving factor behind this surge in attacks,” says Peter Klimek, Director of Technology at Imperva.
“The changing nature of application development itself is also hugely significant. Developments like the rapid proliferation of APIs and the shift to cloud-native computing is beneficial from a DevOps standpoint, but for security teams, these changes in application architecture and the accompanying increased attack surface is making their jobs much, much harder.”
The importance of API protection
Losses relating to fraud and cyber-crime have spiraled out of control during the pandemic, with the National Fraud Intelligence Bureau estimating that around £1.3bn was lost in the first half of 2021 alone, more than three times the amount lost during the same period in 2020. These figures suggest that the problem will continue to worsen throughout 2022.
“Businesses are seeing more traffic through their web applications than ever before, in particular APIs,” continued Klimek. “More than 70% of web traffic now comes through APIs, meaning businesses’ exposure is only getting higher. It’s no longer enough to have a WAF in place and hope for the best – businesses need to invest in a comprehensive Web Application and API Protection (WAAP) stack featuring elements like RASP and Advanced Bot Protection, allowing them to secure everything from edge to database.”