Cos rely on outdated security concepts while online threats increase: Cloudflare

Cloudflare, Inc., the cloud connectivity company, has released its State of Application Security 2024 report. According to findings from this year’s edition, security teams are struggling in their efforts to keep pace with the risks posed by enterprises’ reliance on modern applications – the technology that powers all of today’s most visited websites.

As the report highlights, the multitude of threats emanating from software supply chain issues, the increasing number of distributed denial of service (DDoS) attacks and malicious bots often overwhelm the resources of specialized application security teams.


Today’s digital world is built on web applications and APIs. They enable e-commerce sites to accept payments, healthcare systems to securely share patient data, and they support a wide range of activities we perform on our phones. But the more we rely on these applications, the larger the attack surface becomes. This is further exacerbated by the pressure on developers to quickly deliver new features, such as those powered by generative AI. However, unprotected applications can lead to business disruption, financial loss, and the collapse of critical infrastructure.

“Security is rarely a top priority when developing web applications. Yet we use them every day for all kinds of critical functions that make them a lucrative target for hackers,” said Matthew Prince, co-founder and CEO of Cloudflare. “Every day, Cloudflare’s network blocks an average of 209 billion cyber threats for our customers. The security layer of today’s applications has become one of the most important components in protecting the Internet.”

Key findings from Cloudflare’s State of Application Security 2024 report include:

Number and volume of DDoS attacks are increasing: DDoS remains the most commonly used threat vector for attacking web applications and APIs, accounting for 37.1% of all application traffic mitigated by Cloudflare. The main targeted industries were gaming, IT and internet, cryptocurrencies, computer software, and marketing and advertising.
The fastest patch against the fastest exploit – the race between defenders and attackers continues to intensify: According to findings from Cloudflare, new zero-day vulnerabilities are being exploited faster than ever before – in one case just 22 minutes after the proof of concept (PoC) was published.
Malicious bots can cause widespread disruption if left unchecked: Bots account for one-third (31.2%) of all traffic, most of which (93%) is unverified and potentially malicious. The main industries targeted were manufacturing and consumer products, cryptocurrency, security and law enforcement, and the U.S. government.
Organizations are taking outdated approaches to protecting APIs: Traditional web application firewall (WAF) rules with a negative security model – based on the assumption that most web traffic is harmless – are often used to protect API traffic. Far fewer organizations are adopting the widely accepted API security best practice: a positive security model with strict definitions of allowed traffic and rejection of the rest.
Third-party software dependencies are a growing risk: On average, companies use 47.1 pieces of third-party code and make 49.6 outbound connections to third-party resources such as Google Analytics or Ads to improve website efficiency and performance. However, as web development has largely adopted the practice of loading this type of third-party code and activity into users’ browsers, companies are increasingly exposed to supply chain risks as well as liability and compliance issues.
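
To make the API finding above concrete, the following Python sketch contrasts a negative security model (block known-bad signatures, allow the rest) with a positive one (allow only what a schema defines). It is an added example, not code from Cloudflare or the report; the routes, field names, deny signatures and sample requests are all constructed for illustration.

```python
import re

# Negative model: block requests matching known-bad signatures, allow the rest.
DENY_SIGNATURES = [re.compile(p, re.I)
                   for p in (r"<script", r"\bunion\s+select\b", r"\.\./")]

# Positive model: hypothetical schema listing every allowed operation and field.
# Anything not described here is rejected.
SCHEMA = {
    ("GET", "/v1/orders/{id}"): {},
    ("POST", "/v1/orders"): {"sku": r"[A-Z0-9]{4,12}", "qty": r"[1-9][0-9]?"},
}

def negative_model_allows(method, path, body):
    blob = " ".join([path, *map(str, body.values())])
    return not any(sig.search(blob) for sig in DENY_SIGNATURES)

def _match_route(method, path):
    for (m, template), fields in SCHEMA.items():
        pattern = re.sub(r"\{\w+\}", "[0-9]{1,10}", template)  # {id} is numeric
        if m == method and re.fullmatch(pattern, path):
            return fields
    return None

def positive_model_allows(method, path, body):
    fields = _match_route(method, path)
    if fields is None:                 # undocumented endpoint or method
        return False
    if set(body) != set(fields):       # missing or unexpected field
        return False
    return all(re.fullmatch(rx, str(body[k])) for k, rx in fields.items())

# Constructed sample requests (not taken from the report).
SAMPLES = [
    ("POST", "/v1/orders", {"sku": "AB12CD", "qty": "2"}),                # valid
    ("POST", "/v1/orders", {"sku": "AB12CD", "qty": "2", "price": "0"}),  # extra field
    ("DELETE", "/v1/orders/17", {}),                                      # undefined method
    ("GET", "/v1/internal/export", {}),                                   # undocumented path
    ("POST", "/v1/orders", {"sku": "AB12CD", "qty": "-5"}),               # out-of-range value
]

def compare():
    """Return (negative_allows, positive_allows) for each sample request."""
    return [(negative_model_allows(*r), positive_model_allows(*r)) for r in SAMPLES]

if __name__ == "__main__":
    for req, (neg, pos) in zip(SAMPLES, compare()):
        print(f"{req[0]:6} {req[1]:22} negative={neg!s:5} positive={pos}")
```

None of the four malformed requests contains a known-bad signature, so the negative model passes all of them, while the positive model accepts only the request that matches the schema.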
