Press Release

Radware, a leading provider of cyber security and application delivery solutions, released a new study today titled Radware Research: Web Application Security in a Digitally Connected World. The report takes an in-depth look into how organisations protect their web applications, and identifies clear gaps in security among common DevOps practices, highlights top attack types and vectors, as well as identifies key areas of risk and concern.

The research, which focused on such highly targeted industries as retail, healthcare and financial services, exposes the proliferation of bot-driven Web traffic and its impact on organisations’ application security. In fact, bots conduct more than half (52%) of all Internet traffic flow. For some organisations, bots represent more than 75% of their total traffic. This is a significant finding considering one-in-three (33%) organisations cannot distinguish between ‘good’ bots and ‘bad’ ones.

The report also found that nearly half (45%) of respondents had experienced a data breach in the last year, and 68% are not confident they can keep corporate information safe. What’s more, companies often leave sensitive data under-protected. In fact, 52% do not inspect the traffic that they transfer to-and-from APIs, and 56% do not have the ability to track data once it leaves the company.

Any organisation that collects information on European citizens will soon be required to meet the strict data privacy laws imposed by General Data Protection Regulations (GDPR). These regulations take effect in May 2018. However, with less than a year until the due date, 68% of organisations are not confident they will be ready to meet these requirements in time.

“It’s alarming that executives at organisations with sensitive data from millions of consumers collectively don’t feel confident in their security,” said Carl Herberger, Vice President of Security Solutions at Radware. “They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines.”

According to Dr. Larry Ponemon, "This report clearly shows that pressure to continuously deliver application services limits DevOps’ ability to ensure web application security at various stages in the SDLC."

Key Survey Findings Include:

Application security is an afterthought. Everyone wants the full automation and agility that the continuous delivery model of app development provides. Half (49%) of the respondents currently use the continuous delivery of application services and another 21% plan to adopt it within the next 12-24 months. However, continuous delivery can compound the security challenges of app development: 62% reckon it increases the attack surface and approximately half say that they do not integrate security into their continuous delivery process.

Bots are taking over. Bots are the backbone of online retail today. Retailers use bots for price aggregation sites, electronic couponing, chatbots, and more. In fact, 41% of retailers reported that more than 75% of their traffic comes from bots, yet 40% still cannot distinguish between “good” and “bad” bots. Malicious bots are a real risk. Web scraping attacks plague retailers by stealing intellectual property, undercutting prices, holding mass inventory in limbo, and buying out inventory to resell goods through unauthorised channels at markup. But bots are not the exclusive problem of retailers. In healthcare, where 42% of traffic is from bots, only 20% of IT security execs were certain they could identify the “bad” ones.

API security is often overlooked. Some 60% of organisations both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet 52% don’t inspect the data that is being transferred back and forth via their APIs, and 51% don’t perform any security audits or analyse API vulnerabilities prior to integration.

Holidays are high risk for retailers. Retailers face two distinct but highly damaging threats during the holidays: outages and data breaches. Web outages during the holiday season, when retailers make most of their profits, could have disastrous financial consequences. Yet more than half (53%) are not confident in their ability to provide 100% uptime of their application services. High-demand periods like Black Friday and Cyber Monday also spell trouble for customer data: 30% of retailers suggest they lack the ability to secure sensitive data during these periods.

Patient healthcare data is at risk. Just 27% of healthcare respondents have confidence they could safeguard patients’ medical records, even though nearly 80% are required to comply with government regulations. Patching systems is critical to an organisation’s security and its ability to mitigate today’s leading threats, but some 62% of healthcare respondents have little or no confidence in their organisation’s ability to rapidly adopt security patches and updates without compromising operations. More than half (55%) of healthcare organisations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organisations are particularly unlikely to monitor the Darknet for stolen data, with 37% saying they did so, compared to 56% in financial services, and 48% in retail.

Multiple touchpoints equal higher risk. The rise of new financial technology (like mobile payments) has increased the access and volume of engagement with consumers, which, in turn, increases the number of access points with vulnerabilities and expands the risk security executives face. While 72% of financial services organisations share usernames and passwords and 58% share payment details via APIs, 51% do not encrypt that traffic, potentially exposing valuable customer data in transit.
The survey, conducted by Ponemon Research on behalf of Radware, included responses from more than 600 chief information security officers and other security leaders across retail, healthcare, and financial services in six continents.