December 17, 2021

Last Updated on January 15, 2024

Recent research from Akamai, Imperva and others shows that web application attacks have increased by up to 300% since last year, resulting in a flood of data breaches and the potential exposure of billions of compromised consumer records. Recorded web app attacks increased by 68% just from Q2 to Q3 2021, as fraudsters sought to frontload underground sites with stolen data ahead of the holiday shopping rush.

Hackers recognize that web apps are widely vulnerable to popular attack vectors like remote code injection (RCI) and local/remote file inclusion (LFI/RFI), which can be used to exfiltrate data or even hijack a site outright. But the explosive growth in API usage could be the biggest factor contributing to the rise in attacks.

According to Akamai, the top three web app attack scenarios—SQL injection, local file inclusion and cross-site scripting—account for almost 95% of attacks, and are often carried out via APIs. Credential stuffing attacks are also frequently conducted through the target application’s APIs.

APIs accelerate development, but their security is often an afterthought. Many teams know their code is vulnerable, but speed-to-market takes precedence and a “fix-it-later” attitude sometimes prevails.

The ongoing shift to DevOps pipelines is also making life tougher for security teams as they struggle to fit their testing into a continuous delivery cycle. (But check out this podcast for an emerging solution.) Many avoidable vulnerabilities in production code are the result.

No wonder half of all data breaches now start with a compromised web application.

What can you do to keep your web apps from becoming “sitting ducks”? A top best practice is to apply an open, trusted security framework like the OWASP Application Security Verification Standard (ASVS). The ASVS gives you a flexible, best-practice basis for testing your web app security, and also gives developers a list of requirements for secure development.

Now at version 4.0.3, the OWASP ASVS is a mature tool to increase your confidence in the security of your web apps.

What’s Next?

If you don’t apply proven best practices like the ASVS to your web app security testing, it’s unlikely that you can consistently verify security. This leaves your business exposed to high-risk data breach scenarios, including theft of customer and internal data, disruption of operations and significant lost sales. Especially in industries like retail, you can’t afford to forgo web app security.

To connect with an expert about how to apply the OWASP ASVS to your web application security program, contact Pivot Point Security.

Here’s some other recent content you might want to check out related to web app security testing:

Podcast EP#74 – Harshil Parikh – Bridging the Gap Between Security & Development Teams – Pivot Point Security

OWASP ASVS Levels: Which is Right for My Application? – Pivot Point Security