Back in 2011 – a virtual eternity in internet years – Marc Andreessen famously declared that software is eating the world. With the explosion of cloud computing and mobile devices, that proclamation is more true today than it was when Andreessen said it. Unfortunately for many organizations, that software is also putting you at greater risk.
There’s an App for That
When Andreessen wrote his essay, he pointed out major trends of the time. For example, Borders and Barnes & Noble failed to recognize Amazon as a threat when it first began selling books online. Eventually, Amazon crushed the concept of brick and mortar book stores and went on to become a software platform for selling just about everything. Amazon is king of the retail world now.
Andreessen also pointed out the way Netflix used software and an innovative sharing and distribution model to drive Blockbuster and other brick and mortar video stores out of existence. Netflix eventually shifted even further toward software—focusing almost exclusively on streaming content rather than shipping DVDs to customers.
It was also around that time that the Apple iPhone dominated the mobile device landscape and Apple was engaged in an arms race with Google to own the platform with the most apps. The phrase “There’s an app for that,” was a clever marketing slogan, but it was – and still is – true that there is a mobile app for almost anything you can possibly think of. That was just the beginning, though.
As more and more organizations have moved servers and data to the cloud, there has also been an explosion of web-based applications. Just about any and every function that used to be performed using software installed locally on a PC can now be performed in the cloud using a web app from just about any device with an internet connection.
Web Apps are the New Black
Zero day threats and clever exploits make cyber attacks seem sexy or cutting edge. The reality, however, is that most attackers are relatively lazy and lack the skill to develop a truly innovative exploit. Instead, most attackers tend to focus on the cross-section of biggest pool of potential victims and easiest targets to exploit.
That’s why the exponential growth of web apps has placed them squarely in the crosshairs of attackers. According to the latest Verizon Data Breach Investigation Report (DBIR), there has been a 300 percent increase in web app attacks in just the last three years. Our most recent Cloud Security Report found that more than three quarters of all events we saw during the 18-month period analyzed involved web application attacks.
A recent report from Veracode revealed that 77 percent of enterprise applications that were assessed for the first time had at least one vulnerability and 88 percent of Java applications had at least one vulnerability inherited from a third-party open-source component. The sheer volume of web apps combined with the potential that nearly 4 out of 5 web apps are potentially vulnerable makes it a prime target for attackers.
The traditional approach of guarding the perimeter and focusing resources only on protecting “high-value” assets can leave you exposed to compromise in a wide variety of ways. When it comes to web application security — reducing risk is essentially a function of minimizing your attack surface and ensuring you have compensating controls in place as you keep burning down your vulnerabilities and exposures.
You can’t just stop using web applications. Let’s face it – that ship sailed. There are too many benefits and advantages to using web apps, and most organizations are far too invested in them at this point. Rather than throwing the baby out with the proverbial bath water, you need to focus on making sure you have everything required for web apps security.