Application Security in a Digital-First World
One of the defining traits of today's consumer base is "short-lived loyalty." One in three customers will leave a brand they love after just one bad experience. We are ready to discard any product that disappoints us, and web and mobile applications are no exception. This becomes tricky when 98% of organizations depend on applications to run or support their business. And because applications generate huge profits, bad actors are trying their best to get a piece of the pie, with online fraud losses projected to exceed $48 billion per year by 2023.
In response, businesses across the globe have sharpened their focus on application security. However, some security measures degrade the user experience, which in turn leads to transaction abandonment, declining loyalty and lost revenue.
The goal now is finding a way to achieve application security without the risk of end user friction. Let's dive in…
Before we shed light on the most appealing methods available for application security, let's take a stab at the major types of attacks on the application landscape.
- Client-side attacks: target vulnerabilities in clients, especially web browsers. Associated terms include cross-site scripting, phishing and man-in-the-middle.
- Web application attacks: target vulnerabilities in web applications. Associated terms include cross-site scripting, man-in-the-middle, credential stuffing, online fraud and SQL injection.
- App infrastructure attacks: target an application's supporting infrastructure, such as the network, DNS services and TLS.
- DDoS attacks: target a website to make it slow or unavailable. Associated terms include botnet-driven DDoS attacks.
That's a lot of attacking going on, but let's turn our focus to web application attacks. According to a recent report from The Cyentia Institute and F5 Labs, web application attacks were the leading incident pattern among data breaches for six of the last eight years, and 56% of the largest incidents of the last five years tie back to some form of web application security issue, accounting for 42% of all financial losses recorded.
There is a spectrum of web application attacks, ranging from automated threats [Read OWASP automated threats to web applications] and credential-based attacks driving account takeover and fraud, to the exploitation of code-level application vulnerabilities such as cross-site scripting and SQL injection [Read OWASP top 10 threats].
Credential stuffing attacks: they're lucrative
Among the various types of web application attacks, there's one growing in volume due to preference of the attackers, and that is credential stuffing. Here's why…
By definition, credential stuffing is where attackers take credentials that have been stolen from third parties and test them (en masse and rapidly, via automation) on the target site. It is well established that many users reuse passwords across online services; as a result, 0.5%-2% of a stolen credential list will typically be valid on a target. These attacks defraud organizations of billions of dollars through fake accounts, unauthorized fund transfers or chargebacks, credit application fraud, and stolen loyalty points or gift cards.
Let's examine the increasing prevalence of credential stuffing:
- Username/password is the universally accepted identity mechanism for access control and many people reuse passwords. The problem is, once attackers obtain legitimate credentials from one website it's virtually guaranteed that some will work when attackers test them on other websites.
- This type of attack supports attacker economics and is a numbers game. In other words, attackers think about ROI and go after targets that offer the highest ROI. F5 Labs estimates that a small-time cybercriminal can test 100,000 credentials for an investment of less than $200 USD. Even with a typical success rate between 0.2 percent and 2 percent, the attacker can net anywhere from 200 to 2,000 valid accounts from a single attack. For a cybercriminal willing to make a larger investment, a million fraudulent login attempts could yield as many as 20,000 valid accounts.
- The average elapsed time between a data breach and its discovery or public disclosure is 15 months; this gives attackers plenty of opportunity to abuse stolen credentials.
Because legitimate credentials are used, it can be extremely difficult to recognize an in-progress credential stuffing attack, unless a third party notifies the organization or there is a blatantly unusual spike in login traffic.
Even when not attacked directly, an organization may still be forced to bear the brunt. A breached social media account can put that user's banking account at greater risk if the same or a similar password was used for both.
To defend against credential stuffing, organizations typically adopt security controls such as:
- Multi-Factor Authentication [MFA]
- Device and browser fingerprinting
- IP rate limiting/IP Reputation
- Automation detection based on signals such as a low login success rate despite high traffic volume
Attacks and attackers keep evolving
It's an even playing field. Attackers gain insight into weaknesses in much the same way security teams gain insight into security threats. With each new way of protecting the environment, comes a new way of attacking it. The evolution of the attackers' game is very much in line with the defensive strategy of their targets. Here are some examples:
- Rate limiting and deny lists were measures taken for "first-generation" attacks. Advanced attackers are adept at bypassing IP rate limits by disguising their attacks through proxy services, which distribute the traffic across thousands of valid residential IP addresses. Research data shows that attackers reused IP addresses during a campaign only 2.2 times on average, well below any feasible rate limit.
- CAPTCHA and browser challenges were "second-generation" measures, which attackers navigated using tools like automated CAPTCHA solvers, PhantomJS and TrifleJS. As it turns out, machine learning algorithms are now better at solving these puzzles than humans are.
- In the third and current generation, fraudulent traffic more accurately imitates human behavior and is increasingly effective at bypassing behavioral analytics. Attackers go to great lengths to simulate real users, from deploying real browsers to copying natural mouse movements to subtle randomization of behavior.
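The defensive controls listed under credential stuffing and the "first-generation" bypass described in the first bullet above are easiest to compare side by side. The following is an added example, not code from the original page or from Shape Security/F5: it runs a per-IP rate limit and a fleet-wide "low login success rate despite high volume" signal over the same constructed login events. The log layout, the thresholds, and the sample traffic (a proxy-pool burst in which each exit IP is used only twice, close to the ~2.2 reuse figure quoted above) are all assumptions made for the illustration.

```python
"""Credential-stuffing detection signals over a constructed login log.

Added example, not code from the original page or from Shape Security/F5.
Log layout, thresholds and sample traffic are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def make_sample_log():
    """Constructed sample events (not real data), one per line:
    '<ISO-8601 timestamp> <source IP> <username> <OK|FAIL>'.

    Minute 0: ordinary traffic, 20 logins from 5 home IPs, 18 succeed.
    Minute 1: a stuffing burst routed through a residential proxy pool:
    60 attempts from 30 distinct IPs, each IP used only twice, 1 success.
    """
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        ts = (t0 + timedelta(seconds=3 * i)).isoformat()
        result = "FAIL" if i % 10 == 9 else "OK"
        lines.append(f"{ts} 198.51.100.{i % 5 + 1} user{i % 5} {result}")
    t1 = t0 + timedelta(minutes=1)
    for i in range(60):
        ts = (t1 + timedelta(seconds=i)).isoformat()
        result = "OK" if i == 41 else "FAIL"          # ~1.7% hit rate
        lines.append(f"{ts} 203.0.113.{i // 2 + 1} victim{i} {result}")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def window_start(ts, window_s):
    """Align a timestamp to the start of its fixed window (epoch seconds)."""
    return int(ts.timestamp()) // window_s * window_s


def per_ip_rate_limit(events, max_attempts=10, window_s=60):
    """First-generation control: IPs exceeding max_attempts in any window.

    Against a proxy pool where each exit IP is used only a couple of times,
    this returns an empty set: no single IP ever trips the limit.
    """
    counts = Counter((window_start(ts, window_s), ip) for ts, ip, _, _ in events)
    return {ip for (_, ip), n in counts.items() if n > max_attempts}


def low_success_windows(events, min_attempts=30, max_success_rate=0.5, window_s=60):
    """Automation signal: high volume with a low login success rate.

    Aggregates across all sources, so it does not care whether an IP repeats.
    min_attempts keeps a quiet window with a few mistyped passwords from
    firing; the distinct-IP count is returned as supporting evidence.
    """
    attempts, successes, ips = Counter(), Counter(), defaultdict(set)
    for ts, ip, _, ok in events:
        w = window_start(ts, window_s)
        attempts[w] += 1
        successes[w] += int(ok)
        ips[w].add(ip)
    flagged = []
    for w in sorted(attempts):
        if attempts[w] < min_attempts:
            continue
        rate = successes[w] / attempts[w]
        if rate <= max_success_rate:
            flagged.append({
                "window_start": datetime.fromtimestamp(w, timezone.utc),
                "attempts": attempts[w],
                "success_rate": round(rate, 3),
                "distinct_ips": len(ips[w]),
            })
    return flagged


if __name__ == "__main__":
    evs = parse_log(make_sample_log())
    print("per-IP rate limit tripped by:", per_ip_rate_limit(evs) or "nothing")
    for hit in low_success_windows(evs):
        print("low-success window:", hit)
```

On the constructed traffic the per-IP limit never fires, while the fleet-wide signal flags the attack minute (60 attempts, 30 distinct IPs, 1.7% success). Two caveats a practitioner should keep in mind: a backend outage or a forced password reset also produces a low success rate, so this is a signal to feed a rules engine rather than a blocking verdict on its own; and an attacker who drips attempts below the volume floor evades it, which is exactly why the defensive conversation moves on to behavioral and machine-learning signals.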
Third-generation attacks pose the greatest challenge, so perhaps businesses feel they must trade a good end-user experience for an effective security solution. But maybe that's not necessary. These modern attacks are sophisticated, but so can be your approach to application defense. There is a solution that doesn't drive customers away, can detect sophisticated bots, and is continuously learning, adapting, and evolving alongside the threat landscape against which it defends.
Shape Security defends against malicious automated attacks targeting both web and mobile applications. Shape Security is part of F5 and a leader in application security for Anti-Fraud and Abuse Protection. More than 200 million mobile devices have Shape Security deployed and about 150 million legitimate human logins are protected per day, with over 1 billion attacks detected and mitigated every day.
Shape's unique principles
Shape Security relies on continuous learning and adaptation rather than any single countermeasure. Here's how it works:
- Your web and mobile apps are instrumented with code.
- This code collects signals from the end-user environment (browser and user behavior).
- These signals are checked by the Shape Defense Engine, a real-time rules engine that detects bot activity and mitigates attacks (a rule's action can be to block, redirect or flag the request).
- The signals are also fed into the Shape AI Cloud, a data platform where they are processed by multiple machine learning systems.
- The resulting outputs are analyzed by data scientists and experts to develop new signals and rules and to inform quality decisions.
This forms a continuous learning and enhancement loop. The out-of-the-box, real-time rule engine is robust: Shape Security has been analyzing massive quantities of data across many of the world's largest industries for years and has been through many learning cycles. As soon as a new attack technique is observed on one customer, all other Shape Security customers are immediately protected, as well.
Shape Security disrupts the ROI of an attack. Against an economically driven attacker, Shape Security makes successful attacks too expensive, which encourages the attacker to move on to other targets.
As soon as new countermeasures are deployed, 5%-10% of attackers will typically attempt to retool. Shape Security uses supervised and unsupervised deep learning methods to detect new TTP [Tactics, Techniques & Procedures] and autonomously deploy appropriate countermeasures.
Beyond credential stuffing
Aside from credential stuffing, additional application security concerns must be considered:
- Legitimate users face annoying authentication challenges at login. In the B2C web application world, up to 30% of legitimate human traffic struggles to successfully login due to security controls.
- The advent and adoption of Open Banking brings risks such as screen scraping, compliance breaches, and DoS/website flooding that results in latency and outages.
- There is a dearth of enablers for fraud teams: today's fraud tools simply deliver raw ingredients such as device properties and risk scores and expect enterprises to use these ingredients to write and maintain complex rules.
- Weak protection for customer credentials, financial details, and PII against Magecart, Formjacking, and other client-side supply chain attacks.
Shape Security enables organizations to address the above challenges with its comprehensive portfolio, as shown in the table below.
Understanding Shape Security's portfolio
There are numerous deployment methods for Shape Security, allowing relatively simple insertion within many varieties of contemporary enterprise architecture:
- Cloud Hosted (Load Balancer Routed)
- Cloud Hosted (CDN routed)
- Non-Proxy API
- Server Side Module (SSM)
One of the most common and easiest deployment models for Shape Security is to send protected HTTP traffic through the Shape Defense Engine by configuring your load balancer (the load-balancer-routed option above).
How WWT can help
WWT is an F5 Platinum Partner and has grown to become F5's largest and most strategic partner across the F5 product portfolio, geographic theaters, and market segments. Together, WWT and F5 help organizations deliver secure digital experiences by securing every application and enabling modern app delivery at scale.
As an F5 Guardian Advanced Security Provider partner, WWT Professional Services can help with your implementation of Shape Security. WWT's application security experts assist and guide your teams to develop a comprehensive application security architecture that protects your applications, your users, and your customers throughout the journey of your organization's data.
WWT's investments in its Advanced Technology Center (ATC) and partnership with F5 are unparalleled. The ATC is a collaborative ecosystem where customers can explore, test, and realize the effectiveness of IT solutions from top OEMs like F5, and evaluate how products interoperate with native and new architectural solutions within a simulation of their own environment.