New research shows organizations in the region struggle with bad bots, broken APIs, and supply chain attacks.

Organizations across Asia Pacific (APAC) are struggling with a multitude of application security challenges, according to a new global study by Barracuda.

Taking in 750 responses from IT decision makers in APAC, the US and EMEA, Barracuda’s ‘The State of Application Security in 2021’ study found that, on average, APAC organizations were successfully breached twice in the past 12 months as a direct result of an application vulnerability (38%), with 27% of respondents reporting at least one breach over the same period, and 14% reporting being breached more than three times.

The study, conducted by independent market researcher Vanson Bourne, surveyed 250 APAC application security decision makers responsible for their organization’s application development and security, to get their perspectives on data breaches, top application security vulnerabilities, and the most important product capabilities needed to defend against multi-vector application attacks. 

Overall, the findings indicate that more needs to be done to protect against application security threats, revealing that the range of application security-related challenges facing organizations in APAC today may extend way beyond difficulties in securing multiple attack vectors.

APAC respondents identified their top application security challenges as software supply chain attacks (46%), with 44% saying that adding security significantly slows down application development time. 43% stated that vulnerability detection is a key challenge, followed closely by bot attacks (39%) and securing APIs (37%).

The research also revealed that web application and zero-day vulnerabilities were the main cause of successful security breaches affecting their organizations’ applications in the last 12 months (55%), followed closely by bot attacks and software supply chain attacks in joint second place (40% each).

Read here for the full report.

What you can do

“Applications have been steadily rising as one of the top attack vectors in recent years, and the rapid shift to remote work in 2020 has only intensified this trend,” said Mark Lukie, Systems Engineer Manager, Barracuda, Asia-Pacific.

Organizations in APAC are struggling to keep up with the pace of these attacks – particularly newer threats like bad bots, broken APIs and supply chain attacks – and need help filling these gaps effectively.

CybersecAsia asked Lukie how this could be effectively achieved. He replied: “The first step is to identify the threats that matter the most to your organization and the priority in which you need to protect against them. Once this is done, then the organization can start looking for specific solutions that are required to stop these attacks.”

Lukie acknowledged that determining which solutions make the most sense for your organization can be complicated, due to the fragmented nature of the security market. “There are many vendors who focus specifically on one issue (e.g. bot mitigation,) but have limited capabilities for other threats (e.g. API threats.) All of this leads to analysis paralysis and a general slowdown in the time taken to protect against the threats.”

Instead, stretched security teams can get some respite by looking for a vendor who can provide protection against all threats effectively, in a single integrated fashion.

This “can significantly reduce the learning curve, administrative time, and overheads it takes to set up these protections. Typically, such vendors would have a modular platform approach to security, with the ability to pick and choose the parts that are required to provide complete protection for all applications.”

Culture matters

The complaint that security slows down development “has been around since what seems like the dawn of application security”. Lukie believes the issue is multi-fold, with a significant part of it due to organizational culture.

“For instance, if application teams want to use newer agile methods and rapid deployment models, security needs to be able to keep pace both in terms of policy and actual security implementations,” he said.

“Many times, security teams are the gatekeepers for application deployment, and their rules and policies may not be very friendly to development teams – especially around the time it takes to discuss and implement the security.”

In addition, existing security solutions may not make it easy to set up and configure the required rules and policies for a given application.

“Fixing these issues needs to start with culture,” said Lukie. “If an organization has an agile culture with DevOps/automated deployments, then security should follow suit and ‘shift left’ in the cycle. What this means is that application security becomes part of the development cycle and is implemented earlier than before.”

Not only is training and agreement between all teams important, but having the right security tools in place to support this ‘shift left’ move is also crucial.

“For application security, this would mean having the right vulnerability scanning tools, test automation tooling, and most importantly security solutions like a WAF or cloud WAF services that are fully automatable.”

A fully automatable WAF or cloud WAF service will have the configuration APIs and integrations to automatically orchestrate security, which can drastically slow down configuration and deployment time, Lukie explained. A vulnerability scanning tool, introduced early in the process, will show problems in the application and WAF configuration quite easily.

“In short, this process requires a huge change in culture and policies and a smaller change (but still significant) in tools and techniques,” he said. “It sounds easy, but it is always a work in progress that can provide great dividends for fast moving organizations in the digital economy.”