theNet by CLOUDFLARE

State of application security

Three surprising web app and API threat trends


Web applications are rarely built with security in mind. Yet, we use them daily for all sorts of critical functions, making them a rich target for hackers.

Given the critical nature of web applications and APIs and the data they hold, exploited or unprotected apps can lead to business disruptions, financial losses, and critical infrastructure collapses.

Insights from Cloudflare’s recently released State of Application Security report show organizations struggle with outdated security approaches for web apps and APIs, while online threat actors are operating more efficiently and quickly than ever. The research was based on aggregated traffic patterns (observed April 2023 to March 2024) from the Cloudflare global network, which identifies and blocks 209 billion cyber threats each day.

This article highlights three key trends from the report that require urgent attention and action from CISOs.

Trend 1: Organizations overwhelmingly use outdated API security

Consumers and end users expect dynamic web and mobile experiences — which are increasingly enhanced and powered by APIs. For businesses, APIs fuel competitive advantages — greater business intelligence, swift cloud deployments, integration of new AI capabilities, and more.

Yet, for many, API security has fallen behind the fast pace of API deployment. Cloudflare uses machine learning models to identify API traffic that may otherwise be unaccounted for. In this report, organizations had 33% more public-facing API endpoints than they knew about. (This number was calculated by comparing the number of API endpoints detected through machine learning-based discovery vs. customer-provided session identifiers.)

Despite the fact that APIs present different security challenges compared to web apps, we found that 66.6% of API traffic defended by some form of layer 7 security is primarily protected with traditional negative security WAF rules rather than with specialized API rules employing a positive security model. Negative security models work by blocking bad traffic and allowing everything else, while positive security models specify what traffic is explicitly allowed while denying everything else.

Recommendation

As businesses expose more services via APIs, they should augment web app security tools (like WAFs and DDoS) with purpose-built API security and management enhanced by unsupervised machine learning.

Rather than rely on negative security model rules to protect APIs, industry best practices encourage protecting APIs with a positive security model. A positive security model for API security allows organizations to protect APIs by only accepting traffic that conforms to set OpenAPI schemas — while blocking malformed requests and HTTP anomalies that could contain attacks.
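The difference between the two models, shown as an added example that is not taken from the Cloudflare report or any Cloudflare product. The operation table is a constructed, simplified stand-in for an OpenAPI schema, and the deny signatures, paths and sample requests are assumptions made for illustration.

```python
import re

# Negative model: constructed deny signatures; whatever matches none is allowed.
DENY = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]
# Positive model: constructed stand-in for an OpenAPI schema. Each operation
# declares its method, path pattern and the exact body fields (type, required).
OPERATIONS = [
    {"method": "GET", "path": re.compile(r"/orders/\d{1,10}"), "body": None},
    {"method": "POST", "path": re.compile(r"/orders"),
     "body": {"sku": (str, True), "qty": (int, True), "note": (str, False)}},
]

def negative_allows(method, path, body):
    """Allow unless a known-bad signature appears in the path or body."""
    return not any(sig.search(path + " " + repr(body)) for sig in DENY)

def positive_allows(method, path, body):
    """Allow only requests that match a declared operation exactly."""
    for op in OPERATIONS:
        if op["method"] != method or not op["path"].fullmatch(path):
            continue
        spec = op["body"]
        if spec is None:
            return (body is None, "ok" if body is None else "unexpected body")
        if not isinstance(body, dict):
            return (False, "body must be an object")
        extra = set(body) - set(spec)
        if extra:
            return (False, f"undeclared field(s): {sorted(extra)}")
        for name, (typ, required) in spec.items():
            if name not in body and required:
                return (False, f"missing field: {name}")
            if name in body and type(body[name]) is not typ:
                return (False, f"wrong type for {name}")
        return (True, "ok")
    return (False, "no such operation")

# Constructed sample requests: (method, path, JSON body)
SAMPLES = [
    ("POST", "/orders", {"sku": "A-100", "qty": 2}),              # well-formed
    ("POST", "/orders", {"sku": "A-100", "qty": 2, "price": 0}),  # undeclared field
    ("POST", "/orders", {"sku": "A-100", "qty": "2"}),            # wrong type
    ("DELETE", "/orders/17", None),                               # undeclared method
]
def compare():
    """Return (method, path, negative verdict, positive verdict) per sample."""
    return [(m, p, negative_allows(m, p, b), positive_allows(m, p, b)) for m, p, b in SAMPLES]

if __name__ == "__main__":
    print(*compare(), sep="\n")
```

All four samples pass the negative model because none contains a listed signature; only the first conforms to the schema, so the positive model rejects the other three and reports why.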

Continue to enhance your API security by discovering shadow APIs. A robust API security tool should constantly scan for every public API in your landscape, even those that are unmanaged or unsecured.

Trend 2: Third-party code has caused an increase in supply chain risk

Most organizations’ web apps rely on separate pieces of code from third-party providers (often JavaScript). The use of third-party scripts accelerates modern web app development and allows organizations to ship features to market faster, without having to build all new app features in-house.

The latest research shows that the average Cloudflare customer website contains 47 third-party scripts, 50 connections to JavaScript functions and their destination, and serves 12 cookies.

Third-party code and cookies both represent security risks to your web visitors: the code is often loaded in the user’s browser, and cookies can be tampered with to take over a session or account, for example. Attackers can gain access to modify the code of JavaScript components used in websites in a variety of ways, such as using stolen account credentials or exploiting zero-day or unpatched vulnerabilities. Then, they use this privileged access to launch a downstream attack on every website using that JavaScript code.

Recommendation

Look for a security vendor that automatically identifies third-party script risks, and provides a full, single dashboard view of all the first-party cookies being used by your websites.

Trend 3: One third of all Internet traffic stems from bots, but some industries are more impacted than others

On average, bots comprise one-third (31.2%) of all application traffic processed by Cloudflare. This percentage has stayed relatively consistent (hovering at about 30%) over the past three years.

The term bot traffic may carry a negative connotation, but in reality bot traffic is not necessarily good or bad; it all depends on the purpose of the bots. Some are “good” and perform a needed service — such as customer service chatbots and authorized search engine crawlers. But some bots misuse an online product or service and need to be blocked, given the disruptions to revenue that they can potentially cause. In fact, the typical business in the US and UK loses over 4% of its online revenue every year due to malicious bot attacks.

These industries see the highest median daily share of bot traffic:

Image source: State of Application Security, 2024

Recommendation

If your industry tends to experience more bot traffic, consider boosting investments in bot management to preemptively stop threats from bad bots.

Look for a bot management service that:

  • Accurately identifies bots at scale by applying behavioral analysis, machine learning, and fingerprinting to a diverse and vast volume of data

  • Integrates easily with your other web application security and performance services (e.g., WAF, CDN, DDoS)

  • Allows good bots, such as those belonging to search engines, to keep reaching your site while preventing malicious traffic

Staying ahead of emerging risks

Many organizations have a tapestry of legacy security hardware, cloud-native security, and home-grown security to address all of their application security challenges. But this fragmented approach makes it harder to connect and protect SaaS apps, web apps, and other IT infrastructure. IT sprawl makes it easier for attackers to find and exploit vulnerabilities. A consolidated platform approach helps ensure better security and latency-free connectivity, improve business growth by allowing organizations to comply with local regulations when expanding into new markets, and strengthen customer trust.

Cloudflare’s Application Security protects applications and APIs from abuse, stops bad bots, thwarts DDoS attacks, and monitors for suspicious payloads and browser supply chain attacks. Our application security products work closely with our performance suite, all delivered by Cloudflare’s connectivity cloud — the next evolution of the public cloud, providing a unified, intelligent platform of programmable, composable services on one programmable global cloud network.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.




Key takeaways

After reading this article you will be able to understand:

  • The role of applications and APIs in modern business and communication

  • 3 emerging web application and API trends requiring urgent attention from CISOs

  • Practical recommendations that help organizations stay ahead of threats



Dive deeper into this topic.

Learn more about how to modernize your application security stack and protect your web visitors and data wherever they are in the State of Application Security, 2024 report.
