This post is from the Arxan blog and has not been updated since the original publish date.
Analyst Perspective: 2019 Threat Landscape And Application Protection Best Practices
High-profile application breaches dominated headlines in 2018, affecting businesses and consumers across industries and continents. From major hotel chains to international airlines to financial institutions, app attacks left companies in a tailspin to plug holes in their security approach and repair customer trust and brand damage. The top two attack methods for such breaches? Software vulnerabilities and web app attacks.
So what can you do to improve app security against a threat landscape that’s constantly changing? We posed this question, plus a few more, to Forrester Principal Analyst Amy DeMartine, who is the special guest speaker for our webinar "Your App Security Stack: How to Defend Against the Evolving Threat." We asked Amy to share her predictions for 2019 and what they mean for application security:
Q: Do you foresee a time when applications aren’t the primary reason for breaches?
A: I certainly hope so; however, malicious attackers know that once they can access an application as a valid user or through a weakness or vulnerability, the data that these applications access is easily breached. Unfortunately, automation makes attacks even easier to create and execute with a little coding know-how and will only increase the number, types, and sophistication of attacks on applications, including web apps, mobile apps, and APIs. The advent of AI could give malicious attackers an additional boost by allowing attacks to learn and morph depending on what protections are found.
Q: What application types will be the biggest target in 2019?
A: I have a feeling that 2019 will be the year of API attacks. Applications are being composed of loosely coupled APIs, and as virtual agents become more popular, open APIs become the method customers use to reach products and services. However, because these APIs can be developed and deployed quickly, security is often overlooked, leaving these APIs vulnerable to attacks.
Q: Do you see businesses in 2019 placing a focus on app hardening given the high percentage of mobile apps released without reverse engineering protection?
A: Mobile applications are just one type of application that lives in an unprotected environment. The explosion of internet-of-things (IoT) devices means that applications are living in unprotected environments such as our cars, refrigerators, and watches. All of these applications can be easily scanned and evaluated by attackers to understand any vulnerabilities or weaknesses that can be exploited. App hardening is the only way to protect these vulnerable applications.
Q: Magecart became a big problem in 2018, putting a security focus on web apps. How do you foresee this style of attacks evolving in 2019?
Q: In your experience, how important is it for businesses to understand the security posture of web and mobile apps once they are published?
A: Even after a web application is in the production environment, newly discovered vulnerabilities can be just the opening a malicious attacker is looking for. Production protection tools can certainly help detect and prevent breaches, and vigilant companies should also ensure their websites are current with all patches. Mobile apps are a much harder problem to solve because you can’t force consumers to upgrade. Mobile apps are essentially on their own and should be deployed with protection and threat detection built in to minimize their attack surface.
To hear more about Amy’s 2019 threat predictions and what you can do to defend against app-level threats, join our webinar on Tuesday, Feb. 5.