
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Jan 31, 2019 — Application Security expert

Analyst Perspective: 2019 Threat Landscape And Application Protection Best Practices



High-profile application breaches dominated headlines in 2018, affecting businesses and consumers across industries and continents. From major hotel chains to international airlines to financial institutions, app attacks left companies in a tailspin to plug holes in their security approach and repair customer trust and brand damage. The top two attack methods for such breaches? Software vulnerabilities and web app attacks.

So what can you do to improve app security against a threat landscape that’s constantly changing? We posed this question, plus a few more, to Forrester Principal Analyst Amy DeMartine, who is the special guest speaker for our webinar, “Your App Security Stack: How to Defend Against the Evolving Threat.” We asked Amy to share her predictions for 2019 and what they mean for application security:

Q: Do you foresee a time when applications aren’t the primary reason for breaches?

A: I certainly hope so; however, malicious attackers know that once they can access an application as a valid user or through a weakness or vulnerability, the data that these applications access is easily breached. Unfortunately, automation makes attacks even easier to create and execute with a little coding know-how and will only increase the number, types, and sophistication of attacks on applications, including web apps, mobile apps, and APIs. The advent of AI could give malicious attackers an additional boost by allowing attacks to learn and morph depending on what protections are found.

Q: What application types will be the biggest target in 2019?

A: I have a feeling that 2019 will be the year of API attacks. Applications are being composed of loosely coupled APIs, and as virtual agents become more popular, open APIs become the method customers use to reach products and services. However, because these APIs can be developed and deployed quickly, security is often overlooked, leaving these APIs vulnerable to attacks.

Q: Do you see businesses in 2019 placing a focus on app hardening given the high percentage of mobile apps released without reverse engineering protection?

A: Mobile applications are just one type of application that lives in an unprotected environment. The explosion of internet-of-things (IoT) devices means that applications are living in unprotected environments such as our cars, refrigerators, and watches. All of these applications can be easily scanned and evaluated by attackers to understand any vulnerabilities or weaknesses that can be exploited. App hardening is the only way to protect these vulnerable applications.

Q: Magecart became a big problem in 2018, putting a security focus on web apps. How do you foresee this style of attacks evolving in 2019?

A: The injection of malicious code is not new. However, as applications evolve, attacks will evolve with them. The popularity of JavaScript, for example, gives Magecart a perfect opportunity to insert card skimmer code into a website’s execution. As applications morph to serverless functions, I’m certain that attacks will morph again to take advantage of how serverless applications are executed.

Q: In your experience, how important is it for businesses to understand the security posture of web and mobile apps once they are published?

A: Even after a web application is in the production environment, newly discovered vulnerabilities can be just the opening a malicious attacker is looking for. Production protection tools can certainly help detect and prevent breaches, and vigilant companies should also ensure their websites are current with all patches. Mobile apps are a much harder problem to solve because you can’t force consumers to upgrade. Mobile apps are essentially on their own and should be deployed with protection and threat detection built in to minimize their attack surface.

To hear more about Amy’s 2019 threat predictions and what you can do to defend against app-level threats, join our webinar on Tuesday, Feb. 5.

