Web- and cloud-based applications are increasingly under assault by cybercriminals.

Email has long been a popular route for cybercriminals to launch attacks via phishing scams, account takeover, and spoofing, among other strategies. But web- and cloud-based applications have emerged as a new attack vector, allowing criminals to breach companies via browser-based interfaces and launch ransomware and other attacks without ever triggering security protection.

According to the Barracuda State of Application Security in 2021 report, the top five global challenges in application security are bots, supply chain attacks, vulnerability detection, API security, and security solutions slowing down application development.

The lingering impact of web- and cloud-based attacks

Application security attacks often exploit vulnerabilities such as Log4j or the VMware flaws identified earlier this year. However, in a recent Barracuda Below the Surface episode, experts indicated that these vulnerabilities have a very long tail – cyber-attacks continue to be launched aimed at exploiting issues that are months or years old. In addition, automated tools have made it easier for criminals to scan for these vulnerabilities with little effort.

Companies are not well equipped to defend against application attacks, with Barracuda finding that roughly 75 percent of respondents had experienced a successful application compromise or incident over the preceding 12 months.

APIs present an acute challenge because mobile apps and web front ends that leverage APIs can open the door to a wide variety of attacks, and not every organization is aware of all the APIs that have been used to build their applications. According to the report, flawed API security is a big contributor to significant data breaches.

In the case of a client-side or supply chain attack, a single compromised library can expose an entire application. This is because the attack takes place in the client browser, allowing hackers to extract data within the browser and then post the information to their own servers. That puts the activity outside the view of most security solutions.

A holistic approach to AppSec

To prevent and mitigate the impact these attacks could have, organizations should take stock of the entire threat landscape, and inventory all of their web applications and the APIs and libraries that may be running under the hood. Regular scanning of applications using a tool like the Barracuda Vulnerability Remediation Service can streamline and automate that process. Scans should take place after updates as well.

Additionally, multi-factor authentication should be enabled across systems to help ensure illicit activity is blocked from your web applications. You should also be able to set up automatic email alerts when suspicious activity is detected.

Next, look for a security platform that can provide a single solution for monitoring and security. Otherwise, IT departments can quickly become overwhelmed trying to integrate multiple solutions. For example, the Barracuda Cloud Application Protection (CAP) platform can protect against API exploits, bot attacks, client-side attacks, DDOS, and other threats.

According to Barracuda researchers:

“With such a high portion of organizations getting breached multiple times through their web applications in the past 12 months, it’s clear more needs to be done to protect against these threats, particularly to protect against newer threats like bot attacks, API attacks, and supply chain attacks. Organizations seem to understand this, with many looking to deploy new solutions in the coming year, such as bot protection (41 percent), API gateway (36 percent), and software supply chain protection (scanning) (33 percent).”

Researchers add, “To provide effective protection, an application security solution needs to be a platform that can protect customers against all of these attack vectors. A platform approach to application security can provide powerful protection against traditional and emerging threats while remaining easy to use and manage.”

As the use of web-based applications increases, they will come under increased attention from cybercriminals. As a result, organizations need to deploy automated security solutions that can help them stay on top of API vulnerabilities, bot activity, and client-side attacks. As noted in the Below the Surface episode, defenders are having a hard time keeping pace with attackers regarding application security – a comprehensive set of tools and processes that can identify app-based vulnerabilities and provide quick remediation will be critical moving forward.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.