The state of application security in 2021 - Bad bots, broken APIs, and supply chain attacks put business data at risk. " - Barracuda Networks

Page created by Leo Blair
IT & Technique
English
 
CONTINUE READING
Page content transcription
If your browser does not render page correctly, please read the page content below
The state of application security in 2021 - Bad bots, broken APIs, and supply chain attacks put business data at risk. " - Barracuda Networks
May 2021

MARKET REPORT

The state of
application security
in 2021

Bad bots, broken APIs, and
supply chain attacks put
business data at risk. »
Contents
Introduction: The state of application security in 2021             3

Top global challenges                                            4-6

Bot attacks                                                    7-10

API security                                                   11-15

Software supply chain attacks                                 16-18

Conclusion                                                        19

About Barracuda  20

2   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021   APPLICATION AND CLOUD SECURITY
Introduction
The state of application security in 2021
Businesses are facing an array of challenges when it comes
to application security. Over the years, web applications have
been rising steadily as the top attack vector for breaches —                           Methodology
and the move to remote work in 2020 intensified this shift.
Many organizations had to expose internal applications to the
                                                                                       Barracuda commissioned independent
internet, and a significant number had to rapidly lift and shift
applications to the cloud.                                                             market researcher Vanson Bourne
As part of this survey, we asked organizations about the                               to conduct a global survey of 750
number of times they were breached in the past year as a
                                                                                       application security decision makers
direct result of a vulnerability in one of their applications, and
the worldwide average was two breaches in the past                                     responsible for their organization’s
12 months.
                                                                                       application development and security.
Respondents stated that the vast majority of these attacks
                                                                                       Survey participants from the U.S., Europe
were due to web application vulnerabilities. Bot attacks,
struggles with API security, and software supply chain attacks                         and APAC represented organizations
are among the main contributing factors to these breaches.
                                                                                       with 500 or more employees
Survey respondents readily admit that significant improvements
are required in all three areas — and while there were some                            globally. Since IT responsibilities and
interesting regional and sub-regional differences, the trends
                                                                                       cybersecurity threats vary by region,
were very similar globally.
                                                                                       respondents from a variety of job
                            Respondents by region
                                                                                       functions and industry sectors were
                                          300
                                                                 250                   surveyed, to get an understanding of
                   200
                                                                                       application security risks from multiple
                                                                                       perspectives. The survey was fielded in
                   US                     Europe                 APAC                  March and April 2021.

                         Respondents by job function

           219                      197               150            112      72

     IT security         Application development/design       Information technology
     Application security         Risk/fraud/compliance/governance

3   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                     APPLICATION AND CLOUD SECURITY
Top global challenges
FINDING #1

On average, respondent organizations were successfully
breached twice in the past 12 months as a direct result
of an application vulnerability.
With 72% of respondents saying their organization suffered at                          cyberattacks have become. This is likely due to the huge range
least one security breach from an application vulnerability, it’s                      of security threats trying to harm organizations and the internal
plain to see how aggressive and pervasive application-based                            difficulties many organizations are facing.

In the past 12 months has your organization
suffered a successful security breach as a direct
result of a vulnerability in one of its applications?
(n=750)
                                                                                 38%
                                                              32%

                                                                                                                                  33%
                                                                     29%
                                                                           29%

                                                                                                         27%

                                                                                                                      27%
                                                                                       26%
                                                                                             26%
                                                                                                   25%

                                                                                                                            25%

                                                                                                                                        21%
                                           20%
                                     14%

                                                       14%
                                                 10%

                                                                                                                                                               2%
               1%

                                                                                                                                                    1%
                                                                                                                                                          1%
          0%

                    0%
                         0%

                                                                                                                                                                      0%
           Yes, more than              Yes, three times             Yes, twice               Yes, once                        No                         Don’t know
            three times

                                                               Total              US     Europe                APAC

4   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                                   APPLICATION AND CLOUD SECURITY
Top global challenges
FINDING #2

The range of application security-related challenges facing organi-
zations extends beyond difficulties securing multiple attack vectors.
While it’s clear that organizations are being troubled by specific   Which of these challenges does your organization
security threats against their applications such as bot attacks,     experience with application development and
software supply chain attacks, and securing their APIs, these        security?
aren’t the only challenges. Efficiency demands are also causing      (n=750)

an issue, as evidenced by the 35% who report that adding
                                                                                                                                             43%
security significantly slows application development time.                                           Bot attacks                            42%
                                                                                                                                               47%
                                                                                                                                           39%
The top five challenges from a worldwide perspective are bots,                                                                           39%
supply chain attacks, vulnerability detection, API security, and               Software supply chain attacks                              40%
                                                                                                                                      32%
security slowing down app development.                                                                                                       46%
                                                                                                                                           38%
There are some interesting regional variations. In the U.S.,                           Vulnerability detection                    27%
                                                                                                                                            42%
vulnerability detection doesn’t make the top five. Instead,                                                                                 43%
implementing security into continuous integration and                                                                                  37%
continuous development practices is a top challenge.                                         Securing our APIs
                                                                                                                                    30%
                                                                                                                                        40%
                                                                                                                                       37%
Europe, on the other hand, is less concerned about supply chain                                                                       35%
                                                                             Adding security significantly                           33%
attacks and app security slowing down development. Threat             slows application development time                           28%
remediation is seen as a bigger challenge.                                                                                                   44%

                                                                                    Implementing continuous                         31%
                                                                                  integration and continuous                         32%
In APAC, security slowing down app development is a much                                                                              34%
                                                                                    delivery (CI/CD) practices
larger concern than in other regions.                                                                                              28%
                                                                                                                                   30%
                                                                                           Threat remediation                    25%
Vulnerability detection is a challenge with many relatively mature                                                                    35%
                                                                                                                                  27%
solutions available, and the challenge of implementing security in
the development phase, especially in DevOps environments, is                                                                       28%
                                                                              Lack of alignment between                           26%
in itself a complex subject.                                             development and security teams                            28%
                                                                                                                                     32%
                                                                                                                                 23%
In this report, we focus on the newer challenges of:                                                                           19%
                                                                               Visibility into application traffic
                                                                                                                                21%
                                                                                                                                    28%
• Bots
                                                                                                                     4%
• Supply chain attacks                                                 We don’t have any challenges with              5%
• API security                                                       application development and security            4%
                                                                                                                     3%

                                                                                           Total             US       Europe        APAC

5   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                           APPLICATION AND CLOUD SECURITY
Top global challenges
FINDING #3

A wide range of application security risks are
causing concern, with the variations of bot-based
attacks being a particular worry.
It’s no secret that bots have become a growing problem for                                     focus on the importance of application security: One of these
organizations over the past few years, and this is reinforced by                               risks could easily exploit a vulnerability, and it could be hard to
the fact that bot-based attacks make up two of the top three                                   recover from the ramifications. This is illustrated by the number
application security risks most commonly cited by decision                                     of respondents choosing web application vulnerabilities/zero-
makers as part of their top three risks. This is closely followed by                           day attacks as one of the top risks.
API attacks and supply chain attacks. Organizations must not lose

Which AppSec risks are you most concerned
about at your organization?
(n=750)
       54%

                         50%

                          51%

                                                 51%
      49%

                         49%

                        46%

                                                                   46%
     46%
     45%

                                              42%

                                             40%
                                             39%

                                                                 39%
                                                                 39%

                                                                                      37%
                                                                                      36%
                                                                35%

                                                                                     35%

                                                                                                          34%
                                                                                                         32%
                                                                                    30%

                                                                                                                             30%
                                                                                                         31%
                                                                                                         31%

                                                                                                                             31%
                                                                                                                             31%

                                                                                                                             31%

                                                                                                                                                   25%
                                                                                                                                                 19%

                                                                                                                                                17%
                                                                                                                                                17%

                                                                                                                                                                 3%
                                                                                                                                                                1%
                                                                                                                                                                0%

                                                                                                                                                                0%
      Bot attacks     Web application      Bot attacks like      Supply chain           API abuse    Credential stuffing   Digital skimming    Cryptominers      We are not
    like scraping,       attacks            carding and       attacks, including                     and other account          attacks                       concerned about
         spam                               other fraud           Magecart                            takeover attacks                                         any application
                                                                                                                                                                security risks

                                                                  Total            US           Europe           APAC

6   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                                   APPLICATION AND CLOUD SECURITY
Bot attacks
FINDING #4

The range of bot attacks that
can exploit applications is a
real problem.
Three-quarters of decision makers confirm that the range            The varied range of bot attacks that could exploit
of bot attacks are causing genuine difficulties in their            our applications makes them increasingly difficult
organizations when it comes to protecting applications. It          to defend against.
appears organizations simply can’t keep up. With an entire          (n=750)

bot economy existing online, complete with bot marketplaces

                                                                                                     79%
and brokers to ensure that bot users themselves don’t get

                                                                                               76%
                                                                              75%

                                                                                       71%
scammed, this problem is only going to continue growing
over the coming years. Automated attacks cover such a wide
variety of vectors and intelligence on the tooling side that this
has become a massive issue worldwide

                                                                                                                 29%
Organizations will need external help from expert vendors for

                                                                                                           25%

                                                                                                                       24%
application and bot security to put up an effective resistance

                                                                                                                             21%
against bots targeting their applications. Without proper
defenses, they will inevitability be breached, or, in some cases,
breached again.

                                                                                            Agree                Disagree
In our data, respondents from organizations that were
                                                                                    Total            US    Europe            APAC
breached more than once were most likely to agree with this
statement, suggesting that bots were likely a cause of many of
these breaches.

7   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                APPLICATION AND CLOUD SECURITY
Bot attacks
FINDING #5

Bot-based attacks are the most likely contributor
to successful security breaches resulting from
application vulnerabilities in the past 12 months.
The concern levels around bots are well founded, as they have                     The situation becomes even more concerning when considering
been particularly successful at breaching applications over the past              that more than a quarter (28%) report that employee error was a
year. But this certainly isn’t the only vector that has contributed.              factor in the most recent breach. Organizations can put as many
                                                                                  security tools in place as they see fit, but if an employee makes
On average, respondents report that there were two contributing                   a mistake that leaves the door open, then a bot-based attack,
factors to the most recent breach suffered by their business,                     software supply chain attack, or any other attack will be quick to
indicating the extent of the challenge.                                           exploit this vulnerability.

Which of the following contributed to the successful
security breach that exploited a vulnerability in one of
your organization’s applications in the last 12 months?
(n=541)
                                        55%
    49%
  44%
  43%

                                                          43%
 40%

                                                         40%
                                41%

                                                         39%
                               37%

                                                        36%

                                                                                                                       34%
                                                                           33%
                                                                          32%

                                                                                                  30%
                             31%

                                                                          31%

                                                                                                 29%
                                                                                                 28%

                                                                                                                     28%
                                                                                                                     28%
                                                                         27%

                                                                                                26%

                                                                                                                    23%

                                                                                                                                         0%
                                                                                                                                         0%
                                                                                                                                         0%
                                                                                                                                         1%
    Bot attack              Web application            Software supply    Flawed API             Employee               Account          We haven’t
                           vulnerability/zero-           chain attack       security               error           takeover attack       managed to
                            day vulnerability                                                                       like Credential   establish what the
                                                                                                                        Stuffing        causes were

                                                                 Total   US        Europe         APAC

8   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                            APPLICATION AND CLOUD SECURITY
Bot attacks
FINDING #6

The wide array of bot attacks that target applications
makes it a struggle for defenders to block them.
With so much variety in this attack vector, it’s no surprise that so                        Any of these bots used in conjunction with one another increases
many organizations are struggling to defend their applications                              their chances of being successful. Multi-vector low and slow bot
against bots. While bot spam is more of a nuisance attack, it is                            attacks are at the core of the problem and most likely contributed
often used as a smokescreen to hide something more malicious,                               to successful breaches in the past year.
so it must be dealt with, not ignored. Depending on its frequency
and authenticity, bot spam can become really tricky to defend                               There are some interesting regional variations. APAC is the region
against and can evolve from benign annoyances to operational                                most worried about DDoS attacks, far exceeding other regions
problems quite easily.                                                                      and the worldwide average. Browser spoofing was top of mind
                                                                                            for the U.S., and software spoofing came out highest in APAC. In
Bots spoofing browsers and apps are also major problems. These                              Europe, sneaker bots are a concern.
spoofs range from simple to complex, from a user trying to hide
their real browser to bots running compromised versions of apps
in click farms for ad-fraud or other malicious purposes.

Which types of bot attack targeted at applications does
your organization find it difficult to defend against?
(n=750)
                                           42%
                        40%
                       38%
 35%

                                                       35%
 34%

 34%

                     33%
32%

                                     32%

                                                                     30%
                                     31%

                                                                                     31%
                                                     29%
                                                     29%

                                                                                    28%

                                                                                                     28%
                                                                    27%
                                                                    27%

                                                                                   27%

                                                                                                                   27%
                                                                                                                   27%
                                                                                                    26%

                                                                                                    26%

                                                                                                                  26%

                                                                                                                                   26%
                                   25%
                  24%

                                                                   24%

                                                                                                   24%
                                                                                  23%

                                                                                                                                              23%
                                                   22%

                                                                                                                 22%

                                                                                                                                20%

                                                                                                                                             20%
                                                                                                                                 21%

                                                                                                                                            18%
                                                                                                                                            18%
                                                                                                                               17%

                                                                                                                                                           5%
                                                                                                                                                          3%
                                                                                                                                                          3%
                                                                                                                                                         1%

 Bot Spam            Bots             Bots          Distributed     Ad fraud      Carding and      Account        Low and      Credential   Sneaker    We don’t find
                 pretending to    pretending to      Denial of     and similar   financial fraud   takeover     slow attacks    stuffing      bots    any bot attacks
                 be a specific    be a specific      Service                                                                                            difficult to
                   browser          software          (DDoS)                                                                                          defend against

                                                                  Total          US          Europe           APAC

9   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                         APPLICATION AND CLOUD SECURITY
Bot attacks
FINDING #7

Preventing, detecting, and identifying bots will be critical
functionality for vendors that help organizations defend
against bot-based attacks.
Whether organizations are struggling with spam bots,                                       These types of features would be critical for defending
fraudulent bots, or bots that can spoof software and browsers,                             against most attack types, but any vendor that can provide
they urgently require improvements when it comes to                                        these characteristics within a single solution will be improving
defending against this attack vector. After all, bots are the most                         the existing bot protection capabilities of most organizations
prolific contributor to successful breaches against applications                           beyond measure.
in the past year. According to respondents, there are three
clear areas that would be among the most desirable when                                    In these two key findings, Europe is consistently seeing
choosing a security solution to fend off bots: fraud prevention,                           account takeover detection and brute force detection as
spam detection, and bot identification.                                                    more important features than the U.S. and APAC. This is likely
                                                                                           due to the privacy protections, and the cost of a breach
Which features would be most important to your                                             in the GDPR regime. The fact that these attacks are being
organization when choosing a security solution to                                          performed by low and slow bots also makes them difficult to
help defend applications against bot attacks?                                              defend against.
(n=750)
    47%
   45%
  44%

                                              43%
                                              42%
 40%

                       40%
                       40%
                       40%
                       40%

                                             40%

                                                                                    40%
                                                                 38%
                                                                36%
                                                                36%

                                                                                   36%
                                                                35%

                                                                                                                          34%
                                           34%

                                                                                  34%

                                                                                                          34%
                                                                                  33%

                                                                                                         32%

                                                                                                                                                31%
                                                                                                        29%

                                                                                                                        29%
                                                                                                                        28%

                                                                                                                                                             26%
                                                                                                                                              25%

                                                                                                                                                            24%
                                                                                                                      23%

                                                                                                                                             23%

                                                                                                                                                           22%
                                                                                                      22%

                                                                                                                                                          19%
                                                                                                                                           18%

  Bot fraud             Bot spam               Bot                Machine       Account takeover        Web and           Client           Brute force   Crowd-source
 prevention             detection          identification      learning based      detection         price scraping   fingerprinting        detection    d bot detection
                                                                bot detection                          protection

                                                                   Total        US          Europe            APAC

10   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                           APPLICATION AND CLOUD SECURITY
API security
FINDING #8

Public facing APIs are commonplace, making it
imperative they are properly secured.
Quite a large percentage of the surveyed organizations deploy                 applications, but they also create a large new attack surface
public facing APIs for their customers (B2C) and partners (B2B),              for cybercriminals. Flawed API security continues to be a big
which speaks to the fact that most organizations are moving to                contributor to significant data breaches in the past two years,
API-first development. APIs make development of newer versions                so organizations must ensure they cover all their bases when it
of applications much faster and extend the usability of these                 comes to protecting APIs.

What types of APIs does your organization deploy?                             How many public facing APIs does your
(n=750)                                                                       organization deploy?
                                                                              (n=642)
             65%

                                                                                                                            2%
                                 59%

                                                                                                                                         19

                                                                                                                                          %
                                                                                                                      Average:
                                                     26%

                                                                                                                      33 public
                                                                                                                     facing APIs
                                                                    2%

                                                                                                            79
                                                                                                                 %
      Public facing APIs    Public facing       Internal-only    We don’t
        for customers      APIs for partners        APIs        deploy APIs
                                                                                  1–50 public facing APIs            More than 50 public facing APIs   Don’t know

11   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                     APPLICATION AND CLOUD SECURITY
API security
FINDING #9

Security concerns are top of mind when it comes to APIs.
It should come as little surprise that decision makers across                            with direct access to all the sensitive data for the application.
all regions place security concerns atop the list of challenges                          Undoubtedly, the gaps in knowledge cited around where
that their organizations struggle with when deploying APIs.                              APIs are deployed or used, as well as API standards, will be
An API-based application is significantly more exposed than a                            contributing to these concerns.
traditional web-based application, due to the way it’s deployed

What are the main challenges your organization
experiences when deploying APIs?
(n=728)
                   69%

                               68%
             63%

                         54%

                                                                 52%
                                               44%

                                                           43%

                                                                                 42%

                                                                                                                           41%
                                                                           38%

                                                                                       37%

                                                                                                         37%
                                                                                              35%
                                                     35%

                                                                                                                     35%
                                                                                                               33%

                                                                                                                                               7%
                                                                                                                                          6%
                                                                                                                                     5%

                                                                                                                                                     2%
              Security concerns           Lack of knowledge of where        Uptime concerns             Lack of understanding        We don’t experience
                                           APIs are deployed or used                                       of API standards           challenges when
                                                 (API Discovery)                                                                       deploying APIs

                                                                   Total    US               Europe     APAC

12   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                     APPLICATION AND CLOUD SECURITY
Organizations have raced toward APIs, due to the benefits            The use of APIs has presented security
they can deliver, but security hasn’t fully kept up. This presents   challenges for my organization
increased opportunities for attackers to exploit flaws. Some         (n=728)

reasons for this are a lack of understanding of API security,

                                                                                                77%
configuration/employee errors, a misguided belief that the end

                                                                               75%

                                                                                                      75%
                                                                                        71%
user will not know that there is an API at work in the background,
and in many, many cases, application teams publicly deploying
test APIs with direct access to production data without any
security in place.

                                                                                                                  29%
We also asked the respondents if the use of APIs presented a

                                                                                                            25%

                                                                                                                              25%
                                                                                                                        23%
security challenge for their organization, and 75% agreed. Most
clearly understand the risks of APIs, and this is a good sign for
the future of API security.

                                                                                             Agree                Disagree

                                                                                     Total            US    Europe            APAC

13   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                APPLICATION AND CLOUD SECURITY
API security
FINDING #10

Organizations have put in place a number of solutions to secure
their APIs — both for inbound-outbound and inter-API traffic —
but a majority feel that significant improvements are required.
On average, organizations are using more than one tool to                        cannot enforce more than signature-based security, IP-based
secure their API traffic. However, clearly this hasn’t done much                 rate limiting or IP-based access controls for the APIs. They cannot
to ease concerns around API security, and it indicates that                      enforce positive security for the API or import an API spec to
the current solutions in place for securing all forms of traffic                 automatically configure controls. API gateways perform very well
either aren’t working to the desired level or aren’t integrating                 in the API management/traffic management sphere but may not
well together to secure APIs from all angles. API security is                    offer complete API security in their toolset. It is interesting to see
still very much an area that is in its growing stages, and many                  organizations evolving their multi-layered protections for APIs, but
of the solutions that are being used to protect APIs may not                     there is a lot of room to improve.
provide enough security. For instance, network firewalls

Which solutions does your organization use to secure
north-south API traffic (inbound-outbound)?
(n=728)
              64%
             62%

                                          62%
             61%

                                         57%

                                        56%
            57%

                                                                 55%
                                        54%

                                                                 53%

                                                                 53%
                                                                50%

                                                                                                             36%
                                                                                   32%
                                                                                   32%

                                                                                                            30%
                                                                                   31%
                                                                                   31%

                                                                                                           28%
                                                                                                           27%

                                                                                                                                   0%
                                                                                                                                   0%
                                                                                                                                   1%
                                                                                                                                   1%

            Network firewall            Web application           API gateway       RASP solution            ADC/Load           My organization does
                                           firewall                                                         balancer with       not secure north-south
                                                                                                           security module            API traffic

                                                               Total        US    Europe            APAC

14   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                             APPLICATION AND CLOUD SECURITY
Which solutions does your organization use to secure
east-west API traffic (application-application and API-API)?
(n=728)
                                            66%
            63%

            63%
            61%

           58%

                                          58%

                                          56%
                                         53%

                                                                   53%
                                                                   52%

                                                                   50%
                                                                   51%

                                                                                            35%

                                                                                                                     33%
                                                                                           30%

                                                                                                                    29%
                                                                                                                    29%
                                                                                          28%
                                                                                          27%

                                                                                                                    27%

                                                                                                                                             1%
                                                                                                                                             1%
                                                                                                                                             1%
                                                                                                                                             1%
           Network firewall              Web application               API gateway         RASP solution              ADC/Load             My organization does
                                            firewall                                                                 balancer with         not secure east-west
                                                                                                                    security module              API traffic

                                                                 Total             US    Europe              APAC

What level of improvement do you believe is needed in
your organization when it comes to API Security?
(n=728)
                                                                                   53%
                                                                 44%
                                                                       39%
                                                                             39%

                                                                                                      37%
                                                                                                31%
                                                                                          30%
                                         28%

                                                                                                            23%
                                   22%

                                                     22%
                                               19%

                                                                                                                               5%
                                                                                                                     3%
                                                                                                                          3%

                                                                                                                                      2%

                                     Significant                     Notable                    Small                No improvements
                                improvements needed            improvements needed       improvements needed              needed

                                                                 Total             US    Europe              APAC

15   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                        APPLICATION AND CLOUD SECURITY
Software supply
chain attacks
FINDING #11

The use of third-party scripts for web applications is
fairly widespread, with organizations using varying
methods to deliver scripts to a browser.
The drive for efficiency when it comes to application                 as GitHub. If the code has been tampered with, a software
development is once again evident, with more than half of             supply chain attack, such as Magecart, could be just around
organizations, on average, using ready-made third-party scripts       the corner. Organizations should be wary of this approach to
for web applications. Security should be a big concern when           application development.
using third-party code. This is especially true when code is being
delivered to a browser directly from the source platform, such

Approximately, what percentage of                                     What are the ways your organization’s websites
your organization’s web applications                                  deliver client-side scripts to a browser?
use third-party scripts?                                              (n=750)

(n=750)
                                                                                        55%

                                                                                                           49%
                                          66%

                                                                                                                              45%
                               54%

                                                52%

                                                      48%

                                                                                 Directly from the     Own internal      CDN (Content
                    Total            US           Europe       APAC             source (GitHub, etc)    repository      Delivery Network)

16   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                     APPLICATION AND CLOUD SECURITY
Software supply
chain attacks
FINDING #12

Regardless of the technologies in place for protecting against
software supply chain attacks, respondents are keenly aware that
their organization must improve in this area.
Software supply chain attacks have become increasingly mature,                               themselves, it appears that this attack vector, much like bot
with some scripts even able to avoid executing malicious code                                attacks, is always one step ahead. And with recent high-profile
if they detect that a web vulnerability scanner is running, making                           breaches in mind, most regions understand that considerable
them extremely difficult to defend against. This adds another layer                          improvements are needed when it comes to software supply
of complexity to the ever-evolving threat landscape. Although                                chain attacks.
organizations are deploying a range of technologies to protect

What level of improvement is needed in your
organization when it comes to defending against
software supply chain attacks?
(n=750)

                                                                                                                                       49%
                                                                                                              42%
                             38%
                                   36%

                                                                           35%
                                                                     34%

                                                                                                        32%

                                                                                                                                             30%
                                                               28%
                       20%

                                                                                                                                 19%
                                                                                                  17%

                                                                                                                    9%
                                         5%

                                                                                 4%

                                                                                                                                                   1%

                              Total                                    US                               Europe                          APAC

                   Significant improvements needed             Notable improvements needed          Small improvements needed      No improvements needed

17   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                      APPLICATION AND CLOUD SECURITY
Relatively standard protections are in place for supply chain                             scanners are the fourth most popular technology on this list,
attack mitigations. APAC respondents use specialized tools,                               but they are easily spoofed, as evidenced by the Baka skimmer
including client-side JS listeners, to detect attacks more than                           detected by Visa. Sub-resource integrity (SRI) is difficult to set up
other regions. Such listeners have a better chance of detecting                           and maintain, which could be a reason for its low popularity.
the more advanced attackers than website scanners. Website

Which technologies does your organization use to
protect against software supply chain attacks?
(n=750)
     59%

     59%

                                 58%
                                55%

                                                           54%
   53%

                               52%

                                                                                47%
                                                         47%
                                                        45%
                             44%

                                                        44%
 43%

                                                                               43%
                                                                               43%
                                                                              40%

                                                                                                          40%
                                                                                                        34%

                                                                                                        34%
                                                                                                       30%

                                                                                                                             2%
                                                                                                                             2%

                                                                                                                                                   2%
                                                                                                                                                   2%
                                                                                                                             0%

                                                                                                                                                   0%
                                                                                                                             1%

                                                                                                                                                   1%
  Software                     Content                 Specialized tools           Website             Sub-resource         We do not use any       Don’t know
 Composition                   Security               such as client-side          scanners            Integrity (SRI)    technology to protect
Analysis (SCA)                Policy (CSP)          JavaScript listeners to                                                  against software
                                                     detect these attacks                                                  supply chain attacks

                                                                   Total      US              Europe      APAC

18   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                     APPLICATION AND CLOUD SECURITY
Conclusion
With such a high portion of organizations getting breached                                         It is a good sign that organizations are moving to fill these gaps,
multiple times through their web applications in the past 12                                       but the more solutions they add, the more complex application
months, it’s clear more needs to be done to protect against                                        security becomes. To provide effective protection, an application
these threats, particularly to protect against newer threats like                                  security solution needs to be a platform that is able to protect
bot attacks, API attacks, and supply chain attacks.                                                customers against all of these attack vectors. A platform approach
                                                                                                   to application security can provide powerful protection against
Organizations seem to understand this, with many looking to                                        both traditional and emerging threats while remaining easy to use
deploy new solutions in the coming year such as bot protection                                     and manage.
(41%), API gateway (36%), and software supply chain
protection (scanning) (33%).

Which of the following solutions will your
organization be deploying in the next year?
(n=750)
        41%

                    36%

                                 33%

                                             33%

                                                          32%

                                                                         30%

                                                                                       29%

                                                                                                    29%

                                                                                                               28%

                                                                                                                          25%

                                                                                                                                      23%

                                                                                                                                                    20%

                                                                                                                                                                3%

                                                                                                                                                                             1%
Bot protection            Software supply                 Security                Application             Cloud WAF                 WAF on                  We are not
   solution               chain protection           information and           scanning solution            service               public cloud            deploying any
                             (scanning)            event management                                                                                       solutions in the
                                                      (SIEM) solution                                                                                        next year

               API gateway                Anti-fraud               Software supply           DDoS protection         Single sign-on         WAF hardware                Don’t know
                                                                  chain protection              service                  (SSO)                or virtual
                                                                (standalone service)

19   | Barracuda • THE STATE OF APPLICATION SECURITY IN 2021                                                                                     APPLICATION AND CLOUD SECURITY
About Barracuda
At Barracuda, we strive to make the world a safer place.

We believe every business deserves access to cloud-
enabled, enterprise grade security solutions that are
easy to buy, deploy and use. We protect email, networks,
data and applications with innovative solutions that
grow and adapt with our customers’ journey.

More than 200,000 organizations worldwide trust
Barracuda to protect them—in ways they may not
even know they are at risk—so they can focus on
taking their business to the next level.

Get more information at barracuda.com.

THE STATE OF APPLICATION SECURITY IN 2021 • US 1.0 • Copyright 2021 Barracuda Networks, Inc. • barracuda.com
Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.
You can also read
Release Notes for AsyncOS 12.0 for Cisco Content Security Management Appliances
Release Notes for AsyncOS 12.0 for Cisco Content Security Management Appliances
2015: Time to Rethink Enterprise IT Security
2015: Time to Rethink Enterprise IT Security
Dublin City Council Weekly Planning List 23/21 - Dublin Docklands
Dublin City Council Weekly Planning List 23/21 - Dublin Docklands
FAQs for the AGPT program - 2018 Cohort
FAQs for the AGPT program - 2018 Cohort
WEB APPLICATION ATTACK STATISTICS - 2017 IN REVIEW - Positive Technologies
WEB APPLICATION ATTACK STATISTICS - 2017 IN REVIEW - Positive Technologies
Application and Funding Guide - NRF Freestanding, Innovation and Scarce Skills Postdoctoral Fellowships 2019
Application and Funding Guide - NRF Freestanding, Innovation and Scarce Skills Postdoctoral Fellowships 2019
Companion Guide for Enterprises - Renewal of authorization to enter into a public contract/subcontract - Autorité des marchés ...
Companion Guide for Enterprises - Renewal of authorization to enter into a public contract/subcontract - Autorité des marchés ...
APPENDIX A Distributing Applications Through the App Store
APPENDIX A Distributing Applications Through the App Store
Student visa - Application guide - For students applying outside the UK - May 2021
Student visa - Application guide - For students applying outside the UK - May 2021
Cisco Jabber IM for BlackBerry - Administrator's Guide - Version 1.0
Cisco Jabber IM for BlackBerry - Administrator's Guide - Version 1.0
Spider IV Edit Basic User Guide
Spider IV Edit Basic User Guide
Back to Work Incentives Payments - Guidelines for Funding 2021-22
Back to Work Incentives Payments - Guidelines for Funding 2021-22
Grants Management and Systems Administration NRF-TWAS Postdoctoral Fellowship Application and Funding Guide 2018 - CPUT
Grants Management and Systems Administration NRF-TWAS Postdoctoral Fellowship Application and Funding Guide 2018 - CPUT
Tyof ublin Community Soccer Field Use Policy
Tyof ublin Community Soccer Field Use Policy
Building Resilience in Grocery: Looking Beyond COVID-19 RFID bridges the physical and the digital, enabling retailers to have a more connected ...
Building Resilience in Grocery: Looking Beyond COVID-19 RFID bridges the physical and the digital, enabling retailers to have a more connected ...
THE STATE OF THE AMAZON MARKETPLACE 2018 - A REPORT BASED ON A SURVEY OF 1,200 AMAZON SELLERS - Feedvisor
THE STATE OF THE AMAZON MARKETPLACE 2018 - A REPORT BASED ON A SURVEY OF 1,200 AMAZON SELLERS - Feedvisor
Opening Doors for Automation with Python and REST: A SharePoint Example
Opening Doors for Automation with Python and REST: A SharePoint Example
Open Daylight Tutorial For Developers - February 2014 Thomas D. Nadeau, Brocade Madhu Venugopal, Red Hat Luis Gomez, Ericsson ...
Open Daylight Tutorial For Developers - February 2014 Thomas D. Nadeau, Brocade Madhu Venugopal, Red Hat Luis Gomez, Ericsson ...
Red Hat AMQ 2021.q3 Release Notes for AMQ Streams 1.8 on RHEL - For use with AMQ Streams on Red Hat Enterprise Linux - Red Hat ...
Red Hat AMQ 2021.q3 Release Notes for AMQ Streams 1.8 on RHEL - For use with AMQ Streams on Red Hat Enterprise Linux - Red Hat ...
Recruiting Trends 2018-2019 48th Edition - Part I: Hiring Outlook Fall, 2018 - Collegiate Employment Research ...
Recruiting Trends 2018-2019 48th Edition - Part I: Hiring Outlook Fall, 2018 - Collegiate Employment Research ...
Amplifying Community Stories - Radical Imagining: Communities shaping health as we emerge from the Pandemic - Empire Health Foundation
Amplifying Community Stories - Radical Imagining: Communities shaping health as we emerge from the Pandemic - Empire Health Foundation
Fostering Youth Commitment towards World Heritage - UNESCO World ...
Fostering Youth Commitment towards World Heritage - UNESCO World ...
Enhancement (ECE-WE) - FAQs
Enhancement (ECE-WE) - FAQs
Health Maintenance Organization HMO Schedule of benefits - DC Health Link
Health Maintenance Organization HMO Schedule of benefits - DC Health Link
To what extent does Airbnb affect house prices in Amsterdam?
To what extent does Airbnb affect house prices in Amsterdam?
Housing Market Review - JULY 2021 - IBEC
Housing Market Review - JULY 2021 - IBEC
DECC Fossil Fuel Price Projections - July 2013
DECC Fossil Fuel Price Projections - July 2013
2019 Cyber Security's Impact on SMEs and the Supply Chain - SADILP Jonathan Frank - Defence Teaming Centre
2019 Cyber Security's Impact on SMEs and the Supply Chain - SADILP Jonathan Frank - Defence Teaming Centre
Integration, Incentives and Innovation - Nike's Strategy to Improve Social and Environmental Conditions in its Global Supply Chain
Integration, Incentives and Innovation - Nike's Strategy to Improve Social and Environmental Conditions in its Global Supply Chain
The Future of EDI: An IBM Point-of-View - Watson Supply Chain - ECOM-Specialist
The Future of EDI: An IBM Point-of-View - Watson Supply Chain - ECOM-Specialist
Summary of Benefits Optional Supplemental Benefits - Senior PharmAssist
Summary of Benefits Optional Supplemental Benefits - Senior PharmAssist
Saudi Arabia Real Estate Market Review - Q2 2021 - A quarterly review of the residential, office, retail and hospitality markets across Saudi ...
Saudi Arabia Real Estate Market Review - Q2 2021 - A quarterly review of the residential, office, retail and hospitality markets across Saudi ...
Drinking Water Management of Jaipur City Issues & Challenges - SATISH JAIN Presented by Executive Engineer, City Division I (North), Jaipur
Drinking Water Management of Jaipur City Issues & Challenges - SATISH JAIN Presented by Executive Engineer, City Division I (North), Jaipur
WHITEPAPER Introduction To The Two-Wire Transmitter And The 4-20mA Current Loop - Acromag
WHITEPAPER Introduction To The Two-Wire Transmitter And The 4-20mA Current Loop - Acromag
Carbon Price Floor: Support and Certainty for Low-Carbon Investment Consultation Response by CoalImp - Association of UK Coal Importers
Carbon Price Floor: Support and Certainty for Low-Carbon Investment Consultation Response by CoalImp - Association of UK Coal Importers
The supply side matters: Guns versus butter, COVID-style
The supply side matters: Guns versus butter, COVID-style
WATER PURIFIER OWNER'S MANUAL - Please read this manual carefully before operating your set and retain it for future reference - LG
WATER PURIFIER OWNER'S MANUAL - Please read this manual carefully before operating your set and retain it for future reference - LG
Zappos.com: Developing a Supply Chain to Deliver WOW! Case Study: How to Alleviate Inbound Transportation Congestion - LSCM 4560.001 by Cassandra Hale
Zappos.com: Developing a Supply Chain to Deliver WOW! Case Study: How to Alleviate Inbound Transportation Congestion - LSCM 4560.001 by Cassandra Hale
Air-Conditioning of Parked Aircraft by Ground-Based Equipment
Air-Conditioning of Parked Aircraft by Ground-Based Equipment
DISTRIBUTION AUTHORITY - ERGON ENERGY CORPORATION LIMITED
DISTRIBUTION AUTHORITY - ERGON ENERGY CORPORATION LIMITED
Event Detection through Lexical Chain Based Semantic Similarity Algorithm
Event Detection through Lexical Chain Based Semantic Similarity Algorithm
Modern Slavery Statement 2018 - Bettys & Taylors
Modern Slavery Statement 2018 - Bettys & Taylors
Submission by IDA Ireland to the Commission for the Regulation of Utilities (CRU) Consultation on 'Proposed Direction to the System Operators ...
Submission by IDA Ireland to the Commission for the Regulation of Utilities (CRU) Consultation on 'Proposed Direction to the System Operators ...
Total Logistics 2018 - report sample - An introduction to the global logistics industry and the trends and innovations that shape it - The Loadstar
Total Logistics 2018 - report sample - An introduction to the global logistics industry and the trends and innovations that shape it - The Loadstar
ABP UK Modern Slavery Statement September 2020 - Making the difference - ABP Food Group
ABP UK Modern Slavery Statement September 2020 - Making the difference - ABP Food Group
OUTDOOR POWER EQUIPMENT 2021 - 2022 CATALOG - Makita Latin América
OUTDOOR POWER EQUIPMENT 2021 - 2022 CATALOG - Makita Latin América
Beyond the Quarry: Extracting More Value from the Energy Transition - Nolans Project - Arafura Resources
Beyond the Quarry: Extracting More Value from the Energy Transition - Nolans Project - Arafura Resources
Untangling the supply web - Managing third-party and supply chain risk - RiskBusiness
Untangling the supply web - Managing third-party and supply chain risk - RiskBusiness
Usability Problems in GI Web Applications: A lesson from Literature - AGILE-GISS
Usability Problems in GI Web Applications: A lesson from Literature - AGILE-GISS
AVG Free / Reference Guide
AVG Free / Reference Guide
We use cookies. Please refer to the Privacy Policy.