Web App Security Practices of the Highly Confident
Security findings from F5 State of Application Delivery 2015
The threat less mentioned
Analysis of some of the biggest breaches of this century finds a great deal of attention paid to effects and less to causes. Of the top 25 breaches (as identified by number of records exposed), a perhaps surprising percentage (44%) were attributable to web application compromise.
[Chart: Data Exposed by Top 25 Breaches 2000-2014 through web application compromise. Year labels: 2005, 2010, 2008, 2009, 2011, 2013, 2014. Volume labels: 40M CC, 134M CC, 1.3M ID, 112M PII, 50M PII, 150M CC, 4.5M PII]
The outcome of successful web application compromise is troubling, with all three primary data types represented: credit card numbers, personal information and credentials. This stands in contrast to other breaches arising from stolen credentials or theft (the human element). Similarly troubling is that the most vocal security initiatives of late have been SSL Everywhere and two-factor authentication. Both are certainly good practices and help improve security postures, but neither addresses the web application security needed to prevent compromises that have exposed over 600 million records in the past 14 years.
SOURCES: Verizon DBIR 2014, trade publication reports
App layer confidence
Given the severity of outcomes experienced due to web application compromise in the past, it was somewhat surprising to find the majority of respondents in our State of Application Delivery 2015 survey were confident or very confident on the topic of web application security.
This led to further analysis of responses, with careful attention paid to security practices in this arena as reported by respondents. We asked about very specific web application security practices with respect to protecting data across three primary surfaces: the client, the request and the response. What we discovered was a high correlation between attention paid to all three surfaces and the level of confidence in withstanding application layer attacks as reported by respondents.
SOURCE: F5 State of Application Delivery 2015
Best Practices
Web application security best practices focus on making decisions whether to allow or deny (or scrub) data at different points in the client-app conversation:
• When the client first connects
• When a request from the client is received
• When a response from the app is received
Web application security services are able to make decisions regarding the legitimacy of the client based on variables like geolocation, operating system and device type; whether requests are malicious or not based on the presence of signatures and other malicious tells; and whether responses conform to expectations or contain sensitive data. We asked respondents to categorize their protection at each of these three potential attack indicator points as either “always”, “sometimes” or “never”. Then we looked at these answers in relation to respondents' level of confidence. The correlation between the two was readily apparent: organizations employing more comprehensive web application security practices were highly confident in their ability to withstand an application layer attack.
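As an added illustration (not code from the F5 report or any F5 product), the following Python sketch applies an allow/deny/scrub decision at each of the three points above: the client check uses geolocation and operating system, the request check uses signature patterns, and the response check scrubs card numbers that pass a Luhn checksum. Every policy value, signature and sample input is constructed for the example.

```python
import re

# Constructed policy values (assumptions for illustration, not F5's).
BLOCKED_GEOS = {"XX"}            # placeholder country code
BLOCKED_OS = {"Windows XP"}      # an end-of-life client OS, chosen as an example
# Constructed request signatures: patterns that mark a request as malicious.
REQUEST_SIGNATURES = [
    re.compile(r"(?i)union\s+select"),   # SQL injection tell
    re.compile(r"(?i)<script"),          # cross-site scripting tell
    re.compile(r"\.\./"),                # path traversal tell
]
# 13-16 digits, optionally separated by spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def check_client(geo: str, os_name: str) -> str:
    """Decision point 1: when the client first connects."""
    if geo in BLOCKED_GEOS or os_name in BLOCKED_OS:
        return "deny"
    return "allow"

def check_request(path: str, body: str) -> str:
    """Decision point 2: when a request from the client is received."""
    for sig in REQUEST_SIGNATURES:
        if sig.search(path) or sig.search(body):
            return "deny"
    return "allow"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real-looking card numbers from random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub_response(body: str):
    """Decision point 3: when a response from the app is received.
    Masks Luhn-valid card numbers (last four kept); returns (body, count)."""
    masked = 0
    def mask(m):
        nonlocal masked
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        masked += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(mask, body), masked
```

The response scrub deliberately leaves a 16-digit run that fails the Luhn check untouched, so order numbers and similar values are not masked by accident.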
[Chart: share of respondents who always protect each surface (Client, Request, Response), grouped by Low Confidence, Confidence and High Confidence; 0% to 100% scale]
SOURCE: F5 State of Application Delivery 2015
High Confidence          Client  Request  Response
  Always Protect           66%      69%       63%
  Sometimes Protect        17%      13%       14%
  Never Protect             2%       1%        3%
Confidence               Client  Request  Response
  Always Protect           59%      55%       37%
  Sometimes Protect        26%      27%       34%
  Never Protect             2%       4%        8%
Low Confidence           Client  Request  Response
  Always Protect           41%      18%       41%
  Sometimes Protect        47%      65%       41%
  Never Protect             6%       6%        6%
Comprehensive web app security practices lead to confidence
Thank you. You can download the full State of Application Delivery 2015 report at http://f5.com/SOAD