New research from Fastly, Inc., based on insights from information security and IT professionals from 250 UK companies and 500 global companies, revealed growing concerns around adequately securing the rapidly rising number of mission-critical cloud services and API-centric applications that enterprise businesses are relying on. Outdated offerings, false positives, and ineffective blocking are among the main causes driving this global concern.
The research highlighted that, on average, UK businesses use 11 web application and API security tools and spend close to £356,000 on them, but that 40% of all security alerts are still false positives. Security is becoming more complex and costly for organisations as they are increasingly required to protect traditional architectures, in addition to new architectures and cloud environments.
1 in 4 (23%) UK businesses have suffered a loss of revenue in the past 12 months as a result (at least in part) of false positives from web application and API security tools, with an average revenue loss of 12%. The downtime, due to these false positives, frequently causes similar vulnerability to actual attacks, which suggests that current security tools may be causing more problems than they solve.
The research demonstrated that more than half of organisations believe most, if not all, of their applications will use APIs in the next two years. Despite an anticipated increase in API implementation, half of organisations stated that web application and API security is more difficult than it was two years ago and indicated struggles to maintain adequate security across new application architectures. Driving these difficulties is the shift to public cloud and API-centric applications without a modern security solution to support those innovations.
Perhaps most strikingly of all, 47% of UK businesses run tools in log or monitoring mode and only switch to blocking mode when they are confident detections are accurate, due to the occurrence of false positives. The global report also shows that businesses are running their web application and API security tools in blocking mode a mere 9% of the time, because current tools frequently block harmless traffic, impeding business and impacting their bottom line.
“One of the biggest security challenges we are seeing today is that technologies are rapidly evolving to better serve the growing demand for digital experiences, but the security offerings that protect those technologies are not experiencing that same level of transformation — and often erode the benefits of modern technology stacks,” said Kelly Shortridge, Senior Principal Technologist at Fastly. “Security tools should fuel innovation, actively support service resilience, and minimise disruption to software delivery workflows, rather than slowing build cycles and producing disjointed, unactionable, or irrelevant data.”
“The responsibility for protecting enterprise assets, data, and users from cyber threats no longer falls solely on the security organisation, even as the threat landscape becomes increasingly complex. Application security, in particular, is a team sport that requires input and cross-functional collaboration across many parts of an organisation,” said John Grady, Senior Analyst at ESG. “As a result, security professionals have become frustrated with the complex and siloed nature of traditional application security solutions that fail to address these issues. Modern businesses require uniform tools and approaches that can minimise vulnerabilities between their public cloud infrastructure, microservices-based architecture, and legacy applications, while supporting a variety of personas.”