As many businesses look to digitally transform, Sean Leach, Chief Product Architect at Fastly discusses how many are unprepared for the security issues this entails…
A year of transformation
The pandemic has accelerated many businesses’ need to digitally transform, from offering virtual services to clients to the sudden shift to remote working. This change has also triggered an increase in cybersecurity threats, with over 50% of organisations experiencing security breaches and cyber-attacks in 2020.[1] Both of these developments have increased the vulnerability of businesses that have had to adjust their web applications and security tools quickly. In fact, recent research has found that nearly half (46%) of businesses reported that their security infrastructure was not prepared to handle the changes brought about by COVID-19.[2]
This growing demand for digital transformation means that security is becoming more complex and costly for organisations, as they are increasingly required to protect both traditional and new architectures, in addition to cloud environments. As such, this article will discuss the current security issues facing those looking to digitally transform.
Web applications and API Security
The pandemic introduced a wave of new fraud trends, resulting in many businesses turning to more advanced web application and API security tools. The National Cyber Security Centre – part of GCHQ – disclosed it had identified more scams on the Internet in the last year than in the previous three years combined. In a recent survey we carried out at Fastly, we found that more than half of organisations (54%) believe that most, if not all, of their applications will use APIs in the next two years.[3] Despite this anticipated increase in API adoption, 50% of organisations stated that web application and API security is more difficult than it was two years ago, indicating struggles to maintain adequate security across new application architectures.[4] This is further substantiated by research from Salt Labs, which found that 94% of organisations have suffered an API-related security problem in the last year.[5]
But what’s driving these difficulties? Predominantly, the shift to public cloud and API-centric applications without a modern security solution to support those innovations. As organisations rush to implement faster, more agile technology, they are neglecting the security offerings that protect these technologies, or are using ineffective tools.
Ineffective tools leading to loss in revenue
Fastly found that, overall, UK businesses deploy an average of 11 web application and API security tools, spending close to £365,000 on these assets. However, 40% of all security alerts are still false positives. What’s more, 1 in 4 (23%) UK businesses have suffered a loss of revenue in the past 12 months as a result of false positives from web application and API security tools.[6] Rather than simply informing security experts of harmless events, these technologies are blocking them altogether and incorrectly reporting them as critical events.
Similar trends can be seen across the sector. Infosecurity Magazine found that 37% of respondents said they receive over 10,000 alerts every month, and over 52% of these alerts were false positives.[7] To put this into perspective, it usually takes a SOC analyst 10 minutes to assess a false positive, and the time necessary to assess 52,000 false positives on a yearly basis would take around 866 hours.[8] Security experts need to rethink how they use these tools and technologies to detect critical vulnerabilities, since the tools are no longer able to cope with the demands of the internet.
If not web app and API tools, what security is needed?
The past year has made it clear that current web app and API security solutions are neither efficient nor successful security tools for a business to base its digital services on. Whilst companies are keen to advance their technology, the security solutions that form the foundation of any successful business are being left behind. Given the legacy practice of bundling security tooling onto the end of the deployment pipeline in an effort to save time, it is clear that convenience can often come before functionality.
The result of this is, predictably, that security teams have limited time to identify weaknesses and implement protection. A better-rounded solution to ensure proper implementation of secure DevOps is to shift the perception of what this actually requires, changing it from a bolt-on to an integral part of the software development cycle. This will allow teams to focus on shipping secure software, as well as empower security professionals who had not previously been seen as integral parts of the team.
Experts should consider the higher security risk factors in their business infrastructure that have been driven by the pandemic. They must ensure Development, Security and Operations are collaborating efficiently enough to deal with new challenges. Alongside this need for more effective teamwork, businesses have to start employing a new breed of web app and API security tools that are able to distinguish real attacks from false ones. If not, they will continue to waste time on an overwhelming number of false positives. Those businesses that are able to build this fortified environment quickly will be the ones that succeed in their digital transformations.