5 Predictions to Help You Focus Your Web Application Security Resources in 2022
This is the year business leaders will learn just how innovative online criminals have become, and it will take a rethink of how we think about account security to fight it, says Ido Safruti, CTO of PerimeterX.
The past year in web application cybersecurity has been anything but calm, and if PerimeterX CTO Ido Safruti’s forecast for the coming year is correct, it will be another year of struggling to protect web applications.
Safruti predicts a 2022 in which tailor-made malware, bot attacks and post-login fraud increase, forcing executives to finally face the reality of online fraud: it varies widely, becomes more selective in its targets and is present everywhere from before logging in to well after entering a username and password. “For this reason, we believe 2022 will be the year of full account protection,” Safruti said.
By “full account protection”, Safruti means security that goes beyond perimeter identity checks and old-fashioned moat-style defenses. “This means approaching security from a user’s account integrity perspective and providing multiple levels of protection throughout the application journey and the account lifecycle,” said Safruti. Think of zero trust and other forms of identity verification that track behavior and record actions in order to spot suspicious activity.
Safruti and PerimeterX make the following five predictions for web application security in 2022, and the overall picture is one of a gathering security storm with only limited solutions on the horizon.
In case you are curious whether these forecasts are reliable, Safruti points to the report card for last year’s predictions. Three out of five (that cybercrime communities would grow stronger, that GraphQL would become a security risk, and that flash sales would be dominated by bots) were rated correct. DevSecOps going mainstream was judged “hard to call”, and the idea that buy-online-pickup-in-store would become a major new type of fraud was branded as bogus.
Expect supply chain attack prevention to become more important
Nobelium, the group behind the SolarWinds attack, has already resurfaced to hit additional targets using similar methods: supply chain attacks that exploit weaknesses in third-party software. Combined with increasingly stringent data protection regulations, Safruti predicts a year in which companies will begin to treat downstream vendor weaknesses as a serious liability issue instead of just a cost of doing business.
“92% of website makers don’t have full visibility into their software supply chains. Obtaining this visibility will be a top priority for companies aiming to prevent a major data breach and avoid massive regulatory fines in 2022 and beyond,” said Safruti.
Custom malware will hit over 50% of top 100 markets
It is well known that malware can be found for sale on the Internet, ready to be personalized and sold and supported by its developers, and over time those developers only become more capable of tailoring their malware to make it more effective.
Standardized attack tools are cheap, and free videos are available online to help aspiring cybercriminals learn how to use them, Safruti said. “We are seeing the rise of a ‘Crime as a Service’ (CaaS) ecosystem, which is fueling a slight increase in custom malware targeting specific applications or websites. With its low barrier to entry and high potential for results, custom malware will become a more popular attack vector in 2022,” said Safruti.
The post-login environment will start to draw attention to security
We live with our feet in two worlds of security: the old one, which relied on login to verify identity, and the new one, in which a username and password are far from sufficient to verify that a person is who they say they are. Even multi-factor authentication only adds to the security of the perimeter, making it a beneficial but not permanent solution.
“In 2022, we expect online businesses to adopt solutions that address this problem. Understanding whether a user is who they claim to be – and whether their post-login activity is legitimate – will be critical to maintaining account integrity,” Safruti said.
Fraud will lose value for a large business this year
“In the past, many companies have brushed aside fraud as a simple cost of doing business,” Safruti said. That is no longer the case: he predicts that global fraud against online businesses will grow to the point of having a material impact on a business.
“Recent research has shown that bad bots negatively impact 75-80% of the operating costs of online retailers, which represents between 18% and 23% of net sales. When fraud results in an impact of a few cents on earnings per share (EPS), it will serve as a red flag for companies to become more proactive,” said Safruti.
At least one major retailer will drop the password
There are a lot of credentials available for sale on the dark web. As an example, Safruti cites a 1.2TB database released in June 2021 that contained information from over 3.2 million Windows computers, including over 400 million valid web connection cookies.
“Because stolen credentials are so widely available, obtaining usernames and passwords is no longer a cybercrime deterrent. Companies must therefore rethink their fraud prevention strategy,” said Safruti. He predicts that 2022 will be the year when one or more large consumer-oriented companies “completely eliminate the need for credentials by adopting more robust solutions that do not rely on credentials alone.”
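Two of the predictions above share a theme: a successful login (or a stolen session cookie that skips the login entirely) says little about who is actually driving the session afterwards. The following Python snippet is an added example, not PerimeterX’s code or anything described in the article, of the kind of post-login session integrity check that theme implies. It assumes a constructed event schema (session id, user, client IP, user-agent string, action name) and constructed thresholds; it binds a session to the context seen at login, flags later events whose context differs (the shape a replayed stolen cookie takes), and flags bursts of sensitive actions within a short window.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed event schema; real systems would carry far more fields.
@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (constructed values below)
    session_id: str
    user: str
    ip: str
    user_agent: str
    action: str        # "login", "view", "checkout", "change_email", ...

# Assumed: which actions count as sensitive, and how many may occur per window.
SENSITIVE_ACTIONS = {"change_email", "change_password", "add_payee", "checkout"}
VELOCITY_WINDOW_SECONDS = 60
VELOCITY_MAX_SENSITIVE = 3


def detect_session_anomalies(events, window=VELOCITY_WINDOW_SECONDS,
                             max_sensitive=VELOCITY_MAX_SENSITIVE):
    """Return a list of (session_id, ts, finding) tuples.

    Findings:
      no_login_for_session     - activity on a session never seen logging in
      session_user_mismatch    - event claims a different user than the login did
      session_context_changed  - IP or user-agent differs from the login context
      sensitive_action_velocity- more than max_sensitive sensitive actions in window
    """
    bindings = {}                      # session_id -> (user, ip, user_agent) at login
    sensitive_times = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login":
            bindings[ev.session_id] = (ev.user, ev.ip, ev.user_agent)
            continue
        bound = bindings.get(ev.session_id)
        if bound is None:
            findings.append((ev.session_id, ev.ts, "no_login_for_session"))
            continue
        user, ip, user_agent = bound
        if ev.user != user:
            findings.append((ev.session_id, ev.ts, "session_user_mismatch"))
        if (ev.ip, ev.user_agent) != (ip, user_agent):
            findings.append((ev.session_id, ev.ts, "session_context_changed"))
        if ev.action in SENSITIVE_ACTIONS:
            times = sensitive_times[ev.session_id]
            times.append(ev.ts)
            # Drop timestamps that have fallen out of the sliding window.
            while times and times[0] < ev.ts - window:
                times.pop(0)
            if len(times) > max_sensitive:
                findings.append((ev.session_id, ev.ts, "sensitive_action_velocity"))
    return findings


# Constructed sample: s1 is a normal session; s2 is a session whose cookie is
# reused from a different IP and browser and then used for a burst of changes.
SAMPLE_EVENTS = [
    Event(1000, "s1", "alice", "203.0.113.10", "UA-1", "login"),
    Event(1010, "s1", "alice", "203.0.113.10", "UA-1", "view"),
    Event(1100, "s1", "alice", "203.0.113.10", "UA-1", "checkout"),
    Event(2000, "s2", "bob", "198.51.100.7", "UA-2", "login"),
    Event(2010, "s2", "bob", "198.51.100.7", "UA-2", "view"),
    Event(2020, "s2", "bob", "192.0.2.99", "UA-3", "change_email"),
    Event(2025, "s2", "bob", "192.0.2.99", "UA-3", "add_payee"),
    Event(2030, "s2", "bob", "192.0.2.99", "UA-3", "change_password"),
    Event(2035, "s2", "bob", "192.0.2.99", "UA-3", "add_payee"),
]


def sample_findings():
    return detect_session_anomalies(SAMPLE_EVENTS)


if __name__ == "__main__":
    for session_id, ts, finding in sample_findings():
        print(f"{session_id} t={ts} {finding}")
```

A context change on its own is a weak signal (mobile carriers rotate addresses, browsers update their user-agent strings), so in practice it is better used to trigger step-up verification before the sensitive action completes than as a hard block; the velocity finding, by contrast, is a strong indicator on its own because legitimate users rarely change email, password and payee details within a minute.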