Executive Summary

Like coral reefs teeming with a variety of life, web applications are “colony creatures.” They consist of a multitude of independent components, running in separate environments with different operational requirements and supporting infrastructure (both in the cloud and on premises) glued together across networks. In this report, we examine that series of interacting tiers—application services, application access, transport layer services (TLS), domain name services (DNS), and the network—because each one is a potential target of attack.

To get an objective viewpoint on how applications are being attacked, F5 Labs looked at data from a variety of sources, including our own internal datasets, WhiteHat Security vulnerabilities, Loryka attack data, and a Ponemon security survey of IT professionals commissioned by F5.

In addition, we worked with faculty from the Whatcom Community College Cybersecurity Center to perform an extensive review of breach notification records in California, Washington, Idaho, and Oregon. (In each U.S. state, it is the state attorney general’s office that oversees and is responsible for enforcing state breach disclosure laws and notifications. Because of this role, some states publish data breach notification letters.)

In these four states, we analyzed 301 breaches in 2017 and Q1 2018 and found that web application attacks were the top cause of all reported breaches at 30%. Earlier research done by F5 Labs into 433 major breach cases spanning 12 years and 26 countries found that applications were the initial targets in 53% of breaches.

Protecting applications has always been a critical task and will continue to be in the future.

But, what do CISOs need to know now?

What Apps Do We Use and Where Are They?

Our F5 Ponemon survey, Web Application Security in the Changing Risk Landscape: Global Study, found that a majority of organizations have little confidence in their ability to keep track of all their applications. Thirty-eight percent of respondents said they had “no confidence” in knowing where all the applications were in their organization. Yet, at the same time, respondents reported that 34% of their web applications were mission critical. Among the most commonly used web apps were backup and storage (83%), communication applications like email (71%), document management and collaboration (66%), and apps in the Microsoft Office suite (65%).