Application Protection Research Series—Summary 2nd Edition
- by nlqip
Viewed in this way, our research illuminates some interesting aspects of the current state of security. In 2018, to the extent that new attack techniques and approaches emerged, it was largely in response to changes in how organizations design, create, and manage applications. The context that makes old attack techniques like injection and phishing newly relevant is the pattern of decentralization and disintegration that applications have been experiencing over the last few years. While this trend offers business advantages for organizations, it also transfers known risks into less familiar and less well-understood forms that the industry will take time to process.
In other words, attackers have not needed to come up with new tricks. They were able to wait until application owners changed things, usually in the direction of greater complexity and abstraction, and then exploit the resulting visibility challenges using slightly modified versions of attacks that are already well-known and understood. This is why formjacking, API hacking and phishing have the prevalence that they do today.