A Q&A Featuring Forrester: Web Application Attacks, E-Commerce Inventory Hoarding Bots and CAPTCHA
Our Field CTO, Michael Smith, recently hosted a webinar, Future-Proofing Your Web Application Firewall (WAF), with Guest Speaker Sandy Carielli from Forrester. He reached out to Sandy to elaborate on a few of the issues they discussed regarding how to ensure your WAF has what it takes to meet future challenges. We believe that it is important to consider the changing threat landscape as your security plans evolve.
At Neustar Security Services, we see a lot of the more traditional WAF attacks in our logs: SQLi, XSS, etc. What are you seeing as the latest macro trends in web application attacks over the past 12-24 months?
Traditional WAF attacks remain a concern, certainly, but in 2022, software supply chain attacks and software vulnerabilities were the top causes of external attacks that led to breaches. Traditional web application flaws were also in the top ten. What it all means is that attackers continue to leverage flaws in applications and in the software supply chain to exploit organizations. The good news is that firms recognize the challenge – improving application security is the top tactical priority among security leaders for the next year.
If we go back 10 years ago, the main reason that people were buying WAF was because of compliance, and PCI-DSS is listed quite frequently. But our experience with Log4J shows that virtual patching is very mainstream. What other use cases have you seen for WAF and bot management solutions?
While compliance is a use case for web application firewalls, it is not the most critical use case – customers expect WAFs will meet their compliance requirements, but they look for WAFs to protect their applications against a range of application-based attacks, including zero-day attacks. Many customers also expect WAFs to protect their APIs and mobile applications. Customers look to bot management solutions to protect themselves from a range of business logic attacks, including credential stuffing, inventory hoarding, ad fraud, card fraud, and web scraping.
We're used to seeing the usual eCommerce inventory scraping and hoarding bots. According to your research, which types of bot attacks and corresponding use cases for protection are the most prevalent?
Inventory hoarding bots remain popular, as you noted, and they adapt to go after whatever the most desirable inventory is – gaming systems, graphics cards, toilet paper, NFTs. The bot attack of most concern for security leaders remains credential stuffing, attackers buying up stolen credentials and attempting to use them on another website. Other attack types include web scraping and ad fraud. Attackers will also use bots to conduct web recon, looking for standard app sec flaws and CVE exposures and then using that information to mount a more sophisticated attack later. As firms look to protect themselves from bot attacks, they are also prioritizing solutions that minimize friction for legitimate human customers – no one wants a bot management solution that frustrates and turns away your real customers as it blocks the bots.
Since this is about attacks of the future, what kind of currently emerging web application attacks do you think will be prevalent 6 months from now? What are your customers seeing?
As applications evolve, attacks evolve with them. We will continue to see a lot of attacks leveraging APIs because API security is still emerging, and customers struggle to address it holistically. In the last year, we have seen many attacks on Web3 applications, and we expect this to continue – note that most of these attacks are not on the distributed aspects of the Web3 app but on the centralized components.
Our Web Application Firewall and Bot Management supports CAPTCHA, but we've had mixed responses from customers on whether they want to use it or not. Can you tell us a little more about what web visitors think of CAPTCHAs?
Our research into Captchas was surprising. Traditional Captchas have a bad reputation as very frustrating – who likes finding all the traffic lights in a picture? Some customers shared that they have abandoned transactions due to frustrating Captchas or challenges. However, it's worth noting that customers will also abandon a site if it appears unresponsive, so if your frictionless challenge causes the site to respond slowly, that will also frustrate customers. In addition, some customers shared that Captchas make them feel safer on a site – whether that's because of the Captcha itself or because it might be a sign that the site owner takes security seriously in other areas, we're not sure. But it speaks to the value of some low-friction visual indicator that shows how we are battling the bots.