2. The threat less mentioned
Analysis of some of the biggest breaches of this century finds a great deal of attention paid to effects and less to causes. Of the top 25 breaches (ranked by number of records exposed), a perhaps surprising percentage (44%) were attributable to web application compromise.
[Chart: Data Exposed by Top 25 Breaches 2000-2014 through web application compromise. Individual breaches are plotted by year (2005-2014) and labelled by records exposed and data type: credit card numbers (CC), identities (ID) and personal information (PII).]
The outcome of successful web application compromise is troubling, with all three primary data types represented: credit card numbers, personal information and credentials. This stands in contrast to other breaches arising from stolen credentials or theft (the human element).

Similarly troubling is that the most vocal security initiatives of late have been SSL Everywhere and two-factor authentication. Both are certainly good practices and help improve security postures, but neither addresses the web application security needed to prevent the compromises that have exposed over 600 million records in the past 14 years.
SOURCES: Verizon DBIR 2014, trade publication reports
3. App layer confidence
Given the severity of outcomes experienced due to web application compromise in the past, it was somewhat surprising to find that the majority of respondents in our State of Application Delivery 2015 survey were confident or very confident on the topic of web application security. This led to further analysis of responses, with careful attention paid to the security practices in this arena as reported by respondents. We asked about very specific web application security practices with respect to protecting data across three primary surfaces: the client, the request and the response.

What we discovered was a high correlation between the attention paid to all three surfaces and the level of confidence in withstanding application layer attacks as reported by respondents.
SOURCE: F5 State of Application Delivery 2015
4. Best Practices
Web application security best practices focus on making decisions on whether to allow, deny or scrub data at different points in the client-app conversation:
• When the client first connects
• When a request from the client is received
• When a response from the app is received

Web application security services are able to make decisions regarding the legitimacy of the client based on variables like geolocation, operating system and device type; whether requests are malicious or not based on the presence of signatures and other malicious tells; and whether responses conform to expectations or contain sensitive data.

We asked respondents to categorize their protection at each of these three potential attack indicator points as either “always”, “sometimes” or “never”. Then we looked at these answers in relation to respondents' level of confidence. The correlation between the two was readily apparent: organizations employing more comprehensive web application security practices were highly confident in their ability to withstand an application layer attack.
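The three decision points described above, as an added example that is not part of the original report and not F5's own code. It models a minimal policy layer that allows or denies at the client and request surfaces and scrubs at the response surface; the country allowlist, device types, request signatures and the Luhn-filtered card masking are constructed illustrations, not the report's recommendations.

```python
import re

# Constructed policy values for illustration; a real deployment tunes these.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
KNOWN_DEVICE_TYPES = {"desktop", "mobile", "tablet"}
# Request signatures: "malicious tells" (SQL injection, XSS, path traversal).
REQUEST_SIGNATURES = [
    re.compile(r"(?i)\bunion\b\s+\bselect\b"),
    re.compile(r"(?i)<script\b"),
    re.compile(r"\.\./"),
]
# 13-16 digit runs, spaces or dashes allowed, starting and ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decide_client(client):
    """Surface 1, client connects: allow/deny on geolocation and device type."""
    if client.get("country") not in ALLOWED_COUNTRIES:
        return "deny"
    if client.get("device") not in KNOWN_DEVICE_TYPES:
        return "deny"
    return "allow"

def decide_request(request):
    """Surface 2, request received: deny when any signature matches."""
    for field in ("path", "query", "body"):
        if any(sig.search(request.get(field, "")) for sig in REQUEST_SIGNATURES):
            return "deny"
    return "allow"

def scrub_response(body):
    """Surface 3, response received: mask Luhn-valid card numbers, keep last 4."""
    def mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)  # not a card number, leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(mask, body)

def handle(client, request, upstream_response):
    """Run the three decision points in order; returns (decision, body)."""
    if decide_client(client) == "deny" or decide_request(request) == "deny":
        return "deny", ""
    return "allow", scrub_response(upstream_response)
```

The Luhn check is what keeps the response scrubber from masking order numbers or phone numbers that merely look like card numbers.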
[Chart: share of respondents who ALWAYS PROTECT each surface (Client, Request, Response), grouped by confidence level (Low Confidence, Confidence, High Confidence); x-axis 0% to 100%.]
SOURCE: F5 State of Application Delivery 2015
5. Comprehensive web app security practices lead to confidence

High Confidence
                    Client   Request   Response
Always Protect      66%      69%       63%
Sometimes Protect   17%      13%       14%
Never Protect       2%       1%        3%

Confidence
                    Client   Request   Response
Always Protect      59%      55%       37%
Sometimes Protect   26%      27%       34%
Never Protect       2%       4%        8%

Low Confidence
                    Client   Request   Response
Always Protect      41%      18%       41%
Sometimes Protect   47%      65%       41%
Never Protect       6%       6%        6%
6. Thank you
You can download the full State of Application Delivery 2015 report at http://f5.com/SOAD