Radware recently conducted its third annual State of Web Application Security survey, polling 280 senior executives and security chiefs at companies with worldwide operations about their key IT security concerns. The study examines the state of application security, the security practices being followed, and the impact on organizations transitioning to microservice architectures. This blog outlines the report’s key findings on automated threats, based on our analysis of traffic passing through our customers’ networks over the last 12 months.
Three statistics stood out in this year’s survey:
- Trust in cloud service providers’ level of security dropped from 86% in the 2018 survey to 72% this year. This is possibly due to the growing number of high-profile data breaches, which have fueled the large numbers of account takeover attacks widely reported in recent months.
- Only 9% of respondents said that their organizations achieved greater than 99.9% availability for application services. Even 99.9% uptime implies over 500 minutes of downtime in a year. Bot attacks that cause application DDoS and API abuse add to this, and when successful they can lead to a range of negative consequences for organizations.
- Nearly half said that bad bots accounted for more than 40% of the total traffic to applications on their networks. This remarkable figure shows that it’s more crucial than ever to secure web and mobile applications from malicious bots.
AN OVERVIEW OF BOT ATTACKS, THEIR ORIGINS AND TARGETS
Bots are getting progressively better at passing themselves off as humans in the way they perform taps, keystrokes, and mouse movements to evade conventional security measures. In addition, ‘low and slow’ distributed attack techniques that leverage a multitude of device IDs and IP addresses make it much easier for them to overcome basic security systems and carry out account takeovers, carding attacks, content scraping and DDoS attacks.
The most common attacks that our respondents faced at least once every day were web scraping, denial of inventory, and skewed analytics, at 17% each. Denial of service attacks were experienced by 16%, while account takeover and payment card fraud were reported by 15% of those surveyed.
Bad bot volumes across our customer base have grown to 28% over the previous 12 months.
This year, Liberia and Thailand entered the ranks of the top five originating countries, and China came in at the top of the rankings. Last year, the Russian Federation ranked first, followed by Germany, the Netherlands, and China.
While second-generation ‘headless browsers’ (browsers that are operable in headless mode) continue to lead in bot volumes, fourth-generation humanlike bots are growing in numbers.
Real estate, media, and classifieds are the industries most attacked by bad bots, which heavily target them to scrape valuable content and listings.
A few months ago, Radware’s 2019 Executive Survey found that 72% of executives discussed cybersecurity at every boardroom meeting. We have good reason to anticipate that this figure is only going to increase with the proliferation of damaging bot attacks and the resultant media coverage around them. As Black Friday approaches, cybercriminals are gearing up to commit account takeover and carding attacks on consumers on a greater scale than ever before. In addition, fraudsters will be attacking e-commerce and travel sites to carry out cart abandonment and denial of inventory attacks.
Clearly, the growing cost of bad bot attacks and the harm they cause are not going unnoticed in C-suites around the world. Download your copy of the Radware 2019 State of Web Application Security survey here.