Managed security service providers -- of the telecom and cloud variety -- have a significant opportunity to help enterprises tackle the rising number of application-level attacks, according to new research from Radware. (See Radware Report Highlights Application Security .)
The cybersecurity vendor's second annual web application security report, Radware Ltd. (Nasdaq: RDWR) 2018 State of Web Application Security, says application-level attacks are on the rise and growing more complex with 89% of respondents experiencing attacks against web applications or web servers in the past year, and 59% reporting daily or weekly attacks.
"There is definitely some cognitive dissonance here," says Mike O'Malley, Radware's vice president of carrier strategy and business development. On the one hand, enterprises admit they haven't done a good job of protecting at the application layer, including APIs, nor have they addressed encryption very well, he notes. "But at the same time, they say they are fairly confident they can handle things going forward which on the face of it doesn't make a lot of sense."
More companies are opening up their APIs to third parties, but most of those APIs aren't encrypted nor are enterprises requiring authentication, which is creating a major point of vulnerability, he adds. O'Malley points to the massive breach involving Facebook's API as a good example of what enterprises could be facing, especially given how little attention they are currently paying to the threats there.
And that's where the opportunity for managed service providers comes in, he says. Eighty-six percent of those surveys trust service providers to provide a high level of security so managed security service providers should be able to increase sales by offering application-layer protection, he says.
"By and large, the majority aren't doing much in terms of APIs, 62% are not encrypting APIs, and 70% say they have no authentication, so anyone can get in," he says in an interview.
Managed service providers are in a position to both educate customers about this growing source of vulnerability and provide them with reasonable options, O'Malley says. Of course, Radware has a stake in that game, since it sells to service providers as well as enterprises. Key to Radware's pitch is the machine learning and intelligence built into its systems to help application security adapt to updates on applications, which today happens daily or even hourly, he adds.
"Companies need to build application security in a framework where you can easily update and change applications," O'Malley says. Without intelligent applications protection that enables rapid changes and allows security applications to learn the new behavior of an app, "the economic model breaks down, based on the operational cost alone."
Even high-profile attacks such as what happened to Facebook may not convince enterprises of the need to be proactive in protecting their APIs and applications, O'Malley says.
"The chances are unless a company is hacked or a competitor or someone in their industry is attacked, they aren't going to do anything," he says.
— Carol Wilson, Editor-at-Large, Light Reading