A new report from content delivery network provider Cloudflare Inc. today warns of a rapid rise in web threats dominated by distributed denial-of-service attacks, bot traffic and rapid zero-day vulnerability exploitation.

The State of Application Security 2024 report is based on the analysis of HTTP traffic patterns observed between April 1, 2023, and March 31 this year. The patterns were across Cloudflare’s global network, including data from more than 57 million HTTP requests per second and blocking 209 billion cyberthreats daily, so the report provides a comprehensive view of the current web threat landscape.

Among the top findings in the report are that DDoS attacks continue to increase in number and volume, with DDoS attacks comprising 37% of all application traffic mitigated by Cloudflare. The top targeted industries for DDoS attacks were gaming and gambling, information technology and internet, cryptocurrency, computer software, and marketing and advertising.

The second most common form of traffic mitigated by Cloudflare was bots, with bot traffic accounting for 31% of all traffic, with 93% of bots potentially malicious. The most targeted industries by bots were manufacturing and consumer goods, cryptocurrency, computer and network security, and the U.S. federal government.

The report highlights an increasing trend in zero-day exploits and vulnerabilities in software or hardware that are actively exploited by attackers before developers can release a patch to fix them. In 2023, 97 zero-day vulnerabilities were exploited in the wild, with some attacks occurring within minutes of a proof-of-concept being published. The report notes that more than 5,000 critical vulnerabilities were disclosed last year, with the average time to release a patch for a critical web application vulnerability being 35 days.

Organizations using outdated approaches to securing application programming interfaces also get a shout-out. Cloudflare noted that many are still using traditional web application firewall rules that use a negative security model — the assumption that most web traffic is benign. Far fewer organizations were found to be using the more widely accepted API security best practice of a positive security model — that is, strict definitions of traffic that are allowed and rejecting the rest.

Third-party software dependencies are also noted to pose a growing risk. Enterprise organizations were found to use, on average, 47 third-party scripts — code hosted by a third party to enhance website functions. They also were found to use 50 connections to JavaScript functions — a set of statements that performs a task and 12 cookies, which are text files with small pieces of data, such as usernames and passwords. The report argues that as web development has largely shifted to allow these types of third-party code and activity to load in the end user’s browser, organizations are increasingly exposed to supply chain risk and liability and compliance concerns.

The report concludes by noting that the data is clear: The complexity of securing an organization’s applications and APIs from new risks continues to grow.

“Enterprises often have a disjointed patchwork of legacy and point products for security that make it hard to connect and protect their SaaS apps, web apps and other IT infrastructure,” the reports authors write. “The IT sprawl makes it easier for attackers to find and exploit vulnerabilities. The broad nature of web application and API threats requires specialized approaches to stop specialized attacks. However, a consolidated approach helps ensure better security, latency-free connectivity and business growth.”

Photo: Wikimedia Commons