Why Government Must Revolutionize End-to-End Application Security

MARKET TRENDS REPORT
Introduction

Sometimes you have to watch a process unfold completely in order to recognize exactly what you’re looking at. In the same way that caterpillars, viewed in isolation, reveal little about the shape or behavior of butterflies, the early days of the internet did not make clear what form the application economy would take. Many of the early challenges that the original internet architects overcame were about enabling the transmission of human-structured information. Processing and storage were local tasks. For some time, it appeared to all but the most prescient that it would stay that way. And yet, in retrospect, we can see that as challenges at other levels of abstraction were solved, applications, specifically web applications, were always going to become the focal point for entities on the internet. The varied functionality that drives traffic on the internet — email, search, social media, e-commerce, audio and video streaming, online banking, and everything else — is nothing more than an increasingly interconnected ecosystem of web applications. As digital transformation efforts proceed apace, even application support functionality such as networking and infrastructure is increasingly being addressed through, and at the level of, applications.

The result is that applications have gradually but clearly become the internet’s defining structure. So it is not surprising that, according to Gartner, 80% of all attacks are at the application layer.

Attacker techniques have become focused on apps to a greater and greater degree, exploiting either the vulnerabilities that inevitably crop up through their development and deployment, or the assumptions of the people using them. Any way you look at it — by targeted ports, the biggest or most newsworthy exploits, or the focus of the most advanced state-sponsored threat actors — applications are attackers’ most valued targets, just as they are system owners’ most prized assets. Agencies can block attacks and prevent breaches. By investing in technology solutions and approaches that address this critical problem, agencies can adopt comprehensive application security, protect their data, reduce fraud and continue to serve the public.

In this market trends report, GovLoop partnered with F5, a leader in application services and application delivery networking, to explore the future of comprehensive application security in government. We’ll also explore F5’s recent acquisition of Shape Security, which focuses on fraud and abuse prevention, and gain insights from Michael Plante, Vice President of Product Marketing in the Shape product group at F5.
By the Numbers: Application Security

98%: The F5 2020 State of Application Services report reveals that 98% of the study’s respondents listed their application portfolios as either mission-critical or providing competitive advantage. Source: F5

29%: Between 2017 and 2019, the average number of applications per enterprise grew from 765 to 983, a gain of 29%. Source: F5

$40 billion: Applications have become the focal point for cybercriminals, who steal more than $40 billion in value and cost enterprises more than $105 billion in total losses annually. Source: F5

71% of breaches in 2019 were the result of an access or web attack. Source: F5

50%–98% of login traffic on web applications consists of automated attacks. Source: F5

Government entities are already behind in implementing static application security testing; at their planned adoption rate, they won’t reach the current adoption average for all industries. Source: The State Of Government Application Security, 2020

“Malicious attackers stand ready to target government agencies and their treasure trove of data. Applications remain the biggest external attack method, and government entities must aggressively protect applications to secure the data these apps create and access.” Source: The State Of Government Application Security, 2020
The Challenge: Phishing and an Expanded Attack Surface

Federal agencies face difficult challenges: cyberattacks, mobile access, data center consolidation, cloud deployments, complex application environments and constantly increasing network traffic. At the heart of it all, budget constraints demand smart, affordable solutions that make government systems more secure, resilient and flexible. Applications are one way that governments are rising to the occasion.

The rapid increase in government applications has created significant benefits for the public sector. New applications help agencies better meet constituent demands for streamlined, multichannel experiences, without requiring costly hardware replacements. They can also be developed to provide employees with innovative digital tools to do their jobs more efficiently. “There’s no doubt: The government has heartily embraced digital transformation,” Plante said. “And applications are a central part of this critical era in government.” But as software applications transform government, they also expand its potential attack surface and increase the potential for fraud and abuse, particularly through phishing attacks.
There is a reason attackers use phishing: it works. After 10 security awareness training events, organizations saw their employees’ click-through rate on phishing emails fall from 33% to 13%. But that also means that even after extensive training, employees will still click a phishing email 13% of the time. When a phishing attack successfully installs malware, that malware phones home over encrypted ports 54% of the time during the off-season and up to 68% of the time during the peak U.S. holiday shopping season. If organizations are not decrypting and inspecting that traffic, there is a good chance malware is running undetected on their networks.

Attackers are also opportunistic. Given that we are still in the midst of a pandemic, agencies should be on high alert for phishing attacks against employees and against the people who interact with their applications. Psychological attacks that prey on fear and anxiety, targeting people seeking health information or the status of financial transactions and essential supply orders, increase sharply during a time of crisis.
The Solution: A Modern Application Protection Platform to Prevent Fraud and Abuse

Anti-distributed denial-of-service (DDoS) solutions protect application infrastructure from being overwhelmed by volumetric denial-of-service attacks. And web application firewalls protect against injection flaws, cross-site scripting, known software vulnerabilities and the other attacks on the Open Web Application Security Project’s (OWASP) Top 10 risks list. But to stop credential stuffing, account takeover, fraudulent account creation and other impersonation attacks that pass through those controls because they exploit no vulnerability, agencies need an additional defensive layer.

That defensive layer must be able to uncover the lies that attackers tell in response to three basic questions:
1. Are you human?
2. Are you good or bad?
3. Are you who you say you are?

A modern application security platform must be able to maintain public trust by ensuring that sensitive data stored in accounts, including personally identifiable and benefits information, is safe. It needs to meet accessibility requirements, enabling universal access. Finally, it must be able to use AI so it can autonomously evolve ahead of attackers and provide actionable threat intelligence and security consultations.

The most accurate and effective solutions leverage highly sophisticated cloud-based analytics to discern good traffic from bad. Doing so dramatically reduces the time and resources agencies need to deploy world-class online fraud and abuse protection.

That shift must also account for how criminals attack applications today, and acknowledge that this is different from how they attacked IT infrastructure in the past, Plante said. To address this problem, modern technology solutions must bring new capabilities, such as artificial intelligence (AI), to bear, he said.
Best Practices: Improving Application Security

Agencies can take several critical steps to protect their applications:

1. Keep the app online. DDoS attacks are a critical threat to keeping an application online. They are one of the most effective ways for malicious actors to violate an application’s availability, preventing legitimate users from connecting to the resources they should have access to. Your security solution must offer comprehensive protection and fit easily into the environment that makes sense for your agency so your app can stay online and available at all times.

2. Prevent hacking. Attackers will probe any part of an application service that is visible on the internet, either directly or indirectly, for possible exploitation. This surface is broad, given an app’s multiple tiers and the ever-increasing use of application programming interfaces (APIs) to share data with third parties. All exposed pieces should be access-controlled, patched and hardened against attack. A modern web application firewall (WAF) can buy you time to do this. Some WAFs can perform “virtual patching”: they scan application traffic and block requests that match known exploits, drawing on automatic signature updates from threat intelligence feeds and on vulnerability scans of your environment. Virtual patching is a stopgap; the underlying flaw still has to be fixed.

3. Protect the app from fraud and abuse. To successfully attack applications that are otherwise well coded and secure, attackers must blend in with legitimate users. A modern security platform uses AI and cloud-based analytics to separate, in real time, automated attack traffic and human fraudsters from legitimate users, thereby protecting applications from credential stuffing and other attacks while maintaining a balance between usability and security.

4. Think broadly about and plan for holistic application protection. “You must think about protecting every aspect of your application that might get attacked, not just the login experience, though you can start there,” Plante said. “But make sure you know that cybercriminals may then shift focus to password reset or new account creation and other applications, like mobile apps or APIs. An agency must holistically think about all attack surfaces altogether.”
Case Study: Reducing Fraud and Protecting Citizen Info

The U.S. government serves more than 100 million households and processes more than $2 trillion in payments and benefits. It makes sense, then, that cybercriminals view government agencies as prime targets for large-scale automated attacks. Using credentials stolen from other websites, attackers use automation to test large numbers of username and password pairs in order to take over accounts and steal valuable information and assets. Cybercriminals using automated techniques and stolen credentials were able to take over half of the accounts they targeted at one U.S. government agency. Attackers succeeded even though the agency authenticated website visitors by challenging them with a series of questions based on information that was supposed to be uniquely available to the agency and that only the account holder should be able to answer.

The agency needed a new approach to fighting fraud. It evaluated anti-automation options and chose Shape for its ability to stop unwanted automation effectively and transparently at the agency’s operational scale. The agency also needed technology that was backward-compatible with its legacy web applications and complied with accessibility regulations. Shape’s implementation team, which has deep skills in browser technologies, worked closely with the agency’s security team to test and verify backward compatibility. The agency stopped the attacks within two days of deploying Shape’s countermeasures, preventing costly cyber fraud.
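The attack the case study describes, stolen credential pairs replayed by automation, leaves a recognizable trace in an agency’s own authentication logs even before a bot-defense product is in place: one source tries many different usernames, roughly once each, and fails most of the time. The following is an added example, not code from this report, from F5 or from Shape, that applies that heuristic to a constructed set of login events. The log format, the IP addresses, the usernames and the thresholds (five distinct usernames and an 80% failure rate within five minutes) are all assumptions chosen for illustration.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not from the report, F5 or Shape). Heuristic: a stuffing
source tries many *different* usernames, about one password each, and
fails most of the time. A normal user (one username, a few attempts) and
a targeted brute force (one username, many attempts) do not match.
The log format, addresses, usernames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line:
#   "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
# 198.51.100.7 is a legitimate user who mistypes once, 192.0.2.44 is a
# brute force against a single account, 203.0.113.9 replays a stolen list.
SAMPLE_LOG = """\
2020-04-01T09:00:01 198.51.100.7 alice SUCCESS
2020-04-01T09:00:05 198.51.100.7 alice FAIL
2020-04-01T09:00:09 198.51.100.7 alice SUCCESS
2020-04-01T09:02:00 192.0.2.44 bob FAIL
2020-04-01T09:02:03 192.0.2.44 bob FAIL
2020-04-01T09:02:06 192.0.2.44 bob FAIL
2020-04-01T09:02:09 192.0.2.44 bob FAIL
2020-04-01T09:02:12 192.0.2.44 bob FAIL
2020-04-01T09:02:15 192.0.2.44 bob FAIL
2020-04-01T09:03:00 203.0.113.9 carol FAIL
2020-04-01T09:03:01 203.0.113.9 dave SUCCESS
2020-04-01T09:03:02 203.0.113.9 erin FAIL
2020-04-01T09:03:03 203.0.113.9 frank FAIL
2020-04-01T09:03:04 203.0.113.9 grace FAIL
2020-04-01T09:03:05 203.0.113.9 heidi FAIL
2020-04-01T09:03:06 203.0.113.9 ivan FAIL
2020-04-01T09:03:07 203.0.113.9 judy FAIL
"""


def parse_events(text):
    """Parse log lines into (time, src_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.8):
    """Return {src_ip: summary} for sources whose activity in any `window`
    spans at least `min_users` distinct usernames with a failure rate of at
    least `min_fail_rate`. The summary lists accounts that logged in
    successfully from that source: those are the likely takeovers."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fail_rate = sum(1 for e in win if not e[3]) / len(win)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                # Keep the widest matching window so the summary is complete.
                if best is None or len(users) > best["distinct_users"]:
                    best = {"attempts": len(win),
                            "distinct_users": len(users),
                            "fail_rate": fail_rate}
        if best is not None:
            best["compromised"] = sorted({e[2] for e in evs if e[3]})
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run stand-alone, it reports only 203.0.113.9, together with the one account (dave) that authenticated from that source, which is the account to lock and reset. The single-account brute force and the legitimate user’s mistyped password are deliberately in the sample and are not flagged. Two caveats matter in practice: attackers spread stuffing across many proxy addresses so that each source stays under any per-IP threshold, which is why the report argues for behavioral and cross-request analytics rather than address counting alone, and a password spray (one common password tried against many usernames) looks identical at this level, so the response is the same.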
How F5 and Shape Security Can Help

Recently F5 completed the acquisition of Shape, a leader in online fraud and abuse prevention, adding protection from automated attacks, botnets and targeted fraud to F5’s world-class portfolio of application services. F5 and Shape offer comprehensive multi-cloud application security that slashes fraud and abuse, prevents reputational damage, and eliminates disruptions to critical applications. This acquisition brings together F5’s expertise in protecting applications across multi-cloud environments with Shape’s fraud and abuse prevention capabilities to transform application security. “Today, the bad guys are weaponizing data and AI and are becoming very sophisticated in their attacks,” Plante explained. “Shape has an AI platform to detect fraud and abuse. With this acquisition, this now gets extended across our entire application security portfolio.” Learn more at: www.F5.com/federal and www.ShapeSecurity.com
Conclusion

As digital transformation continues to reshape government, agencies must not forget a critical underpinning of this era: application security. It is not lost on attackers of all stripes — criminal, nation-state, terrorist or hacker — that governments increasingly rely on applications to engage with and serve their constituents. Protecting applications must be the No. 1 mission for agency security teams today. Special consideration should be given to emerging types of application attacks that bypass mainstream security controls, attacks that require no coding flaws or vulnerabilities in your application. This class of attack works even against correctly coded applications that have undergone code scanning and are part of a well-run, secure software development lifecycle. These attacks involve fake traffic: synthetic identities and the emulation of real users. The valuable data and information exchanged between agencies and the public must be kept secure now more than ever to protect our population and our infrastructure. To do that, a shift toward modern application security platforms and mindsets is needed.
ABOUT F5

F5 powers applications from development through their entire lifecycle, across any multi-cloud environment, so our government customers can deliver differentiated, high-performing and secure digital experiences. For more information, go to f5.com/federal. You can also follow @f5networks on Twitter or visit us on LinkedIn and Facebook for more information about F5, its partners and technologies.

ABOUT GOVLOOP

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop