Application security

The State of AppSec in 2024: Expanded use, expanded attack surface


In 2024, application security is a balance of two opposing forces. One is the rapid expansion of APIs cybersecurity professionals must protect, coupled with an expanded attack surface that includes the cloud. On the other side is threat actors taking advantage of both these Achille’s heels and the slew of vulnerabilities and supply chain weaknesses that come with them.

An SC Media analysis of current challenges, threats and solutions  — that of course include AI  — paints a hopeful but challenging picture for the state of AppSec. As always, the state of AppSec is in flux with companies scrambling to manage too many APIs, struggling to keep track of them and playing catch up to secure them.

What follows are mid-year insights gathered from the RSA Conference and recently published reports from industry leaders.

AppSec threats and challenges grow

With up to 91% of web traffic now comprising APIs, and the average enterprise using more than a thousand applications, according to Akamai, the sheer size of the application attack surface is a core security challenge.

Compounding the problem, organizations are deploying applications at a faster rate and at a higher volume than they can reasonably secure them, creating a ripe situation for security vulnerabilities to go overlooked and unresolved. In 2024, despite AI and automation being all the rage, Crowdstrike found that most organizations were still keeping track of their apps and APIs manually via documents (74% of orgs) and spreadsheets (64%). Additionally, Cycognito’s 2024 State of Web Application Security Testing report published June 5, found that 70% of survey respondents said the number of web apps in their environment was too high to be able to adequately test them all. Nearly three-fourths of respondents said they tested their web apps monthly or even less frequently, leaving more than 40% of their attack surface untested at any given time.

Between 2023 and 2024, cyberattacks targeting APIs have more than doubled, and 29% of web attacks now target APIs, Akamai Senior VP and CSO Boaz Gelbord said during his keynote presentation at RSAC 2024 titled “Securing the Modern Application: From Code to Infrastructure.”

“It’s getting more and more complex for us as defenders to spot that malicious traffic and easier for attackers to do what they need to do,” Gelbord said.

The supply chain challenges continue

Throwing another wrench in the challenge of AppSec is an increase in supply chain attacks, which includes both hacking of organizations through the third-party apps they use, and attacks leveraging third-party code dependencies in one’s own applications, such as the infamous XZ utils backdoor that was fortunately caught before it could cause any major damage.

Verizon’s 2024 Data Breach Investigations Report counted a 68% increase in the proportion of breaches involving supply chain interconnection between 2023 and 2024. Open-source software has a large role to play in this, with ReversingLabs finding in its State of Software Supply Chain Security 2024 report that open-source package threats rose a staggering 1,300% from 2020 to 2023.

Meanwhile, open-source adoption is increasing, with OpenLogic finding more than two-thirds of organizations increased their use of open-source software in 2023.

As with the sprawl of managing hundreds or thousands of applications, teams are finding it hard to catch up with a growing number of open-source dependencies, with 79% of respondents to OpenLogic’s survey saying they found maintaining open-source security challenging and 27% saying they were not even aware of what open-source security tools their organization was using.

At RSAC 2024, Veracode SRO Chris Eng and Cyentia Institute Co-founder and Chief Data Scientist Jay Jacobs noted that 79% of open-source libraries are never updated. Their session, “Quantifying the Probability of Flaws in Open Source,” offered guidance for using the OpenSSF ScoreCard to asses open-source supply chain risk, while also pointing out flaws and limitations in its implementation.

AI to the rescue?

Artificial intelligence (AI) has been largely discussed as both a risk and a benefit in cybersecurity, including application security. AI may enable threat actors to automate attacks on API endpoints, but this was already the case prior to the AI boom of the last couple years. The larger risk may be the rapid adoption of AI in applications without organizations taking the needed time to assess new risks and vulnerabilities it may introduce.

However, AI is likely to be more of a boon than a threat when it comes to application and API defense. In the RSAC 2024 session “The Next Application Security Frontier: AI-Ready API Defense,” Charles Herrin, field CTO of API security, and Byron McNaught, principal technical marketing manager, F5, described three ways defenders can use generative AI to manage their APIs and better understand API threats.

Firstly, large-language models (LLMs) can be used to train and refine machine learning (ML) detection models for API defense by quickly creating accurate classifiers and signatures. Secondly, AI models can be used to generate visualizations of API activities using plain language prompts, such as "How many times did that attack happen in the last week?”

Finally, LLM-driven virtual assistants, or chatbots, can simplify searches, make recommendations and help with troubleshooting.

“How we’re going to simplify complexity, mitigate risk and deal with the staffing shortages — that’s going to be where generative AI comes in and leads the pack,” said McNaught.

Hardening AppSec defenses, beyond AI

Adopting reliable ways to keep track of applications and their components, and mitigating vulnerabilities as early as possible, will also be key to improving AppSec in 2024.

Vulnerability management is especially crucial as data breaches involving vulnerability exploits increased 180% between 2023 and 2024. But vulnerability management is far from easy, with Crowdstrike’s 2024 State of Application Security Report finding 60% of respondents struggled with prioritizing and triaging vulnerabilities, and Cycognito’s web app testing report finding more than half of respondents face difficulties remediating vulnerabilities discovered in web app security tests.

The pressure to deploy applications quickly and disjointment between development and security teams are major factors in the scourge of vulnerabilities. Checkmarx’s Future of Application Security 2024 found that a whopping 91% of respondents reported knowingly deploying vulnerable apps, with businesses deadlines cited as the most common reason. Palo Alto Networks also reported in its 2024 State of Cloud-Native Security paper that 71% of respondents cited rushed deployment as the root cause of security vulnerabilities.

Conflict between DevOps and SecOps teams is rampant, according to Palo Alto Networks, with 92% of survey respondents saying this conflict slowed down development and deployment and 86% seeing security as a “gating factor” that hindered software releases. These results should be a sign that organizations must work harder to foster a culture that better harmonizes DevOps and SecOps priorities and embraces secure-by-design principles.

“If you don’t deliberately, strategically, 100% commit to building a DevSecOps culture, your business outcomes are at risk,” the paper states.

(Editor's Note: This is part of a series of articles to feature the 15 Top Cybersecurity Trends of 2024 & 2025)

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.