Five web application security predictions for 2022
Last year I made five web security predictions for 2021. I predicted stronger cybercrime communities and more collaboration between them, which we have seen, and I expect that to continue in the year to come. As I predicted, the increased adoption of GraphQL (a query language for APIs designed by Facebook) has led to more risk. I correctly predicted the increase in bot attacks on fad sales (a targeted marketing tool used to increase the incentive to purchase coveted items), and the past year has indeed seen growing sophistication and an overall increase in attacks and tools designed to target these coveted items.
I also anticipated that DevSecOps would become mainstream. Although it is not yet common, trends suggest it is surely progressing in that direction. Finally, I hypothesized that “Buy Online, Pick Up In-Store” (BOPIS) would become one of the fastest growing types of fraudulent activity. Although it was a vehicle for fraud, it wasn’t at the level I thought it might be, since many e-commerce merchants adopted more secure authentication and verification methods to deal with this risk. Now let’s look at my predictions for the coming year.
1. The priority of preventing supply chain attacks will increase
SolarWinds, a software company whose products are primarily systems management tools used by IT professionals, was hacked in December 2020 in one of the most significant and damaging supply chain attacks in recent history. The attack affected up to 18,000 organizations, including Microsoft and the US government. Nobelium, the hacker group behind the SolarWinds attack, isn’t planning to take a break from hacking anytime soon. In late 2021, CNBC reported that Nobelium had “attempted to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain.”
The SolarWinds attack reminded us that strengthening software supply chains is critical to ensuring data protection and that no one, not even the government, is guaranteed to be safe. According to a recent survey, 92% of website decision makers lack complete visibility into their software supply chains. Obtaining this visibility will be a top priority for companies looking to protect their users’ data, avoid a major data breach, and avoid massive regulatory fines in 2022 and beyond.
2. Over 50% of the top 100 marketplaces will be hit by custom malware
In June 2021, researchers discovered a 1.2 terabyte database of stolen data. The information had been collected from 3.2 million Windows computers by custom malware, code designed to cause disruption, which spread via compromised versions of Adobe Photoshop, pirated games and Windows hacking tools. The database included 6.6 million files, 26 million credentials and 2 billion web login cookies, 400 million of which were still valid when the database was discovered.
Custom malware is inexpensive and readily available on the dark web. Attack tools are becoming more commoditized and expert services are more widely offered by different hacker communities, making custom malware much more accessible and easier to create. Over the past year, I have detected several instances of custom malware targeting my own customers. Due to its low barrier to entry and high potential for results, custom malware will become a more popular attack vector in 2022.
3. Digital enterprises will pay more attention to managing the post-login wasteland
Traditional security solutions designed to prevent account takeover (ATO) attacks typically focus on one core activity: logging in. They ask for credentials, serve CAPTCHAs, and where possible leverage multi-factor authentication (MFA) to verify that the correct credentials are being used. Unfortunately, account fraud is not that easy to prevent. Once an account has been successfully accessed, downstream checks often do not exist. I call this the “post-login wasteland”. In 2022, I expect online businesses to adopt solutions that solve this problem. This means that understanding whether a user is who they say they are, and whether their post-login activity is legitimate, will be critical to maintaining account integrity. The key to solving this problem is to analyze user sessions and behaviors more thoroughly and to build more accurate profiles that show whether users are who they claim to be. Such a solution can recognize abnormal behavior patterns, such as accessing account data immediately after logging in from a new device, to identify possible harvesting of personally identifiable information (PII).
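As an added illustration of the session analysis described above (this is example code written for this page, not code from the original article or from PerimeterX), the rule below flags a session when a login from a new device is followed within a short window by requests to PII endpoints. The event layout, the action names and the 60-second threshold are constructed assumptions.

```python
"""Flag post-login sessions that look like PII harvesting (constructed example)."""

# Constructed sample events: (session_id, seconds_since_login, action, new_device).
# A real deployment would derive these from web/API access logs and device fingerprints.
SAMPLE_EVENTS = [
    ("s1", 0, "login", True),               # new device, then straight to PII
    ("s1", 4, "view_profile", True),
    ("s1", 9, "export_addresses", True),
    ("s2", 0, "login", False),              # known device, normal browsing first
    ("s2", 120, "browse_catalog", False),
    ("s2", 300, "view_profile", False),
    ("s3", 0, "login", True),               # new device, but no PII access
    ("s3", 600, "browse_catalog", True),
]

# Assumed set of endpoints that expose personally identifiable information.
PII_ACTIONS = {"view_profile", "export_addresses", "view_payment_methods"}
# Assumed meaning of "directly after login".
PII_WINDOW_SECONDS = 60


def score_session(events):
    """Return the reasons one session looks abnormal (empty list = nothing flagged).

    events: list of (seconds_since_login, action, new_device) for a single session.
    """
    reasons = []
    new_device = any(new_dev for _, _, new_dev in events)
    early_pii = sorted(a for t, a, _ in events if a in PII_ACTIONS and t <= PII_WINDOW_SECONDS)
    if new_device and early_pii:
        reasons.append(f"new device accessed PII within {PII_WINDOW_SECONDS}s: {early_pii}")
    if len(early_pii) >= 2:
        reasons.append("multiple PII endpoints hit immediately after login")
    return reasons


def flag_sessions(events):
    """Group raw events by session and return {session_id: reasons} for flagged sessions."""
    by_session = {}
    for sid, t, action, new_dev in events:
        by_session.setdefault(sid, []).append((t, action, new_dev))
    flagged = {}
    for sid, evs in by_session.items():
        reasons = score_session(evs)
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_EVENTS).items():
        print(sid, "->", "; ".join(reasons))
```

On the sample data only session s1 is flagged; a known device reading its profile minutes after login (s2) and a new device that never touches PII (s3) are left alone, which is the distinction a post-login control needs to make.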
4. Fraud will have a significant impact on the earnings per share (EPS) of a public company
Recent research has shown that bots can negatively impact 75% to 80% of online retailers’ operational costs, which translates to between 18% and 23% of net income. When fraud begins to impact earnings per share, it will act as a wake-up call for companies to become more proactive in implementing protective software solutions. This goes beyond payment fraud; fraud can be used to transfer funds, empty gift cards and open new credit applications. In 2022, businesses will recognize fraud at every entry point in the digital journey and adopt solutions that can mitigate this risk.
5. At least one major retailer will abandon user/password verification and switch to passwordless or device-based authentication
The 2021 Verizon Data Breach Investigations Report (DBIR) found that 61% of data breaches this year involved credential data. In addition, fraudsters no longer have to go to great lengths to obtain credentials. There are several easy ways to get usernames, passwords, and other personal information. Hackers can buy billions of credentials for just $2 and test them in automated credential stuffing attacks. This means that preventing not only the theft of credentials, but also their validation and fraudulent use, is now a priority.
Many companies have already enabled identity management solutions, single sign-on, and passwordless verification to make credentials obsolete. After all, bad actors can’t steal your password if you don’t have one. I predict that in 2022, a few consumer-based companies will begin to follow suit and completely eliminate the need for credentials by adopting stronger solutions that don’t rely solely on credentials.
In anticipation of 2022
In summary, 2022 will be the year security and business leaders recognize just how varied fraud is. Digital businesses will move beyond a granular focus on one type of attack over another and instead ensure that the integrity of their customers’ accounts and identities is protected at every stage of their online journey. This means adopting platforms that continuously learn and evolve in real time to detect and stop misuse of identity and account information on the web. Enabling Full Account Protection will be the only way to fight fraud on all fronts.
Written by Ido Safruti, Co-Founder and CTO, PerimeterX