AWS and F5 Address the Expanding Attack Surface of Cloud-Native Apps and APIs

Dave Morrissey

Digital transformation is no longer a buzzword but a reality for most organizations. According to the 2023 State of Application Strategy Report, nine out of ten organizations are actively engaged in a digital transformation program.¹ While initially focusing on customer-facing functions, modernization is progressively reaching inward to the back-office operations, leading to the development and deployment of copious new business and customer-facing applications. The same report previously indicated that a significant number (41%) of organizations manage between 200 and 1,000 applications.²

Recognize the Realities of Cloud-Native App Delivery

This increased complexity brings challenges, particularly regarding resource allocation, skills, and availability. The persistent skills gap continues to expand, with a staggering 98% of IT organizations admitting they lack the insights required to meet current business objectives:³

Such insights would focus on:

• Root cause of app performance degradations (39%)
• Possible attack (38%)
• Root cause of app issues and incidents (37%)
• Historical performance comparisons (35%)
• Business-relevant insights (32%)

The reality is that cloud-native apps are only as secure as the components on which they are built and the infrastructure on which they run.

Understand the Growing Threat to Application Security

The 2022 Verizon Data Breach Investigations Report (DBIR) highlights the increasing security risks associated with applications' growing volume and complexity. The primary assets affected in security breaches are servers, specifically web application servers, which account for 56% of all compromised assets.⁴

With their internet-facing nature, these web application servers present an attractive entry point for attackers to bypass an organization's defenses. In 2022 alone, the Verizon DBIR noted that there were 4,751 incidents, with 1,273 resulting in confirmed data disclosure involving personal data (69%), credentials (67%), other types of data (29%), and medical records (15%).⁵

Expect the Attack Surface to Continue to Expand

An application's attack surface comprises all the unique points—the “attack vectors”—on the system, an element in or on the system, or anywhere along its environmental boundaries. These points provide avenues for unauthorized users to attempt to exploit the system for data insertion, to effect a change or manipulate the data or system, or to extract data from the system. There are multiple ways an application attack surface can be exposed; these are just a few:

Infrastructure misuse: Cloud infrastructure can be misconfigured and vulnerable to data exfiltration, unauthorized container logins, and credential theft.

Software vulnerability exploitation: If the application has any vulnerabilities, like unpatched software, bugs, or misconfigurations, these can expose the application to potential attackers.

Third-party component compromise: Using third-party libraries or services without proper security scrutiny can introduce vulnerabilities in the application.

Application programming interface (API) manipulation: As applications often communicate through APIs, any insecurities in these APIs (such as lacking rate limiting, proper authentication, or encryption) can expose an application to attacks.

As organizations continue to modernize their app portfolio and innovate in the new digital economy, the number of APIs is projected to reach one billion by 2031.⁶ Like the growth of applications overall, this expansion in the API realm further exacerbates the challenges associated with successfully managing application security.

Get the Upper Hand on Application and API Security

When deploying applications via Amazon Web Services (AWS), a range of specialized and native security tools can aid in fending off attacks, safeguarding your data, and ensuring the safety of your customers’ data and transactions. To this end, nearly 90% of organizations employ a platform approach to accelerate security.⁷

However, to be effective, the platform must also support multiple integrated layers of protection to adequately cover the breadth of the attack surface noted above. The comprehensive collection of F5 and AWS capabilities protects against these attacks that target the vulnerabilities inherent in cloud-native applications and their APIs:

AWS Web Application Firewall (WAF) on Amazon CloudFront: Provides a native application protection layer that’s easily added onto your CDN.

F5 Advanced Web Application Firewall (WAF): Protects against the most prevalent attacks on your apps without having to update the apps themselves.

NGINX App Protect WAF: Combines the proven effectiveness of the advanced WAF technology from F5 with NGINX agility and performance to prevent downtime and breaches by securing your apps and APIs.

F5 Distributed Cloud WAAP and F5 Distributed Cloud Bot Defense: F5 Distributed Cloud Services offer a cloud-native SaaS solution that delivers consistent application, API, and bot security and performance at scale across cloud platforms.

F5 Security Threat Intelligence: A world-class team of researchers explores forums and third-party resources, investigates attacks, reverse-engineers malware, and analyzes vulnerabilities to determine effective detection and mitigation methods.

To learn more about protecting cloud-based applications from advanced threats using the natively integrated security layers from F5 and AWS, visit f5.com/aws.

Sources:

^1,7 2023 State of Application Strategy Report, F5, March 2023

^2,3 2022 State of Application Strategy Report, F5, April 2022

^4,5 2022 Data Breach Investigations Report, Verizon, June 2022

⁶ Office of the CTO Report: Continuous API Sprawl, F5, November 2021

About the Author

Dave Morrissey

More blogs by Dave Morrissey