Application Protection

Application Protection Research Series

We focus on applications because your adversaries focus on applications.

Applications have become the focal point of the Internet, the workhorses behind organizations of all types. Attackers have figured this out, and they target applications more than anything else (besides people). This research series ties together trends and data from a number of perspectives to give an overall picture of the application security threat landscape.

July 22, 2019

INTRO EPISODE
2019 Application Protection Series

Why Application Security?

Find out why we care so much about application security, how applications have grown into the weird beasts that they are today, and how our work fits into the bigger picture of securing and running an application.

June 25, 2019

EPISODE 4
2019 Application Protection Series

2018 Access Attack Trends

The tactic that featured most prominently in U.S. data breaches in 2018 was access attacks, such as phishing or credential stuffing. We identified the patterns, noted how access attacks have changed, and provided some tips on how to prevent them.

May 16, 2019

EPISODE 3
2019 Application Protection Series

Web Injection Attacks Get Meaner

One of the tactics that accounted for a big chunk of U.S. data breaches in 2018 was injection. Even though injection has been around for a long time, new trends in web architecture made it particularly effective in 2018.

April 08, 2019

EPISODE 2
2019 Application Protection Series

2018 Breach Trends

We analyzed more than 700 U.S. data breach reports to understand what kinds of attacks were succeeding. We found two tactics that were responsible for most of the successes, and that there were patterns between organizations’ business models and how they got hacked.

March 25, 2019

EPISODE 1
2019 Application Protection Series

PHP Reconnaissance

As we reviewed untargeted reconnaissance traffic for 2018, one pattern stuck out so much that we had to report on it before anything else. It turned out that 37% of all the honeypot traffic we caught came from just two North American IPs seeking old PHP vulnerabilities.

See the Lifecycle of the 4 Major Attack Types:

Click through the animations below to understand how different attacks unfold.

2018 Application Protection Report

In this report, we demystify the complexities of apps, explore how and where they're attacked, and provide practical steps to take now to start winning the app protection battle.

July 16, 2019

2018 Application Protection Report Podcast Series

In this companion podcast, the researchers who created the F5 Labs Application Protection Report discuss their findings, and share the details and backstories that helped shape the final report.

December 04, 2018

The DNS Attacks We're Still Seeing

What hasn’t changed? F5 threat intelligence shows that attackers are still using DNS water torture DDoS, DNS reflection DDoS, expired domain takeover, and DNS requests for covert channels.

November 06, 2018

What Do You Mean by Storage Encryption?

Writing for Help Net Security, F5 Labs researcher Ray Pompon explains why establishing "storage encryption" isn’t the cure-all that some claim.

October 18, 2018

Will Losses from Cryptocurrency Exchange Hacks Hit a Billion Dollars In 2018?

Cryptocurrency exchanges and their supporting application systems are being attacked at an unprecedented level. As the value of cryptocurrency climbs, so does the incentive to steal.

October 11, 2018

Who Owns Application Security?

Writing for Help Net Security, F5 Labs researcher Ray Pompon discusses the dismayingly low number of firms whose CISO owns application security.

August 03, 2018

Apps Are Like Onions; They Have Layers

As a security professional, it’s critical to understand all the components of modern web apps so you can fend off attacks at multiple tiers.

June 05, 2018

The Little Mistake That Causes a Breach

One small error in security controls can have disastrous consequences. How common are these little mistakes, and how do you prevent them?

May 02, 2018

Breach Costs Are Rising with the Prevalence of Lawsuits

When calculating the total cost of a data breach, lawsuits figure prominently—along with repair costs, loss of reputation and sales, compliance penalties, and operational downtime.

April 26, 2018

How Secure Are Your Third-Party Web Apps?

You can't assume that third-party web apps are secure. Here’s how to assess them yourself, using this multi-step process.

April 10, 2018

Know the Risks to Your Critical Apps and Defend Against Them

Critical apps are the ones that must never go down or be hacked. Unfortunately, they’re also the hardest to defend: they’re often massive, ancient, and touch everything.

Attack types

App Infrastructure Attacks

DDoS Attacks

Client-side Attacks

Web Application Attacks

Reports All Reports