Application Protection

Application Protection Research Series

We focus on applications because your adversaries focus on applications.

Applications have become the focal point of the Internet, the workhorses behind organizations of all types. Attackers have figured this out, and they target applications more than anything else (besides people). This research series ties together trends and data from a number of perspectives to give an overall picture of the application security threat landscape.

May 11, 2020

2019 APPLICATION PROTECTION REPORT

The Virtue of Visibility

This is the most in-depth version of the 2019 Application Protection Report. It contains research and data from all of the 2019 episodes, updated with 2019 breach trends that paint a clearer picture of where application threats are heading. Cancel some afternoon meetings and take a deep dive with us!

February 25, 2020

SUMMARY, 2^ND EDITION
2019 Application Protection Series

The Virtue of Visibility

Now updated with data from US breach trends in 2019 in the 2^nd Edition, this is the quick espresso-style rundown on the 2018 threat landscape. This summary boils down the trends in the application threats, as well as our recommendations for managing application risk as it evolves.

October 22, 2019

PODCAST SERIES

2019 Application Protection Report

In this companion podcast, the 2019 F5 Labs Application Protection Report researchers examine how both apps and threats are changing, and what security practitioners can do to stay ahead of these changes.

Previous Episodes

INTRO EPISODE
2019 Application Protection Series

Why Application Security?

Find out why we care so much about application security, how applications have grown into the weird beasts that they are today, and how our work fits into the bigger picture of securing and running an application.

July 22, 2019

EPISODE 1
2019 Application Protection Series

PHP Reconnaissance

As we reviewed untargeted reconnaissance traffic for 2018, one pattern stuck out so much that we had to report on it before anything else. It turned out that 37% of all the honeypot traffic we caught came from just two North American IPs seeking old PHP vulnerabilities.

March 25, 2019

EPISODE 2
2019 Application Protection Series

2018 Breach Trends

We analyzed more than 700 U.S. data breach reports to understand what kinds of attacks were succeeding. We found two tactics that were responsible for most of the successes, and that there were patterns between organizations’ business models and how they got hacked.

April 08, 2019

EPISODE 3
2019 Application Protection Series

Web Injection Attacks Get Meaner

One of the tactics that accounted for a big chunk of U.S. data breaches in 2018 was injection. Even though injection has been around for a long time, new trends in web architecture made it particularly effective in 2018.

May 16, 2019

EPISODE 4
2019 Application Protection Series

2018 Access Attack Trends

The tactic that featured most prominently in U.S. data breaches in 2018 was access attacks, such as phishing or credential stuffing. We identified the patterns, noted how access attacks have changed, and provided some tips on how to prevent them.

June 25, 2019

EPISODE 5
2019 Application Protection Series

API Breaches and the Visibility Problem

API use has grown tremendously as applications grow more decentralized. Some large apps have hundreds of APIs, and mobile apps depend on them completely. API security, however, is lagging, creating easy targets for attackers.

August 13, 2019

See the Lifecycle of the 4 Major Attack Types:

Click through the animations below to understand how different attacks unfold.

2018 Application Protection Report

In this report, we demystify the complexities of apps, explore how and where they're attacked, and provide practical steps to take now to start winning the app protection battle.

July 25, 2018

2018 Application Protection Report Podcast Series

In this companion podcast, the researchers who created the F5 Labs Application Protection Report discuss their findings, and share the details and backstories that helped shape the final report.

July 16, 2019

The DNS Attacks We’re Still Seeing

What hasn’t changed? F5 threat intelligence shows that attackers are still using DNS water torture DDoS, DNS reflection DDoS, expired domain takeover, and DNS requests for covert channels.

December 04, 2018

What Do You Mean by Storage Encryption?

Writing for Help Net Security, F5 Labs researcher Ray Pompon explains why establishing "storage encryption" isn’t the cure-all that some claim.

November 06, 2018

Will Losses from Cryptocurrency Exchange Hacks Hit a Billion Dollars In 2018?

Cryptocurrency exchanges and their supporting application systems are being attacked at an unprecedented level. As the value of cryptocurrency climbs, so does the incentive to steal.

October 18, 2018

Who Owns Application Security?

Writing for Help Net Security, F5 Labs researcher Ray Pompon discusses the dismayingly low number of firms whose CISO owns application security.

October 11, 2018

Apps Are Like Onions; They Have Layers

As a security professional, it’s critical to understand all the components of modern web apps so you can fend off attacks at multiple tiers.

August 03, 2018

The Little Mistake That Causes a Breach

One small error in security controls can have disastrous consequences. How common are these little mistakes, and how do you prevent them?

June 05, 2018

Breach Costs Are Rising with the Prevalence of Lawsuits

When calculating the total cost of a data breach, lawsuits figure prominently—along with repair costs, loss of reputation and sales, compliance penalties, and operational downtime.

May 02, 2018

How Secure Are Your Third-Party Web Apps?

You can't assume that third-party web apps are secure. Here’s how to assess them yourself, using this multi-step process.

April 26, 2018

Know the Risks to Your Critical Apps and Defend Against Them

Critical apps are the ones that must never go down or be hacked. Unfortunately, they’re also the hardest to defend: they’re often massive, ancient, and touch everything.

April 10, 2018