The title of this report is not a typo. “The State of the State of Application Exploits in Security Incidents” is a meta-analysis of several prominent industry reports, each of which covers the state of application security, hence the name, “the state of the state of.” This report is both an attempt to stitch together a more complete view of application security and an attempt to assess our own understanding of application security in the process. More specifically, it examines published industry reports from multiple sources to develop a better understanding of the frequency and role of application exploits in security incidents. Along the way, it demonstrates the challenges of multi-source analysis and offers recommendations on how research producers can make it easier for those who want to piece together the bigger picture.
Data analysis for this report was done by the Cyentia Institute, a team of extraordinarily experienced analysts whose focus is advancing cybersecurity through rigorous scientific research. F5 Labs provided data and additional analysis.
The report breaks down methodologies and conclusions from industry reports that approach the core question of application security from slightly different angles. One key source of data used was Cyentia’s Information Risk Insights Study 20/20 “Extreme Edition” (IRIS Xtreme) which analyzes the 100 largest cyber loss events of the last 5 years, totaling $18 billion in reported losses and 10 billion compromised records.
For more “regular” security events, Cyentia analyzed Verizon’s Data Breach Investigations Report (DBIR), which draws on tens of thousands of security incidents from scores of diverse sources each year. In the 2021 report, 4,862 incidents (17% of all incidents) fell under web application attacks, and 1,384 of those were confirmed data breaches (26% of all breaches). That ranks web application attacks #2 for both incidents and breaches.
Analysis of multiple data sources corroborates what both IRIS Xtreme and the DBIR showed: web application exploits are among the most common techniques observed in security incidents. Data from the F5 Security Incident Response Team (F5 SIRT) from 2018 through 2020 was analyzed as well. F5 customers can escalate issues to this team, so its cases are a good window into threats that can’t be controlled with a simple internal solution.
All these data sources and statistics range widely in terms of scope, methods, quality, etc., making it a real challenge to synthesize findings across them. But there is “so-so” agreement among them that web application security is a really big deal among really big incidents. Among specific attack types, injection attacks and cross-site scripting rank the highest overall.
- 56% of the largest incidents of the last 5 years tie back to some form of web application security issue, constituting 42% of all financial losses recorded for these extreme events.
- 254 days is the average time-to-discovery for incidents involving web application exploits—significantly higher than the 71-day average among other extreme loss events that were studied.
- 57% of all reported financial losses for the largest web application incidents over the last five years were attributed to state-affiliated threat actors. Organizations should update their threat models accordingly.
- Web application attacks were the leading incident pattern among data breaches for 6 of the last 8 years.
- Exploit Public-Facing Application (MITRE ATT&CK technique T1190) is the #1 or #2 technique among all sources that report Initial Access techniques using MITRE ATT&CK.
- 12% of threat groups are known to use the MITRE ATT&CK technique Exploit Public-Facing Application, and 42% leverage Valid Accounts (T1078, often obtained via web apps) to gain initial access to target organizations.