2025 STATE OF APPLICATION SECURITY PDF Free Download
1 / 27
/27
100%
2025
State of Application Security
CYBERATTACK TRENDS FROM 2024, SECURITY STRATEGIES FOR 2025
THE STATE OF APPLICATION SECURITY 03
START YOUR FREE TRIAL NOW
Indusface is a leading application security SaaS company, securing over 5,000 customers across 95 countries with
its award-winning platform. Funded by institutional investors, it has been a category leader in Gartner Peer Insights™
for the past three years.
The industry's only AI-powered, all-in-one AppSec platform helps businesses discover, detect, remediate, and
protect web applications and APIs at internet scale, backed by a 100% uptime guarantee.
ABOUT INDUSFACE
THE STATE OF APPLICATION SECURITY 04
UNDISPUTED CATEGORY LEADER
Technology Data,
Research, & Advisory
451 Research
Q4 Report 2024
The Web Application Firewall
Solutions Landscape
Cloud Web Application and
API Protection (WAAP)
Market Guide 2023
Website Security
Leader - G2 Grid
Application and
API Security (AAS)
Radar –Security & Risk
-
- On average, 5.5 million attacks were blocked per website
-
witnessed 166% higher DDoS attacks compared to websites
-
take advantage of reduced security monitoring, increased online transactions, and delayed patching due to holiday
code freeze.
-
-
◦6 out of 10 sites witnessed a DDoS attack, whereas 9 out of 10 sites witnessed a bot attack
-
patching vulnerabilities, driven by faster release cycles, reliance on third-party dependencies, and resource
constraints.
-
Banking and Financial Services:
•
•
•
• BFS sector sees the second-highest number of attacks blocked via custom rules after the healthcare sector
Insurance:
•
•
•
•
• 55% of attacks in the insurance industry are blocked by the custom rules
•
of protecting critical customer data, including PII, credit card information and others that these applications host
THE STATE OF APPLICATION SECURITY 05
EXECUTIVE SUMMARY
THE STATE OF APPLICATION SECURITY 06
Manufacturing:
•
•
•
• Manufacturing industries mainly were targeted to disrupt their internal functions such as supply chain
• In retail & E-commerce, each website faced over a million attacks
•
•
•
of bots aim to place orders and commit purchase fraud.
Healthcare:
• 100% of healthcare sites witnessed a bot attack
•
SMB:
•
responsibility that falls on the tech or DevOps teams.
Power & Energy:
•
SECURITY STRATEGIES FOR THE COMPANIES IN THE YEAR 2025
•
compliance, reducing risks, and enabling teams to focus on business growth and resilience.
•
season
•
•
•
AI-driven bot mitigation, and behavioral analysis to defend against bot attacks, zero-days, and sophisticated DDoS
threats.
• Automated API discovery and one-click protection will be key to enhancing API security with minimal manual
intervention.
• Managed WAAP services will play a vital role in improving patching accuracy and reducing false positives.
•
fatigue and focus on critical security gaps.
• Automated DAST scanners integrated into CI/CD pipelines will enable faster detection and remediation of API
vulnerabilities.
•
them reduce security challenges and operational burdens.
THE STATE OF APPLICATION SECURITY 07
On average, each site witnessed over 5.5 million attacks in the year.
PROTECTION TRENDS
THE STATE OF APPLICATION SECURITY 08
Total Attacks Count
7.70+ Billion
of reduced security monitoring, increased online transactions, and delayed patching due to the holiday code freeze.
provided by AppTrana.
THE STATE OF APPLICATION SECURITY 09
38%
62%
Attack in Billions
DDoS & BOT ATTACKS
As new DDoS and bot attack trends emerge against web applications and APIs, business continuity becomes very important.
◦
◦
and custom controls. Click here to know more.
We saw the following DDoS and Bot trends in the year:
DDoS Attacks
Here is a view of the last 90-day DDoS attack trend across all sites:
the remaining 60% were neutralized by AI-driven behavioral models on AppTrana WAAP, even in the cases where attackers
used millions of IP addresses to conduct low-rate attacks.
THE STATE OF APPLICATION SECURITY 10
60%
Total DDoS Attacks
2.46+ Billion
5%
18%
19%
RESOURCE DRAIN
FINANCIAL LOSSES
DISRUPTION OF SERVICES
REPUTATIONAL DAMAGE
0% 10% 50% 60% 70%
58%
their challenges in managing DDoS attacks. Here are the responses shared by these security leaders regarding their
attacks.
THE STATE OF APPLICATION SECURITY 11
What’s the biggest problem your business faces due to DDoS attacks
How confident are you in your organization’s ability to mitigate a large-scale DDoS attack?
SOMEWHAT CONFIDENT
NOT CONFIDENT
HIGHLY CONFIDENT
0% 10% 50%
36%
38%
26%
Bot Attacks
A view of the last 90-day bot attack trend across all sites:
THE STATE OF APPLICATION SECURITY 12
90%
Total Bot Attacks
765+ Million
Bot Attacks in Millions
137
203
48% increase
THE STATE OF APPLICATION SECURITY 13
API Attacks
Total API Attacks
1.53+ Billion
How confident are you in your organization's ability to detect and mitigate bot threats?
5% 10% 15% 50%
NOT CONFIDENT 30%
0%
SOMEWHAT CONFIDENT 48%
HIGHLY CONFIDENT 22%
48%
17%
SERVICE DISRUPTIONS
FINANCIAL LOSSES
EROSION OF CUSTOMER TRUST
REPUTATIONAL DAMAGE
10% 50% 60%
22%
0%
What’s the biggest problem your business faces due to bot attacks?
13%
THE STATE OF APPLICATION SECURITY 14
A view of the last 90-day API attack trend across all sites:
-
◦
-
protection against advanced DDoS attacks and have limited defenses against bot attacks, zero-day vulnerabilities,
and other related threats.
-
intervention.
71%
29%
Total no. of critical and high vulnerabilities found in the application: 26K
VULNERABILITY EXPLOITS
THE STATE OF APPLICATION SECURITY 15
Attacks on Website Vulnerabilites in Millions
450
874
94% increase
Attacks on API Vulnerabilites in Millions
1.43
13.9
873% increase
Top 5 critical and high vulnerability categories found in web applications:
Ageing trend of the website/application vulnerabilities
THE STATE OF APPLICATION SECURITY 16
needed to resolve them. This allows the security team to function as an enabler of business rather than a blocker.
industry.
Vulnerability Type
Possible Blind SQL Injection
Server Side Request Forgery
HTML Injection
Cross-Site Scripting (XSS)
SQL Injection
#
1
2
3
4
5
34%
33%
33%
No of vulnerabilities open for < 90 days
THE STATE OF APPLICATION SECURITY 17
This could be because most WAF/WAAP solutions typically do not include an integrated Dynamic Application Security
Testing (DAST) scanner, which is essential for vendors to accurately identify how vulnerabilities are detected before
implementing patches.
Another reason could be that most of these companies do not opt for managed services, where the WAAP vendor writes the
rules and removes false positives.
In contrast, we observe nearly 100% adoption of virtual patching among our customers, primarily due to the false positive
testing conducted by managed services included in AppTrana subscription plans.
challenge for organizations, as illustrated in the following graph:
Do you use virtual patching on WAF/WAAP?
NO
YES
0% 10% 50% 60% 70%
68%
32%
Do you face the problem of vulnerability fatigue?
NO
YES
0% 10% 50% 60% 70% 90% 100%
12%
88%
THE STATE OF APPLICATION SECURITY
18
time-consuming.
vulnerability patching is delayed:
Why does it take time to patch a vulnerability in your organization?
5% 10% 15%
Lack of clarity on ownership 16%
0%
Lack of developer bandwidth 42%
Too many open vulnerabilities 42%
API Vulnerability Type
A5: Security Misconfiguration
A7: Identification and Authentication Failures
A3: Injection
A2: Cryptographic Failures
A1: Broken Access Control
#
1
2
3
4
5
THE STATE OF APPLICATION SECURITY 19
automated Dynamic Application Security Testing (DAST) scanners, which are one of the easiest ways to identify the
vulnerabilities in APIs.
While performing penetration testing is considered a best practice, it is often costly, time-consuming, and typically done
only once a year.
Another useful feature is CI/CD integration, which allows for automatic triggering of scans upon code check-in and enables
the assignment of open vulnerabilities to the development team for timely patching.
We also tried to understand which types of API attacks concern the security leaders the most, and broken authentication
emerged as the top attack vector across organizations.
How do you perform API Vulnerability Testing?
WE DON’T SCAN APIS
MANUAL PENETRATION TESTING
DAST SCANNER
SAST SCANNER
10%
0%
12%
7%
50% 60%
36%
45%
THE STATE OF APPLICATION SECURITY 20
Which Types of API Attacks Concern You The Most?
INJECTION ATTACKS
BROKEN AUTHENTICATION
BOT ATTACKS
DDOS/DOS
10%
0%
24%
17%
50% 60% 70%
19%
40%
remaining 5% were covered by custom rules. As a result, resulting in 100% protection from zero-day vulnerabilities
throughout the year.
Zero Day Vulnerabilities
THE STATE OF APPLICATION SECURITY 21
Month
Parameters
Total
Vulnerabilities
Jan 24 Feb 24 Mar 24 Apr 24 May 24 Jun 24
169
Value % Value % Value %Value % Value %
Protected by
96% 175 96% 160 96% 175 96%
Protected by
9%
Value %
160
10
Month
Parameters
Total
Vulnerabilities
Jul 24 Aug 24 Sep 24 Oct 24 Nov 24 Dec 24
101
Value % Value % Value %Value % Value % Value %
Protected by
96% 100% 100% 97% 96% 101 100%
Protected by
11 0 0% 0 0 11 0 0
Amidst known vulnerabilities, we observed several critical zero-day vulnerabilities, such as:
-
- Apache OfBiz Auth bypass
-
-
•
•
•
•
these sectors means that their applications typically have robust cybersecurity infrastructures in place. This could
and can be utilized for a range of malicious activities, such as vulnerability scanning, account takeovers, credit card
scams, and so on.
• The BFS sector sees the second-highest number of attacks blocked via custom rules after the healthcare sector
•
•
•
•
• 55% of attacks in the insurance industry are blocked by the custom rules
•
protecting critical customer data, including PII, credit card information and others that these applications host
•
for application attacks. This is especially challenging for SMBs, as security is usually a part-time responsibility that falls
on the tech or DevOps teams.
-
SMBs typically have smaller security teams, and an increase in vulnerabilities may lead them to face alert fatigue as well
as spend more time patching them
INDUSTRY SPECIFIC ATTACK TRENDS
THE STATE OF APPLICATION SECURITY 22
THE STATE OF APPLICATION SECURITY 23
monitoring, reduces issues related to alert fatigue, and provides support for virtual patching of open vulnerabilities.
• In retail & E-commerce, each website faced over a million attacks
•
•
•
bots aim to place orders and commit purchase fraud.
•
•
•
• Manufacturing industries mainly were targeted to disrupt their internal functions such as supply chain management,
• Unlike BFSI and healthcare, which typically host sensitive PII and other data, the manufacturing industry has less
and making ways for them to demand a ransom
•
• This increase can be attributed to hackers who are now pursuing ransom opportunities and targeting less regulated
industries that have strong revenue streams.
• 100% of healthcare sites witnessed a bot attack
•
Industry
BFSI
25%
IT Services & IT Consulting
24%
SaaS 14%
Manufacturing
8%
Retail & E-Commerce
10%
Telecommunications
2%
Healthcare
6%
Marketing and Advertising
3%
Others
8%
THE STATE OF APPLICATION SECURITY 24
were analyzed between Jan 1stst
diversity of industries represented in this report.
Company Sizes
1M - 10M
42%
10M - 100M
20%
100M - 1Bn
23%
>$1 Bn
15%
THE STATE OF APPLICATION SECURITY 25
leaders to understand their pain points related to application security concerns and challenges faced due to DDoS, Bot, and
API attacks.
• Cross-Site Scripting –
◦
end-users via trusted websites. Typically, this type of attack is successful due to a web application's lack of user
• HTML Injection -
◦
session cookies that could be used to impersonate the victim, or it can allow the attacker to modify the page
content seen by the victims.
•DDoS Attack –
◦A distributed denial of service (DDoS) is a type of cyberattack where target web applications/ websites are
slowed down or made unavailable to legitimate users by overwhelming the application/ network/ server with
•Bot Attack –
◦A botnet is the collection of malware-infected computers and networked devices (IoT, smart devices, etc.) that
work together under the control of a single malicious actor or an attack group. Such a network is also known as a
zombie army, and each infected device is called a bot/ zombie.
THE STATE OF APPLICATION SECURITY 26
Contact Us - +1 866 458 3058 | +91 265 6133000
Email - sales@indusface.com | Website - www.indusface.com
![[Performance Review] Species Blindness: Is There a Role For a Quoll?](https://s3.us-east-1.amazonaws.com/outstation.idea/pdf-mt/2044687444045656064/pdf/e8ee5948-a1ac-4f1d-9ec3-719a4cead12a/imgs/page1.png)
