©2019 F5 Networks
Adopt an advanced application security approach
June 16, 2019
Karim Zguioui - Systems Engineer
Physical capital: BP, Cadbury, Rio Tinto, Rolls-Royce
Human capital: Deloitte, IBM, Legal & General
Application capital: ASOS, Facebook, Netflix, Rightmove
Applications are: the business; the reason people use the Internet; the gateway to data; the target.
Data is the currency. Your data has value.
Expanding threat surface area
86% of all cyber-threats target applications and application identities [1]*

Application inventory
0% of customers can state with confidence the number of applications in their portfolio [2]

Inadequate visibility
0% of customers have the visibility they need to effectively manage their application portfolio [2]

[1] F5 Labs Application Protection Report 2018
[2] F5 SOAS Report 2019
* The remaining 14% are physical attacks and "other" (including VPN, network, DNS, direct database and ATM attacks)
Application threats at each tier
- Client: man-in-the-browser, session hijacking, malware, cross-site request forgery
- Network: DDoS, eavesdropping, protocol abuse, man-in-the-middle
- DNS: DNS hijacking, DDoS, DNS spoofing, DNS cache poisoning, man-in-the-middle
- TLS: certificate spoofing, protocol abuse, session hijacking, key disclosure, DDoS
- Access: credential theft, credential stuffing, session hijacking, brute force, dictionary attacks, phishing, cross-site scripting
- App services: abuse of functionality, man-in-the-middle, DDoS, malware, API attacks, injection, cross-site scripting, cross-site request forgery
Protection at each tier
- DDoS Protection: ensure your apps are always up and running, protected against multi-vector DDoS attacks
- TLS/SSL visibility & orchestration: go beyond visibility with orchestration of TLS/SSL encrypted traffic
- Intelligent DNS: secure your DNS infrastructure
- Web App and API Protection: protect against application exploits and fraud, deter unwanted bots and other automated threats, and ensure appropriate authentication and authorization for APIs
- Access Management: enable secure anytime, anywhere access to apps wherever they reside
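The Access tier groups credential theft, credential stuffing, brute force and dictionary attacks together, but the two automated forms look different in an authentication log: brute force hammers a few accounts with many guesses, credential stuffing replays leaked username/password pairs once each across many accounts, and a success from a source that was just failing is the account-takeover signal worth acting on. The following is an added example, not code from the slides or from F5; the log format, IP addresses, usernames and thresholds are constructed for illustration and the classification heuristic is the example's own assumption, not a vendor rule.

```python
import re

# Constructed sample auth log, hypothetical format "<timestamp> <client_ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2019-06-16T10:00:01Z 203.0.113.7 alice FAIL
2019-06-16T10:00:01Z 203.0.113.7 bob FAIL
2019-06-16T10:00:02Z 203.0.113.7 carol FAIL
2019-06-16T10:00:02Z 203.0.113.7 dave FAIL
2019-06-16T10:00:03Z 203.0.113.7 erin FAIL
2019-06-16T10:00:03Z 203.0.113.7 frank FAIL
2019-06-16T10:00:04Z 203.0.113.7 grace FAIL
2019-06-16T10:00:04Z 203.0.113.7 heidi FAIL
2019-06-16T10:00:05Z 203.0.113.7 ivan FAIL
2019-06-16T10:00:05Z 203.0.113.7 judy OK
2019-06-16T10:01:00Z 198.51.100.9 admin FAIL
2019-06-16T10:01:01Z 198.51.100.9 admin FAIL
2019-06-16T10:01:02Z 198.51.100.9 admin FAIL
2019-06-16T10:01:03Z 198.51.100.9 admin FAIL
2019-06-16T10:01:04Z 198.51.100.9 admin FAIL
2019-06-16T10:01:05Z 198.51.100.9 admin FAIL
2019-06-16T10:01:06Z 198.51.100.9 root FAIL
2019-06-16T10:01:07Z 198.51.100.9 admin FAIL
2019-06-16T10:02:00Z 192.0.2.5 alice FAIL
2019-06-16T10:02:30Z 192.0.2.5 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, user, outcome) tuples; malformed lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]


def profile_sources(events):
    """Per source IP: failure count, distinct users that failed, and accounts that
    logged in successfully only after that source had already produced failures."""
    profiles = {}
    for _ts, ip, user, outcome in events:
        p = profiles.setdefault(ip, {"failures": 0, "failed_users": set(), "succeeded_after_failures": []})
        if outcome == "FAIL":
            p["failures"] += 1
            p["failed_users"].add(user)
        elif p["failures"]:
            p["succeeded_after_failures"].append(user)
    return profiles


def classify(profile, min_failures=5, spread_threshold=0.7):
    """Heuristic (this example's assumption): brute force concentrates failures on few
    users; credential stuffing spreads them, because each leaked pair is tried about once."""
    if profile["failures"] < min_failures:
        return "normal"
    spread = len(profile["failed_users"]) / profile["failures"]
    return "credential_stuffing" if spread >= spread_threshold else "brute_force"


def triage(text):
    """Verdict per source IP for a whole log."""
    return {ip: classify(p) for ip, p in profile_sources(parse_log(text)).items()}


def accounts_at_risk(text):
    """Accounts that succeeded from a source already classified as hostile: force a reset."""
    return {ip: p["succeeded_after_failures"]
            for ip, p in profile_sources(parse_log(text)).items()
            if classify(p) != "normal" and p["succeeded_after_failures"]}


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    print("accounts to force-reset:", accounts_at_risk(SAMPLE_LOG))
```

Rate limiting per account stops the brute-force source but does nothing against the stuffing source, which touches each account once; the spread ratio is what tells a per-source control (challenge, block, step-up authentication) which of the two it is looking at.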
Web App Attacks are the #1 Source of Data Breaches
2019 Verizon Data Breach Investigations Report:
"Web Application Attacks remains the most prevalent"
"Use of stolen credentials against web applications was the dominant hacking tactic"

Application attacks by targeted component (chart values as extracted; categories overlap, so they do not sum to 100%):
PHP 58% | SQL 56% | Exchweb 6% | Comments 4% | Cart 3% | Betablock 2% | Admin 2% | Affiliates 1% | Login 1%
Injection → PHP & SQL
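The chart attributes most application attacks to injection against PHP and SQL. The defect is the same in every language: untrusted input spliced into the text of a statement can change the statement's structure. The following is an added example, not code from the slides or from F5; Python's sqlite3 stands in for a PHP/MySQL stack, and the table, rows, placeholder hashes and payload are constructed.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (the hashes are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-of-alice-password", "user"),
                      ("admin", "hash-of-admin-password", "admin")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately broken: input is interpolated into the SQL text, so a quote in the
    username ends the literal and the rest of the input is parsed as SQL."""
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Parameterised: the statement is compiled first and the values bound afterwards,
    so quotes and comment sequences in the input can only ever be data."""
    query = "SELECT role FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(query, (username, password_hash)).fetchone()
    return row[0] if row else None


# Classic payload: the quote closes the literal and "--" comments out the password check,
# so the vulnerable query becomes  ... WHERE username = 'admin'--' AND password_hash = '...'
PAYLOAD = "admin'--"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "anything"))  # admin
    print("safe:      ", login_safe(conn, PAYLOAD, "anything"))        # None
```

A WAF in the Web App and API Protection tier can block this payload pattern, but only the parameterised query removes the bug class; treat the WAF as a compensating control while the code is fixed, and log the requests it blocks as the signal that someone is probing.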
1. Understand your environment
   CISO's #1 mission: prevent downtime
   Everyone's #1 challenge: visibility

2. Reduce your attack surface
Components of the web application attack surface:
- Subdomains hosting other versions of the main application site
- Dynamic web page generators
- HTTP headers and cookies
- Admin interfaces
- Apps/files linked to the app
- Web service methods
- Helper apps on the client (Java, Flash)
- Server-side features such as search
- Web pages and directories
- Shells (Perl/PHP)
- Data entry forms
- Administrative and monitoring stubs and tools
- Events of the application (triggered server-side code)
- Backend connections through the server (injection)
- APIs
- Cookies/state tracking mechanisms
- Data/active content pools (the data that populates and drives pages)
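Much of this list can be read off a single HTTP response: technology-disclosing headers, cookie flags, admin links, forms, browser plug-in objects, and the API endpoints named in inline script. The following is an added example, not code from the slides or from F5; it parses one constructed response for a hypothetical host shop.example and sorts what it finds into the slide's categories. The extension lists, the `/api/` path pattern and the category labels are this example's own choices.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample response for a hypothetical host "shop.example"; not captured from any real site.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.10
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: remember_me=1; Path=/; HttpOnly
Content-Type: text/html

<html><body>
<a href="/admin/">Admin console</a>
<a href="https://beta.shop.example/">Try the beta site</a>
<a href="/reports/export.xls">Download report</a>
<form action="/search.php" method="get"><input name="q"></form>
<form action="/login.php" method="post"><input name="user"><input name="pass" type="password"></form>
<applet code="Uploader.class"></applet>
<embed src="/player.swf" type="application/x-shockwave-flash">
<script>fetch('/api/v1/orders?user=1')</script>
</body></html>
"""

DYNAMIC_EXT = (".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl")  # extension lists are this example's assumptions
LINKED_FILE_EXT = (".xls", ".xlsx", ".doc", ".pdf", ".zip", ".bak", ".sql")
API_RE = re.compile(r"(/api/[^'\"?\s]+)")


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.plugins, self.scripts = [], [], [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "method": (a.get("method") or "get").upper(), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])
        elif tag in ("applet", "object") or (tag == "embed" and "flash" in (a.get("type") or "")):
            self.plugins.append(a.get("code") or a.get("src") or a.get("data") or tag)  # client helper apps
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline JavaScript often names the API endpoints the page calls
            self.scripts.append(data)


def inventory(raw, base_host):
    """Map what one HTTP response exposes onto the attack-surface categories listed on the slide."""
    head, _, body = raw.partition("\n\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in
               (line.partition(":") for line in head.splitlines()[1:])]  # [1:] skips the status line
    c = _Collector()
    c.feed(body)
    found = defaultdict(set)
    for name, value in headers:
        if name in ("server", "x-powered-by"):  # technology disclosure
            found["HTTP headers and cookies"].add(f"{name}: {value}")
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            missing = [f for f in ("httponly", "secure") if f not in {p.lower() for p in parts[1:]}]
            found["Cookies/state tracking mechanisms"].add(
                parts[0].split("=")[0] + (f" (missing {', '.join(missing)})" if missing else ""))
    for target in c.links + [f["action"] for f in c.forms]:
        u = urlparse(target)
        path = u.path.lower()
        if u.hostname and u.hostname != base_host and u.hostname.endswith("." + base_host):
            found["Subdomains hosting other versions of the main site"].add(u.hostname)
        if "admin" in path:
            found["Admin interfaces"].add(u.path)
        if path.endswith(LINKED_FILE_EXT):
            found["Apps/files linked to the app"].add(u.path)
        if path.endswith(DYNAMIC_EXT):
            found["Dynamic web page generators"].add(u.path)
    for f in c.forms:
        found["Data entry forms"].add(f"{f['method']} {f['action']} ({', '.join(f['inputs'])})")
        if "search" in f["action"].lower() or {"q", "search", "query"} & set(f["inputs"]):
            found["Server-side features such as search"].add(f["action"])
    for p in c.plugins:
        found["Helper apps on client (Java, Flash)"].add(p)
    for text in c.scripts + c.links:
        for api in API_RE.findall(text):
            found["APIs"].add(api)
    return {cat: sorted(items) for cat, items in found.items()}


if __name__ == "__main__":
    for cat, items in inventory(SAMPLE_RESPONSE, "shop.example").items():
        print(f"{cat}: {', '.join(items)}")
```

Run it over every page of a crawl and diff the output between releases: a new admin path, a session cookie that lost its HttpOnly flag, or a new beta subdomain is exactly the surface growth step 2 asks you to reduce.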
3. Prioritize defenses based on risk
   Focus OpEx & CapEx spend where the security value gained is highest relative to the effort required of the organisation (chart axes: security value vs. effort by organisation).
   "If you focus on results, you will never change. If you focus on change, you will get results."
Audience poll (please select one response): the most important gap when deploying an application is ...
- Bot Protection
- API Protection
- SSL Orchestration
- Zero Trust Access
Security Orientations
Source: State of Application Services Report, F5 Networks, January 2019

Security adoption is increasing:
- WAF protection: 66% in 2019 (56% in 2015)
- DDoS protection: 67% in 2019 (53% in 2015)
- Fraud protection: 69% in 2019 (41% in 2015)
- Security (chart, 2015 to 2019): 32%, 32%, 39%, 43%, 60%
Conference - Adopt an advanced application security approach - #ACSS 2019