web application threat trends by industry for 2016

Web Application Threat Trend (WATT) Report Released from 2016 by Penta Security Systems

Trends show that hacking attempts targeting web applications vary greatly by industry, with SQL Injection accounting for the highest percentage in Transportation and Manufacturing-related industries

web application threat trends by industry for 2016

Penta Security Systems Inc. has released its annual Web Application Threat Trend (WATT) Report from detection data gathered and analyzed in 2016. The report was compiled after thorough analysis of detection data from Penta Security’s Web Application Firewall (WAF), WAPPLES. The report analyzes web attack trends with the purpose of identifying the newest trends in web application threats, predicting future web attack patterns, and planning a holistic infosecurity strategy.

Covering attack trends that emerged under various data segmentations including industry type, continent of origin of attacks, and time of day, the report focuses on the analyses of five rules considered most important to the WAPPLES’ detection engine, with key elements from the OWASP (Open Web Application Security Project) Top 10: Cross-Site Scripting (XSS), SQL Injection, File Upload, Directory Traversal and Stealth Commanding. Penta Security’s security analysts found that not only did attack trends vary when data was segmented by continent of origin and time of day, but distinct web attack trends also existed across industries. Therefore contextual analysis is critical to effective optimization of security policies.

Different attack types were prominent for specific industries – for example, XSS showed to be prevalent in the Science & Technology industries as well as Social & Community industries as administration of websites belonging to this field tend to be relatively lax. Therefore, many attacks can be expected to target individual PCs and terminals that access these sites. However, File Upload attacks made up a significantly high proportion of attacks within Financial Services, as attackers tend to attempt to gain server system privileges or distribute malicious files to user PCs and terminals via the websites.

DS Kim, Chief Strategy Officer at Penta Security Systems, said, “It is interesting to see how the current web attack trends are not only changing according to different technological advances, but also that hackers are now strategizing to target different industries.” He continued, “The insights provided in the WATT report give corporations and organizations of all industries the information they need to anticipate attacks. By analyzing the data collected from our patented detection engine, we are able to offer valuable knowledge that can hopefully, reconstruct any organization’s security risk profile.

Other findings include:

  • Major attack type varies by continent. Analyzing trends from aggregate attack data is insufficient in revealing insights needed to inform an effective security strategy. While SQL Injection attacks accounted for the highest proportion of attacks overall, Cross-Site Scripting attacks were the most common in Asia
  • Primary attackers are launching persistent attacks against few targets. Primary attacker IPs worldwide were responsible for 30% of all attacks, utilizing SQL Injection and Cross-Site Scripting in three-quarters of their attacks.
  • The end of the work day is a peak time for attacks. During the window of time just after typical working hours, the intensity of web attacks more than double. Between 6pm and 7pm local time, the average rate of attacks was 9.4%, as compared to the hourly average of 4.2%.

The WATT report is a complete and detailed overview of detection data gathered from corporations and organizations currently using WAPPLES and Cloudbric. All participants consented to the gathering and dissemination of malicious traffic data during this particular study period (January 1, 2016 to December 31, 2016), and no additional customer information was collected.

The full report, as well as reports from previous years, is available for download here.


About us

Penta Security Systems Inc. is a leader in web, IoT, and data security solutions and services. With 20 years of IT security expertise in powering secured connections, Penta Security is the top cyber security vendor in Asia, as recognized by Frost & Sullivan, and APAC market share leader in the WAF industry.  Driving innovations across encryption, authentication, and signature-free firewall detection technology, Penta Security’s whole-system approach to security enables resilience in an era of hyper web integration and connectivity. For more information on Penta Security, visit For partnership inquiries, email

cloudbric website protection

Your Guide to the 3 Layers of Website Protection

Of course, it’s difficult to talk about completeness when it comes to information security. Even the professionals need serious resources for comprehensive protection, from architecture to operation, and even then, perfection still isn’t guaranteed. There are no standard web security measures, so every individual builds security depending on their own unique situation. Web security solutions need to fit each company’s IT system. This begins with understanding how a company’s IT system is structured.


Cloudbric free website protection

What’s the shortcut to website security?

The Three Layers of an IT System: Network, System, Application

Generally, an IT system consists of networks, systems, and applications. Each of these three layers need their own unique level of protection. The networks layer at the bottom of this stack deals with data transfer, while the systems layer (what we know as operating systems such as Windows or Linux) works as a platform that enables the applications layer to operate. The applications layer itself offer protocols and services with many features. Many kinds of server systems are just like this structure, so securing the server means all these three layers are safe.

IT system layer structure

IT system layer structure

Don’t Overlook Web Application Security

Despite the importance of web application security, most companies spend 10 percent on web application security compared to network security. The reason is simple: companies don’t know what to do about web application security. The application layer is technically more complicated and the kinds of applications also vary.

Most security professionals find it difficult to set up a security policy and apply security measures. What we think of as the ‘web’ actually consists of applications. Websites and mobile apps are all applications, and attacks on these also take advantage of the vulnerabilities of applications.

Web attacks such as SQL injection or XSS also target the vulnerabilities of website applications. Malicious code called a ‘web shell’ also consists of a type of web application. The Open Web Application Security Project (OWASP), famous in the web security industry, named 10 web vulnerabilities, all of which are web application attacks.

More than 90% of web attacks target web applications. A web application firewall (WAF) is what protects your website from unwanted visitors. Its role is like a fence. It monitors traffic, detects web attacks and protects your website. What’s important is that it prevents vulnerabilities from being exposed. From the outside shell, it limits access from malicious traffic. Also, it hinders malicious code from being uploaded to your web server.


cloudbric website protection

A Web Application Firewall blocks all sorts of web attacks

If you look into web application firewall solutions, there is a comprehensive yet free solution called Cloudbric. Cloudbric is the most advanced web application firewall, with algorithms that progressively learn from past experience. Go to the top of this page and click to get started with Cloudbric protection for your website!

Cloud based WAF

Using a Cloud-Based WAF as a Service for Better Web Security

Before the advent of the cloud-based WAF, Web Application Firewalls (WAF) usually came in the form of hardware. These WAF appliances were great for big businesses and enterprises. They provided flexibility, fast accessibility to the device and  did not depend on external connections for functionality. However, they also had a few disadvantages.

Hardware WAFs were very difficult to install and deploy since they are heavy and take up a lot of space. They can be hard to maintain, and lastly they’re on the costly side. Only large enterprises can actually afford hardware WAFs. Meanwhile, small and medium companies were left to fend for themselves.

The Birth of the Cloud-Based WAF

Thankfully, this has changed rapidly over time. Since the birth of the cloud, many innovative WAF vendors have turned these same enterprise level security features into a cloud-based WAF as a service specifically aimed at SMBs. The shift from hardware to cloud based WAF as a service have proven to be beneficial for three reasons.

1. Fully Managed Security

WAF as a service doesn’t require any hardware to operate. All one needs to do is configure their DNS information to start securing a website. This provides great accessibility for small and medium sized businesses. It also reduces any resources needed to setup and customize a traditional enterprise solution.

2. No Technical Knowledge Needed

A cloud-based WAF as a service also handles and manages all of your HTTP and HTTPS traffic. WAF vendors have detection technologies in place that can automatically detect and filter malicious attacks. This means you can focus on what’s most important for your business—gaining customers. The need for specialized security staff or technical experts is unnecessary when using a WAF as a service.

3. Easy to Understand Analytics

We make providing web security to SMBs our top priority. That being said, many WAF as a service vendors want to cater to the SMB market by providing easy to understand web traffic analytics. There is absolutely zero need to have a specialist scrub your web traffic data to look for any inconsistencies and how many attacks were actually blocked. These days, almost all security vendors provide great metrics and analytics that can help any business owner see the impact of their WAF.

most cloud-based waf solutions will give analytics

Cloud-based WAF as a service solution has made it possible for more people to secure their websites with zero hassle and at a much lower cost. Implement a WAF today so you can focus on growing your business while we take care of the rest.

pokemon go and pikachu dolls

Authorization, Authentication, and Pokemon-Go

When I opened up my news feed last week, 80% of the updates and news headlines were about the phenomenon that is Pokémon-Go.

For those of you that have no idea what this is, Pokemon-Go is a game that was started by a Google internal startup called Niantic. Within the game you can use AR (augmented reality) to catch, battle, and train Pokémon (fictional animals, or “pocket monsters”) throughout the real world.

The game has millions of users on both Android and iOS devices, and the numbers will continue to increase. This isn’t surprising as much of the millennial population grew up watching the cartoon, playing the video game, and collecting the merchandise like there was no tomorrow.

Despite the excitement of it all, unfortunately, some issues have come up as there have been muggings by criminals at popular game meetup locations and trespassing at memorial sites like the Holocaust museum. Furthermore, the story has taken a new turn as it has now stepped into the realm of cyber security.

The Authorization Problem

The (potentially catastrophic) problem of this game is regarding Authorization and Authentication. These two concepts are often mixed up, but let’s explore them a bit within the context of the game itself.

Authentication verifies who you are – that you’re not a robot trying to access the game. In order to do this, the game application requires you to authorize Niantic to access your information. Authorization happens just once, but that one-time authorization determines how much information you’re granting the application.

So the problem for this game ultimately lies in the authorization. You can authenticate your account via two ways within the application: through a account or through your Google account. Then normally, Google would show the level of permissions the application requires. However, before July 12, when authenticating through your Google account, when you clicked the button it automatically switched to the log-in screen meaning full permissions was handed over automatically – that means that all of your information related to the Google account were handed over to Niantic.

“Well, I’m just going to play the game. So it should be ok.”

But this kind of mindset is why it’s so dangerous to buy into the trend. The reality is, because this is your Google account, your account may contain payment information, your address, and your passwords. Millions have signed off their information to the application, and thus the database is now becoming a prime target for hackers.

Did Niantic mean for this to happen? Probably not – it was an oversight, and the error was corrected on July 12. Now, the application requires limited permissions, so that it will only maintain your basic information. If download the application now, you get this:


But the game isn’t over, because when there is data of any kind (even if it’s limited), there is value. The game is at 10 million accounts now, and experts say that when they hit 20-25 million records there is no doubt that there will be a data breach.

So, Pokemon Go or No?

Realistically, people will continue to play the game, and it’s likely to make its way into other parts of the world. What can you as the player/user do to protect your information?

First, be aware of the authorization you’re granting applications when following this kind of phenomenon. When an application first comes onto the scene, there’s a lot that can go wrong. It may have vulnerabilities that have yet to be discovered, and malware-infected versions that have been released.

Second, ask for transparency as the user. Any company, especially one that requires so much of your information, should openly state what security measures it is taking. As stated before, Niantic probably didn’t mean for this to happen. However, as AR and VR (virtual reality) are becoming increasingly prevalent within technology, more and more companies may inadvertently or intentionally seek higher levels of permissions in order to access your information. However, when society as a whole demands transparency, this can be mitigated to a significant degree.

Lastly and perhaps most importantly, stay safe in real life. Augmented reality, virtual reality – none of it matters if you’re not aware in physical reality of what’s going on.

Visit for more information on other web and data security products, news, and blog posts.