The State of Application Security - Q3 2024
Q2 2024 Research Overview
The State of Application Security Q3 2024 annual report is based on a sample size of 1400+ websites and applications that were analysed between July 1, 2024, and September 30, 2024.
During this period, various enterprise, government, and SME websites were analysed. The below figure illustrates the diversity of industries represented in this report.
Apart from the above-mentioned analysis of the sites, Indusface also surveyed 300+ CISOs, CTOs, and other security leaders to understand their pain points related to application security and the challenges they face due to DDoS, bot, and API attacks.
Executive Summary
Here are some of the key findings from the report:
• Over 1.26 billion attacks were blocked from 1st July 2024 to 30th Sept 2024
• On average, 903K attacks were blocked per website
• Cyberattacks grew by 26% in Q3 2024 compared to Q3 2023
• 271+ million API attacks in Q3 2024, where each API witnessed over 3000% higher DDoS attacks as compared to the DDoS attacks per website
• Bot attacks rose by 145% in Q3 2024 compared to Q3 2023:
• 215+ million bot attacks in Q3 2024
• 377+ million DDoS attacks in Q3 2024
• 6 out of 10 sites witnessed a DDoS attack, whereas 9 out of 10 sites witnessed a bot attack
• 19K critical and high vulnerabilities were found - 33% of these vulnerabilities were open for 180+ days
• Attacks on vulnerabilities grew by 124% in Q3 2024 compared to Q3 2023. A big part of this could be because of the widespread use of LLM tools such as ChatGPT enabling novice hackers to easily find and deploy scripts that could exploit open vulnerabilities
• Cyberattacks in India grew by 92% in Q3 2024 compared to Q3 2023
• Small and Medium Businesses (SMBs) globally faced over 354 million attacks across a sample of 500+ websites in Q3 2024
• DDoS is the #1 attack vector for SMBs, where each website/app sees a 175% higher number of DDoS attacks compared to enterprise apps. This could be because DDoS attack monitoring requires either a managed WAAP or a specialised, 24x7 security operations center (SOC), and SMBs can ill afford them
• Power and energy companies faced up to 4X higher number of attacks than the industry average. This could be because less regulated industries are softer targets
• SQL injection is the top vulnerability attack in the Banking, Financial Services, Insurance, Retail, and SMB sectors, reinforcing the importance of protecting the critical customer data these applications host, including PII, credit card information and others
• The banking, financial services and insurance sectors witnessed 2X higher bot attacks compared to the industry average
• 100% of healthcare sites witness a bot attack