
November: The top attacks ADR caught on the brink of exploit

By Contrast Marketing

December 11, 2024


Attackers targeted applications and application programming interfaces (APIs) with an average of 50 confirmed attacks per app in the month of November 2024. That’s down from the previous month, but an alarming number of attacks continue to circumvent other defenses, and are only caught by Contrast Application Detection and Response (ADR). Every 30 days, Contrast Security publishes data about the detection and response of real-world application and API attacks with ADR.

Context

First, some context to explain how we use the word “attack.” We are talking only about attacks that are confirmed to reach their intended vulnerability and are about to launch the exploit, not “the noise of the internet” type attacks that would never have turned into a noteworthy breach. Contrast tunes out that noise for clarity, filtering out the false positives.

When we talk about “probes,” we mean active reconnaissance by attackers who are doorknob rattling in a search for weaknesses, misconfigurations and vulnerabilities open to exploit. While a probe may have made it past the web application firewall (WAF), many of the resulting attacks are obvious, get caught by a WAF and don’t result in a serious threat.

Contrast’s attack data is measured directly from real-world running applications and APIs. Our attacks aren’t measured in millions, billions or even trillions, because that’s part of the problem: too much noise. Because Contrast Security instruments the code, we’re not reporting on signatures or theoretical attacks, only on what is actually a dangerous anomaly.


November numbers

The November numbers for probes and attacks are in the charts below. As you can see, there were over 4K probes and more than 50 real attacks per app/API. That means real attacks were only about 1% as frequent as probes.

Analysis

The important message for November is that the average app/API was hit with over 50 attacks that were able to navigate the maze of code and find their way to the exact kind of vulnerability they targeted.

  1. Notice that the distribution of probes is wildly different from the distribution of real attacks. Strong risk management means focusing on the attacks that are the most likely and have the worst consequences. Don’t get distracted by all those probes. For example, despite 3.4 million path traversal probes in November, only 1.27 of those per app/API were actually able to reach the file system.
  2. Focus on the attacks that lead to remote code execution (RCE). Despite pretty low numbers of probes, the average app/API is getting hit with over 12 confirmed unsafe deserialization, expression language (EL) injection, and Java Naming and Directory Interface (JNDI) attacks every month. Remember, these are real attacks that successfully bypassed traditional controls and reached the vulnerability. You may be getting hit and not even know it.
  3. Remember the classics: SQL injection and command injection. These are the second- and third-highest probed attack vectors. The numbers are relatively low, but you shouldn't ignore them. SQL injection resulted in 3.09 real attacks per app/API, which is concerning. Command injection, despite obvious attacker interest, only yielded 0.08 real attacks per month.

What’s next

Since we publish data monthly, we’ll be keeping an eye on trends. Attackers know that there are a lot of vacations in December, so we will be watching attack volume, which typically goes up at this time of year. If the pattern holds, we will see criminals continue to shift toward the types of attacks that bypass WAFs and endpoint detection and response (EDR) tools.

Most organizations that rely on data from perimeter tools are surprised when they see how many dangerous attacks are making it through to their applications and APIs. Contact Contrast Security if you’d like to see what’s really happening in your application layer.
