Video

Software Under Siege 2025: Watch key security insights with Jeff Williams

Real data. Real attacks. What’s really happening at the application layer.


Contrast Security’s Software Under Siege 2025 report exposes a sharp rise in attacks targeting the application layer, fueled by AI-assisted adversaries. Unlike traditional industry reports that lack visibility into what’s happening inside applications and APIs, Contrast leverages in-app sensors to capture real attack data—not noise or false positives. The findings reveal how attackers systematically focus on high-impact vulnerabilities, providing organizations with a clearer picture of where to strengthen defenses.

  • Attackers now strike the application layer every 3 minutes
  • 81 real attacks per app per month reach actual vulnerabilities
  • Most impactful exploits: method tampering, deserialization, command injection

Download the full report

About Jeff Williams

Jeff Williams

Jeff brings more than 20 years of security leadership experience as Founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became Chief Executive Officer of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for eight years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from the University of Virginia, an MA from George Mason, and a JD from Georgetown.

Transcript

Jake

Hey there. I'm Jake Milstein with Contrast Security, joined by Jeff Williams, founder of Contrast Security. And Jeff, we are releasing the Software Under Siege 2025 report.

And one of the really important things about this report is we've seen this year the Verizon DBIR and the Google M-Trends (it used to be the Mandiant report). They both came out and they said, hey, the application layer is where the attacker is moving. And they said it in different ways. But what they couldn't do is give all of the in-depth information about why and what's actually happening at the application layer. Why can we do that when they can't?

Jeff

Well, they just really don't have the data. I mean, the bottom line is if you don't have sensors in the application layer, then you're not gonna be able to tell what's going on in the application layer. It's really just that simple.

Jake

And for folks who don't know us, you know, what we do is we have sensors in the application layer, in your applications, in your APIs, and then we, as the company, can see all of that data. So when we create the report, what we're creating is a report of what's actually happening for all of our customers, for what's happening for us, and what we're seeing in the application layer and what the attacks are. And one of the things we have seen is with the advent of AI-assisted attackers, we've seen a big jump in the number and the type of attacks hitting the application layer. And, Jeff, this is getting bigger and bigger.

Jeff

Yeah. I mean, in the report, you can read about the details, but the number of attacks on applications and APIs is pretty staggering. I think it says one every three minutes.

And we actually watch the attacks that our sensors see and what they do and where they go. And 81 attacks per month reach the vulnerability that they were trying to exploit. So a SQL injection attack that reaches a SQL query and tries to exploit that SQL query. So that's a significant amount.

That's per app. So if you're a company with hundreds or thousands of applications, it's an awful lot of attacks going on. And I think most companies are fairly blind to that. They don't see it from their EDR, and their WAF is probably blind to them in a different way.

Like, the WAF often over detects stuff, so it creates all this noise which prevents you from seeing the signal. And so most people just ignore the WAF signals.

Jake

Yeah. And I think another interesting thing, and you touched on it here, is the difference between our report and our data and some of the other reporting out there is the false positives. Right? What we're reporting on here, Jeff, because we have the visibility and because we can see what's actually happening, are real attacks. So when we say there are 81 real attacks on each application on average, we're saying these are real attacks where the attacker is reaching a vulnerability.

Jeff

Yeah. So I'd like to think about it in two big categories. There's all these noisy attacks that are generated by scanning tools and script kiddies and so on, and they're like the ambient noise of the Internet. They're just mosquitoes out there, and you can't. There's not much you can do about them.

You can't attribute them. You can't figure out where they're coming from. Like, they're just noise. But most of them, matter of fact, 99.1 percent of them, don't hit the vulnerability that they're trying to connect with.

So they send path traversal attacks like crazy, millions of them. But only a small percentage of those actually gets to a file open or a file read or file write.

Jake

And that's true not just, you know, for, you know, applications, but also APIs.

And, you know, there's just so much time wasted right now between teams. And one of the things that, you know, we're taking a look at in this report is not just what's real, but what types of attacks are successful and what they're doing to make those attacks successful.

For example, you know, we see a ton of cross site scripting, but that doesn't necessarily mean that that's the number one attack that you should be defending against because a cross site scripting attack, you know, may or may not have a big impact.

What we're seeing is, like, there are actual, you know, impactful attacks, you know, method tampering, untrusted deserialization, OGNL injection. Right? I mean, these are, Jeff, those could have real, real bad consequences.

Jeff

It's been really interesting to see the data from the vulnerability side and then combine it with the data from the attack side. And it is really, I think it really completes the whole picture, because you can see that attackers are very systematic, very practical about the types of attacks they go after. So command injection, we see very few of those vulnerabilities anymore. There's not tons of invoking the operating system.

But we see a massive amount of attacks on command injection because they're simple to identify. And if you hit one, you know it's gold.

Untrusted deserialization is kinda the same way. And the attacks aren't that complicated, although it takes a little bit of expertise to create, like, a malicious serialized object to send over the wire. But we see a massive amount of those. Even though Log4j, which was one of those, it's, you know, what, five years out now, something.

But we still see lots of attacks on those kinds of vulnerabilities as well. But now, sort of putting together the calculus in the attacker's head is interesting. Big payoff, easy to find, easy to exploit. Like, that's the trifecta they're looking for.

Jake

Yeah. And alright. So, everybody, the report is on contrastsecurity.com. We look forward to you downloading it.

If you have questions about it, feel free to email us. We're always here for you. Hit us up on LinkedIn. Thanks, Jeff, for joining me for this.

And everybody, we look forward to seeing you at Black Hat. And if you're watching this after Black Hat, we'll catch you at the next conference. Thanks, everybody. Bye bye.


You can't stop what you can't see

Schedule a demo and see how to eliminate your application-layer blind spots.

Book a demo