Application security

  • AI BOT: An In-Depth Analysis of the AI Technology-Driven Automation Threat Landscape

    This article is based on the Imperva 2025 Malicious Robots Report, which reveals three core trends:
    The New Normal of Automated Traffic: Automated traffic surpassed human traffic for the first time in 2024, accounting for 51%, of which 37% were malicious bots, and growing for six consecutive years, marking a structural change in Internet interaction patterns and a new stage in enterprise security challenges.
    AI-Enabled Attack Evolution: The proliferation of Artificial Intelligence (AI) and Large Language Models (LLMs) has significantly lowered the attack threshold, fueling the scale and sophistication of malicious automated attacks. AI is not only used to generate bots; it also drives them to analyze, learn, and optimize evasion techniques, spawning advanced bots that are more evasive and leading to an increase in business logic attacks.
    APIs Become New Focus of Attacks: With the popularity of microservices and mobile apps, APIs have become a prime target for malicious bots due to their concentrated value, relatively weak defenses, and ease of automation. 44% of advanced bot traffic was directed to APIs, and the financial services and telecom industries were the most severely attacked, with data scraping, payment fraud, and account takeover being the main attack tactics.
    In addition, the article analyzes in detail the resurgence of account takeover (ATO) attacks, noting their year-over-year growth of 40% in 2024, and explores the drivers of the surge in ATO attacks, the most impacted industries, and the regulatory penalties they may face. Finally, the paper proposes a multi-layered, adaptive defense-in-depth strategy, including going beyond traditional WAFs, strengthening API security, countering ATOs, building a unified security view, and continuous monitoring and threat intelligence, which is designed to help enterprises effectively counter the increasingly intelligent and scaled threat of malicious bots and protect digital assets and business continuity.

    February 10, 2026
  • Global DevSecOps Status Survey Report 2024

    The Global State of DevSecOps Survey Report 2024 reveals key trends and challenges in the DevSecOps space, based on a survey of more than 1,000 global developers, security, and operations personnel. Key data highlights:

    82% of organizations use 6-20 security tools.
    For 60% of respondents, 21%-60% of test results are noise.
    Only 24% of respondents were "extremely confident" in AI code protection.
    86% of organizations believe that security testing slows down development.

    February 13, 2025
  • Global DevSecOps Status Report 2023

    This report provides an overview of the current state of global DevSecOps practices, strategies, and tool usage, and their impact on software security in 2023. It covers the results of a survey of 1,000 IT and AppSec professionals from various professional backgrounds in the US, UK, France, Finland, Germany, China, Singapore and Japan.

    January 8, 2024
  • Revealing Third-Party SDK Vulnerabilities: A Practical Guide to Mobile APP Application Security Attack and Defense

    This article presents the hands-on vulnerability research on third-party SDKs in mobile apps conducted by security researchers Li Bo and Zhang Xin of 360 Vulpecker Team. 360 Vulpecker Team focuses on Android system and application security attack and defense, and has a self-developed automated system for Android application security auditing. The article starts from the security status of third-party SDKs, discusses the security risks introduced by SDK integration, and describes in detail the vulnerability risks and attack methods of different SDKs. It analyzes the exploitation methods for push SDKs and sharing SDKs through examples and points out the scope of impact of the relevant vulnerabilities on applications. Finally, it offers some reflections intended to draw readers' attention to the security of mobile apps and prompt deeper thinking about it.

    December 14, 2023