Application security practitioners are navigating a security landscape that has become increasingly complex in recent years with the adoption of cloud and containers and the growing use of APIs.

In a new survey on application security conducted by Forrester Research, nearly 40 percent of companies say that they have been victims of a security breach as a result of an external attack carried out by a web application exploit [1]:

[Figure: web application security trends 2021]

With all signs pointing to hybrid work as a post-pandemic norm, companies will further increase their adoption of web and SaaS applications to support remote employees. The expanded attack surface afforded by web and SaaS apps is the reason they have become the most common way in for attackers.

In the webinar 2021 Application Security Trends: Tips to Protect Your Apps and APIs, guest speaker Sandy Carielli of Forrester provides perspective on the newest web application exploits along with actionable advice to reduce your risk.

What is the top application security trend in 2021?

The top application security trend in 2021 is preventing external application attacks. Application security has become a priority for companies because:

  • Development teams are releasing more frequently, leading to errors that impact app security
  • Web app exploits are the most common type of external attack
  • Bot attacks have expanded to target applications that affect all functional areas within an organization
  • Improperly secured APIs are a prime target for attackers

The good news is that organizations are paying attention to application security. In a recent survey conducted by Forrester, 28 percent of security decision makers report that their top tactical priority is improving application security capabilities [2].

It’s no coincidence that security is a chief concern for organizations that have accelerated their pace of application development. As they race to invent new ways to engage with their customers through their applications, security flaws are inevitable. And if they lack robust security practices to mitigate developer error, they can’t defend against ever-more sophisticated attackers and attacks.

No shortcuts for app and API security

Because modern software applications comprise code from many sources — including proprietary code and open source libraries — security checks must be embedded into the entire software development lifecycle. Skipping steps at any point, whether that’s failing to implement user authorization at the beginning or failing to scan for vulnerabilities later, exposes your applications and APIs to attacks.

The reality is that you can’t fix every security flaw before release. Instead, you must remain continually vigilant, especially for new zero-day attacks. But by building security into the development pipeline and improving threat intelligence, you can take effective steps toward establishing a comprehensive security posture.

APIs are the new way in

An API-first approach to application development enables more personalized ways to interact with your customers, provides new revenue streams, and increases speed to market. But the use of APIs also expands your attack surface. If your APIs are not properly secured with server-side validation and API authorization, breaches will happen.

Modern application architectures that leverage microservices and APIs are inherently more complex to secure. In addition to exposing application data and functionality to trusted third parties for integrations, APIs are also used for communication among microservices. Every API endpoint offers a way in for attackers if it is not properly secured.

A holistic approach to API security must include multiple layers of protection: a web application firewall (WAF) and bot protection in front of the application to protect north-south traffic into the application, as well as controls on east-west traffic between individual microservices within the application.

According to Forrester, companies are exposing more than 50 percent of their applications to the internet or to third-party services via APIs [3], so the likelihood of your APIs being attacked is a matter of when, not if.

Bad bots on sale now

Bots are no longer accessible only to the technical experts who can build them. Today anyone can buy a malicious bot from online “bot-as-a-service” providers. The variety of available bots is as diverse as the applications they seek to attack.

Bot attacks are different from other types of web application attacks because they take advantage of your business processes and legitimate traffic. Bots can broadly impact an organization across functional areas, from marketing (ad fraud) and e-commerce operations (inventory hoarding) to finance (credit card fraud) and IT ops (DDoS attacks that prevent customer transactions).

To protect your business from malicious bots, invest in a bot management solution that provides always-on protection and that continually adapts to the threat environment.

Tips for improving app and API security

While attackers are becoming more sophisticated with their methods of attack, many are successful at compromising your applications by using tried-and-true methods including cross-site scripting, SQL injection, and DDoS attacks. Safeguarding against these common types of attacks and the OWASP Top 10 vulnerabilities is table stakes in today’s security landscape.

To defend your applications and APIs from more sophisticated multi-vector attacks, you need multiple layers of protection. One of the best defenses is the use of a modern WAF that provides vulnerability scanning for the tens of thousands of new vulnerabilities that are identified every year. And modern WAFs use a single-pass architecture so that you achieve better application performance and lower latency in addition to gaining advanced security features.

Security must be incorporated earlier in the software development life cycle to be comprehensive and effective against more sophisticated threats like zero-day attacks. Application and API security is too critical to implement as an afterthought. The bottom line on app and API security: Everything that goes through a proxy must be secure.

New Webinar: The latest application security trends and tips for protecting your apps and APIs

For actionable advice on implementing layered app and API protection and to learn about the latest trends in application security, join Citrix VP of Product Abhilash Verma and guest speaker Sandy Carielli of Forrester in the webinar 2021 Application Security Trends: Tips to Protect Your Apps and APIs.

Looking for more insights? Read the application security chapter of our Unified Security Guide.
  1. Sandy Carielli et al. The State of Application Security, 2021 (Forrester Research, Inc., March 23, 2021), page 2, figure 1.
  2. Sandy Carielli et al. The State of Application Security, 2021 (Forrester Research, Inc., March 23, 2021), page 4.
  3. Sandy Carielli et al. The State of Application Security, 2021 (Forrester Research, Inc., March 23, 2021), page 4, figure 4.