SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Imperva warns of escalating business logic attacks in APAC enterprises
Tue, 24th Oct 2023

Imperva, a cybersecurity expert that protects critical applications, application programming interfaces (APIs) and data, has issued a warning about the escalating threat from attacks targeting the business logic of applications in APAC enterprises.

Business logic forms the backbone of any application, determining how it operates and interacts with users and other systems. Imperva has noted a rise in Business Logic Attacks (BLA) where cybercriminals take advantage of an application's intended functionality rather than exploiting technical vulnerabilities.

Last year, 17% of attacks on APIs, critical components of digital modernisation, were from bad bots or automated traffic exploiting business logic vulnerabilities.

Traditional web application firewalls (WAFs) have mainly proven ineffective against these attacks, as they tend to apply generic security rules based on common signatures. Business logic vulnerabilities differ between individual applications and APIs, making them hard to detect. Furthermore, minor tweaks in software releases could unintentionally introduce vulnerabilities that did not previously exist, adding to the complexity of the issue.

In an era where firms in the Asia-Pacific region are accelerating their journey towards digital automation and connectivity, vulnerabilities in business logic pose an insidious danger that cannot be overlooked.

Business logic is exploited in three typical ways: function misuse, security controls bypass, and cross-user data leakage. This type of security breach can result in severe financial loss, reputational damage, erosion of customer trust, and, in some cases, irreversible harm.

Reinhart Hansen, Director of Technology, Office of the CTO at Imperva, says: "Today, most attacker reconnaissance is automated. They rapidly cover extensive ground and scan application environments for their target markers. Most attacks are automated, and many of them target the business logic exposed by an API endpoint. APIs and API-driven applications are crucial business enablers for all online enterprises."

Hansen stresses that traditional signature-based defences cannot tackle these highly targeted attacks. To protect businesses more effectively, a significant shift in both mindset and security strategy is needed.

Organisations should implement a multi-layered approach focusing on scanning for vulnerabilities, monitoring behaviours, and defending websites, applications and APIs against BLA activities. Incorporating bot management and API security into existing WAF deployments can assist in identifying automated attack behaviour, even when it doesn't align with known attack signatures.

Moreover, organisations can combat BLAs by understanding their business logic, applying access controls in line with user roles, monitoring for anomalies and implementing strong access controls and authentication. Understanding workflows and employing anomaly detection and behaviour-based analysis can help them identify potential business logic weaknesses and vulnerabilities. Security measures like runtime application self-protection (RASP) and interactive application security testing (IAST) can further assist in this endeavour.

Imperva is a cybersecurity firm that assists organisations in protecting critical applications, APIs and data. Imperva shields businesses throughout their digital journey using an integrated approach that combines edge, application security and data security. With the aid of Imperva Threat Research and a global intelligence community, the company stays ahead of the threat landscape, seamlessly integrating the latest security, privacy and compliance expertise into its solutions.