Imperva, Inc. warns that organisations must address attacks targeting an application’s business logic, after a 2021 study revealed that 17% of attacks on application programming interfaces (APIs) came from automated traffic exploiting business-logic vulnerabilities.
Business logic attacks (BLA)
Business logic dictates how an application operates and interacts with users and other systems. Through business logic attacks (BLAs), cybercriminals exploit an application’s intended functionality and processes instead of its technical vulnerabilities. Common types of BLA include function misuse, security-control bypass, and cross-user data leakage.
Tackling BLAs
“Traditional signature-based defences aren't enough to stop these targeted attacks. What's required is a fundamental shift in both mindset and security strategy to protect businesses more effectively. Organisations need a multi-layered approach that scans for vulnerabilities, monitors behaviours, and protects websites, applications, and APIs from BLA activities. Adding bot management and API security to existing WAF deployments is imperative for effectively identifying automated attack activity, even when it does not conform to known attack signatures,” says Reinhart Hansen, director of technology, Office of the CTO of Imperva.
Imperva recommends that organisations understand their applications’ workflows, processes and expected user behaviour in order to identify potential weaknesses and vulnerabilities; apply access restrictions tailored to user roles; implement anomaly detection; employ behaviour-based analysis techniques; and implement strong access controls and authentication mechanisms.
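As an added illustration, not Imperva's code, the following Python guard applies those recommendations against the three BLA types named above: a workflow check against function misuse, a role table against security-control bypass, an object-ownership check against cross-user data leakage, and a simple per-user rate window as a behavioural anomaly signal. The order workflow, role table and rate threshold are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical order workflow: each step may only follow the listed predecessor.
WORKFLOW = {"create": None, "pay": "create", "ship": "pay"}
# Role-based access: which roles may call which step (constructed).
ROLE_ALLOW = {"customer": {"create", "pay"}, "warehouse": {"ship"}}
RATE_LIMIT = 5      # max calls per user inside the window (constructed value)
WINDOW_SECONDS = 60


@dataclass
class Request:
    user: str
    role: str
    action: str
    order_id: str


class BusinessLogicGuard:
    def __init__(self):
        self.order_owner = {}   # order_id -> user who created it
        self.order_state = {}   # order_id -> last completed workflow step
        self.history = defaultdict(lambda: deque(maxlen=RATE_LIMIT))

    def check(self, req: Request, now: float) -> str:
        # 1. Security-control bypass: the caller's role must permit this step.
        if req.action not in ROLE_ALLOW.get(req.role, set()):
            return "deny:role"
        # 2. Cross-user data leakage: customers may only touch their own orders.
        owner = self.order_owner.get(req.order_id)
        if owner is not None and owner != req.user and req.role == "customer":
            return "deny:ownership"
        # 3. Function misuse: the step must follow the workflow's previous step.
        if self.order_state.get(req.order_id) != WORKFLOW[req.action]:
            return "deny:workflow"
        # 4. Behavioural anomaly: too many calls from one user in the window.
        recent = self.history[req.user]
        if len(recent) == RATE_LIMIT and now - recent[0] < WINDOW_SECONDS:
            return "flag:rate"
        recent.append(now)
        if req.action == "create":
            self.order_owner[req.order_id] = req.user
        self.order_state[req.order_id] = req.action
        return "allow"
```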