Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Enterprises Struggle With Business Logic Attacks, Survey Finds

A new survey underscores how business logic attacks can slip under the radar of development teams and cost enterprises time and money.

A new survey underscores how business logic attacks can slip under the radar of development teams and cost enterprises time and money.

The study, which was commissioned by Silver Tail Systems and performed by the Ponemon Institute, fielded answers from more than 600 IT professionals. According to the survey, 88 percent said business logic abuse is equally or more important than any other security issues facing their company today.

Business logic attacks used the permitted behavior of an application to the advantage of an attacker. In a whitepaper earlier this year, security vendor NT OBJECTives listed some of the more common business logic flaws found today, including: authentication flags and privilege escalations as well as critical parameter manipulation and access to unauthorized information/content.

“Business logic abuse is growing in sophistication and precision, with hackers and criminals using the same features as a ‘good’ user to commit their attacks and cover their tracks,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a statement. “Clearly IT security practitioners are concerned with the amount and frequency of business logic abuse that their company’s face each day, but our research also shows that most do not feel adequately equipped to defend against such attacks.”

Ninety percent of the organizations interviewed reporting revenue losses due to business logic abuse in the past 12 months. Compounding the problem is the fact that 74 percent say it is difficult to distinguish between the “real” customer and a criminal accessing the company website. Two-thirds said their organizations lost between one percent and four percent in revenue, while some 25 percent said their organizations lost more than five percent.

Additionally, almost 70 percent said they do not have the technology to deal with the problem, with 50 percent stating that real-time visibility into website traffic is not being incorporated into their security posture. In addition, nearly two-thirds of respondents said they do not have sufficient in-house personnel to deal with business logic issues. In more than 20 percent no one person has the overall responsibility for protecting against such attacks.

“This research casts a bright light on a problem that the market has been wrestling with but has struggled to successfully address,” said Nick Edwards, vice president of marketing at Silver Tail Systems, in a statement. “Many organizations represented in the study have experienced multiple incidents of business logic abuse and in order to protect their users and their organization they need real time visibility and intelligence to understand the nature of their web traffic.”

Related: Brothers Who Attacked Nordstrom’s eCommerce Site Face Jail Time

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

Application security startup ArmorCode today announced that it has received $8 million in additional seed funding, which brings the total raised by the company...