The Case for Business Logic in Software Development

Finding a security solution for your company can be a daunting journey through security tool categories filled with buzzwords and acronyms like SAST, DAST, and pentesting. Making matters interesting is the new kid on the block: BLST. Let’s demystify the terminology.


Static Application Security Testing (SAST):

Most attacks that exploit software vulnerabilities target the application layer. A SAST scan does not need a deployed application: the tool analyzes source code, byte code, or binaries without executing the program. Because it only looks at static code, SAST cannot detect vulnerabilities that exist only at run time, such as those introduced by deployment configuration.

SAST solutions integrate directly into the development phase, so developers can scan code on a regular basis: in the editor, on every commit through automated scanning of the code repository, and as a gate in the continuous integration (CI) pipeline. As a result, security vulnerabilities in the application are identified and fixed quickly, while the code is still fresh in the developer's mind.

Anything that needs a running application is a different matter. Although the application can be run on the developer's machine, it is typically deployed to a test server first, which delays the identification of run-time vulnerabilities until later stages of development.
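To make the "static code only" point concrete, here is a minimal SAST rule written for this article (it is an added example, not code from the page or from any SAST product). It parses Python source with the standard `ast` module and flags every `<object>.execute(...)` call whose first argument is a string assembled at run time, the classic SQL injection pattern. The sample source it scans is constructed for the example; the code is parsed, never executed, which is exactly why the rule also flags a harmless constant-only concatenation that a developer then has to triage.

```python
import ast
from typing import List, Tuple

# Constructed sample of source under review (not code from the article); it is
# parsed, never executed. Line numbers count from the line after the opening '''.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(conn, username):
    cur = conn.cursor()
    # SQL built from user input: the rule should flag this line
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    return cur.fetchone()

def find_user_safe(conn, username):
    cur = conn.cursor()
    # parameterised query: the rule should stay quiet here
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def count_users(conn):
    cur = conn.cursor()
    # also flagged, although both halves are constants: a false positive to triage
    cur.execute("SELECT COUNT(*) " + "FROM users")
    return cur.fetchone()[0]
'''


def _is_dynamic_string(node: ast.expr) -> bool:
    """True if the expression assembles a string at run time from parts."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True                                          # "..." % x, "..." + x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


def find_sql_concat(source: str) -> List[Tuple[int, str]]:
    """Static rule: report every <obj>.execute(<dynamically built string>) call.

    Returns (line number, text of the called function) per finding, sorted by
    line. Only the syntax tree is inspected, so the rule works on code that has
    never run; the flip side is that it cannot tell a constant-only
    concatenation from a dangerous one.
    """
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "execute":
            if _is_dynamic_string(node.args[0]):
                findings.append((node.lineno, ast.unparse(func)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, call in find_sql_concat(SAMPLE_SOURCE):
        print(f"line {lineno}: {call}() called with a string built at run time")
```

Run as a script, it reports lines 7 and 19 of the sample and stays silent on the parameterised query on line 13. The line-19 hit is the point of the exercise: the rule has no way to know that both operands are constants without evaluating the expression, so the developer has to confirm whether a suspected flaw is actually a risk. Real SAST engines add data-flow tracking to cut such noise, but the fundamental limit is the same: nothing that only appears when the program runs is visible here.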

Dynamic Application Security Testing (DAST):

A DAST tool detects security vulnerabilities in the application in its run-time environment, i.e., once the application has been deployed. Because it interacts with the running system rather than its source, it can identify vulnerabilities in the deployed configuration and in third-party interfaces as well as in the application's own code paths.

As DAST requires a running application, it is applied at a later stage of development than SAST. On the other hand, DAST identifies vulnerabilities that static code scanning cannot, because they only exist once the application is running.
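The following added example (written for this article, not taken from the page or from any DAST product) shows the black-box view a DAST scanner has. The "deployed application" is a constructed, minimal WSGI app whose error handling depends on an `APP_DEBUG` setting read from the environment at start-up; a static scan sees only that the flag comes from `os.environ` and cannot know which value the test server was started with. The probe drives the app in-process instead of over HTTP (an assumption made to keep the example self-contained), sends malformed input, and judges the application by its response alone.

```python
import os
import traceback
from io import BytesIO
from typing import Dict, List, Tuple

# --- The "deployed application": a constructed WSGI app whose error handling depends
# on a setting read from the environment at start-up. Static analysis sees only that
# the value comes from os.environ; which value is live is a deployment decision.
def make_app(debug: bool = os.environ.get("APP_DEBUG") == "1"):
    def app(environ, start_response):
        try:
            page = int(environ.get("QUERY_STRING", "page=1").split("=", 1)[1])
            start_response("200 OK", [("Content-Type", "text/html")])
            return [f"<h1>Page {page}</h1>".encode()]
        except Exception:
            # Run-time configuration flaw: with debug on, the full traceback goes to the client.
            detail = traceback.format_exc() if debug else "internal error"
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [detail.encode()]
    return app


# --- The black-box side: the probe knows nothing about the code, only the responses.
def call(app, path: str, query: str) -> Tuple[str, Dict[str, str], str]:
    """Drive the WSGI app in-process; a stand-in for a real HTTP client."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "SERVER_NAME": "localhost", "SERVER_PORT": "80", "wsgi.input": BytesIO(b"")}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


def dast_probe(app) -> List[str]:
    """Send malformed input and judge the application by its response alone."""
    findings: List[str] = []
    status, headers, body = call(app, "/", "page=not-a-number")
    if status.startswith("500") and "Traceback" in body:
        findings.append("verbose error page leaks a stack trace on malformed input")
    if "X-Content-Type-Options" not in headers:
        findings.append("response lacks X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    print("debug deployment:     ", dast_probe(make_app(debug=True)))
    print("production deployment:", dast_probe(make_app(debug=False)))
```

The same code base yields two different results depending only on how it was started, which is the kind of finding the article means by "run-time or configuration issues". Note what the probe cannot do: it reports that a traceback leaked, not which line raised the exception or where the debug flag is set, so the developer still has to locate the code themselves.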

Penetration Testing:

The major limitation of pentesters is that they are people, just like you and me. Their effectiveness is constrained by their need to take breaks, eat, and sleep, and human error is always a factor. Overcoming those weaknesses means employing several pentesters. While pentesters are capable of doing everything that DAST and BLST do, and in some instances even the same tasks as SAST, they are always constrained by time and can cover only a small percentage of the work the automated tools get through in the same period.

Business Logic Security Testing (BLST):

Business logic is the layer of the application that implements its rules and workflows. Business logic attacks are unique in that they exploit a function or feature specific to each application, so no generic signature catches them. An example would be a shopping cart that grants a volume discount but doesn't remove the discount when the number of items is reduced: add enough items to qualify, receive the discount, remove most of them, and pay the discounted price for what is left. In reality the flows are much more complicated, but vulnerabilities due to missing sanity (i.e., logic) checks are possible and, in fact, relatively common.

In the past few years the world has witnessed rapid growth in applications built around business logic, including many APIs. This growth has been accompanied by a rise in insecure API implementations that can expose companies to attackers, denial-of-service (DDoS) attacks, and data loss. The security of your APIs is a critical part of your company's success.

BLST exercises the flows of a running API and identifies business logic attack patterns in real time. It is a generic tool that functions as an automated penetration tester, which means it never gets tired, does not need to pick the kids up from school, and basically is not human. It can be integrated into the development process from the first moment there is a built version of the API.
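The shopping-cart flaw described above and the "automated penetration tester" idea are both shown in the following added example, which was written for this article and is not code from the page or from any BLST product. Two constructed cart implementations expose the same tiny API (`add`, `remove`, `total`): the vulnerable one stores the discount as a sticky flag, the hardened one derives it from the current quantity on every call. The checker then plays the part of an automated logic tester: it enumerates short call sequences ("flows"), replays each against a fresh cart, and reports any flow whose reported total disagrees with the business rule, returning the shortest one for the developer to debug. Prices, threshold, and discount rate are assumptions for the example.

```python
from itertools import product
from typing import Any, Callable, List, Tuple

# Constructed pricing rule (not from the article): 1000 cents per item and 20 % off
# the whole cart once it holds THRESHOLD or more items.
UNIT_CENTS = 1000
THRESHOLD = 10
DISCOUNT_PCT = 20


def expected_total(quantity: int) -> int:
    """The business rule as a specification: the discount depends only on current quantity."""
    subtotal = quantity * UNIT_CENTS
    if quantity >= THRESHOLD:
        return subtotal * (100 - DISCOUNT_PCT) // 100
    return subtotal


class VulnerableCart:
    """Stores the discount as a flag that is set on add and never re-evaluated on remove."""

    def __init__(self) -> None:
        self.quantity = 0
        self.discount_applied = False

    def add(self, n: int) -> None:
        self.quantity += n
        if self.quantity >= THRESHOLD:
            self.discount_applied = True        # sticky: nothing ever clears it

    def remove(self, n: int) -> None:
        self.quantity = max(0, self.quantity - n)   # missing sanity check on the discount

    def total(self) -> int:
        subtotal = self.quantity * UNIT_CENTS
        if self.discount_applied:
            return subtotal * (100 - DISCOUNT_PCT) // 100
        return subtotal


class HardenedCart:
    """Derives the discount from current state on every total(); there is no flag to forget."""

    def __init__(self) -> None:
        self.quantity = 0

    def add(self, n: int) -> None:
        if n <= 0:
            raise ValueError("quantity must be positive")
        self.quantity += n

    def remove(self, n: int) -> None:
        if n <= 0 or n > self.quantity:
            raise ValueError("cannot remove more than the cart holds")
        self.quantity -= n

    def total(self) -> int:
        return expected_total(self.quantity)


# A flow is a sequence of (operation, amount) calls made against the cart API.
Flow = List[Tuple[str, int]]


def run_flow(cart_factory: Callable[[], Any], flow: Flow) -> Tuple[int, int]:
    """Replay one flow on a fresh cart; return (final quantity, total the API reports)."""
    cart = cart_factory()
    for op, n in flow:
        getattr(cart, op)(n)
    return cart.quantity, cart.total()


def find_logic_flaws(cart_factory: Callable[[], Any], max_steps: int = 3) -> List[Flow]:
    """Enumerate short add/remove flows and collect those whose reported total breaks
    the business rule. A BLST tool does this stateful probing against a live API;
    here it is an exhaustive search over tiny flows, so the result is deterministic."""
    steps = [(op, n) for op in ("add", "remove") for n in (1, THRESHOLD - 1, THRESHOLD)]
    flaws: List[Flow] = []
    for length in range(1, max_steps + 1):
        for flow in product(steps, repeat=length):
            try:
                quantity, reported = run_flow(cart_factory, list(flow))
            except ValueError:
                continue        # the API rejected the flow: correct behaviour, not a flaw
            if reported != expected_total(quantity):
                flaws.append(list(flow))
    return flaws


def shortest_flaw(cart_factory: Callable[[], Any]) -> Flow:
    """The shortest failing flow is the reproduction to hand to developers."""
    flaws = find_logic_flaws(cart_factory)
    return min(flaws, key=len) if flaws else []


if __name__ == "__main__":
    print("vulnerable:", shortest_flaw(VulnerableCart))
    print("hardened:  ", shortest_flaw(HardenedCart))
```

Against `VulnerableCart` the checker's shortest reproduction is two calls, add ten then remove one, after which the API still charges the volume price for nine items; against `HardenedCart` no flow of up to three steps breaks the rule. Note what made the flaw findable: an explicit statement of the business rule (`expected_total`) to compare against. No amount of scanning the source for dangerous functions would have flagged `discount_applied = True`, and a stateless request-by-request scan would never issue the add-then-remove sequence.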

Vulnerability Analysis and Coverage

SAST:

Authentication, access control, and cryptography issues are difficult to detect automatically in pre-production source code, because whether they are exploitable depends on how the application is deployed and used, not only on how it is written. SAST obviously cannot cover run-time or configuration issues, so organizations still need additional security testing, such as pentesting. It also only identifies potential vulnerabilities, leaving it up to developers to confirm whether or not a suspected flaw is actually a security risk, i.e., to triage the false positives.

DAST:

Assists in identifying security vulnerabilities in an application while it is running in a testing environment, but it does not provide the precise location of those vulnerabilities in the code. It has no access to the application's code base and cannot point developers to the problematic lines for remediation. Because it treats the application as a black box, it also has no visibility into how data is handled once it enters through the application's APIs; it sees only requests and the responses they produce.

BLST:

APIs can be scanned continuously, and security vulnerabilities can be identified and located accurately, allowing development and security teams to detect and remediate vulnerabilities more quickly.

It helps you investigate the faulty flow, i.e., the sequence of API calls that triggers the problem, and understand the cause behind it, ultimately helping you find and fix vulnerabilities faster.

Cost Efficiency

SAST:

Assists in identifying security issues before the application code is ready to deploy. While this is very helpful, SAST needs to understand the programming language in use, and many newer frameworks and languages are not fully supported. Finding and resolving security issues at this stage saves organizations the time and money it would take to address them closer to the release date or, worse, after the release. Since SAST cannot cover run-time or configuration issues, the budget still has to include additional security testing, such as pentesting.

DAST:

Identifies vulnerabilities in the running application, but without the precise location in the code. Because it is applied only after the code has been compiled and the application is in a run-time environment, it may not discover vulnerabilities until later stages of the SDLC. Vulnerabilities it misses, together with the delayed identification of those it finds, can lead to a cumbersome and costly process of fixing errors.

Pentester:

Low efficiency because of the short time frame in which they operate. Their findings usually arrive at a later stage of the SDLC, so the costs of remediation are extremely high.

BLST:

Applied from the first build and helps with debugging the problematic flows, so the cost of remediation is low in comparison with DAST and penetration testers.

BLST is the new kid on the block, offering an automated penetration testing solution without the downsides of regular pentesting, plus some additional benefits: BLST solutions do not get tired and will not ask for a break. More importantly, by observing the API's flows as they execute, BLST identifies business logic flaws, an advantage that other application security testing tools do not provide.

This article has been taken from our Special Edition on API security. If you want to read the other articles on API security, you can download a copy of the issue.

Nathan Sitbon practices IT security with a focus on applications. Nathan received his CEH certification in 2018 and has worked in the cybersecurity industry since. He began his career in computer forensics and data recovery, then moved into penetration testing and was among the first to join the team at BLST Security, performing penetration tests for the company's customers, among them international companies and government agencies, and actively contributing to the company's core product with his knowledge of implementing complex API attack vectors. He also writes regularly on the subject.
