Runtime testing platform provider StackHawk today announced it is adding BLT (Business Logic Testing) to its AppSec menu. This new testing capability addresses business logic flaws such as broken object level authorization (BOLA) that an OWASP report said account for 34% of security breaches, the company said in its announcement.
The new functionality was built around AI, in that it can identify BOLA and broken function level authorization (BFLA) flaws that SAST and DAST tools cannot. Until now, the only option for AppSec teams has been manual penetration testing, but that can’t keep up with the speed of modern software development. With pen testing, a surface scan is run to spot obvious problems, but making the associations – does this object belong with this user – is expensive, and with the speed of today’s software iteration cycles, testers could face burnout.
“What’s exciting about what AI is enabling us to do is take that kind of human brain of what is this API supposed to be doing, this application… and using that to understand how we can test it to make sure it’s behaving the right way?” Scott Gerlach, CSO and co-founder of StackHawk, told SD Times in an interview. “It’s not only are we making sure that we don’t have any SQL injection and command injection, those kinds of problems, but also in the case of an API that, for instance, has a password reset, making sure that I can’t reset your password. Both of those things look kind of the same when you define them in code, but making sure that I can’t reset your password is the thing that you can only test when that API is running.”
The probabilistic nature of AI allows users to understand the structure and behavior of an API, while then making the deterministic finding of whether it is broken or not, Gerlach explained.
Among the features in StackHawk BLT are the ability to test for vulnerabilities from a configuration of multiple user roles; and to generate intelligent test sequences from OpenAPI specifications without manual configuration of test flows. According to the company announcement, “StackHawk understands how your APIs relate: what order endpoints should be called, what data from one response feeds into the next request, and how to generate contextually appropriate test data.”
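The password-reset case in Gerlach’s quote and the multi-role testing described above, as an added illustration that is not StackHawk’s code: a deliberately vulnerable reset handler beside a fixed one, and a two-role check of the kind a business logic test would run against a live API. The in-memory user table, handler signatures and HTTP status codes are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    role: str
    password: str

# Constructed sample accounts: two ordinary users and one admin.
USERS = {
    1: User(1, "user", "alice-old"),
    2: User(2, "user", "bob-old"),
    3: User(3, "admin", "admin-old"),
}

def reset_password_vulnerable(caller_id: int, target_id: int, new_password: str) -> int:
    """BOLA: trusts the object id in the request and never checks who is calling."""
    if target_id not in USERS:
        return 404
    USERS[target_id].password = new_password
    return 200

def reset_password_fixed(caller_id: int, target_id: int, new_password: str) -> int:
    """Only the account owner (or an admin) may reset the target's password."""
    caller = USERS.get(caller_id)
    if caller is None:
        return 401
    if target_id not in USERS:
        return 404
    if caller.user_id != target_id and caller.role != "admin":
        return 403
    USERS[target_id].password = new_password
    return 200

def bola_check(handler, owner_id: int, other_id: int) -> list:
    """Replay the same reset as the owner and as a different non-admin user.
    A finding is raised if the non-owner gets 200 or the stored password changes,
    so a handler that returns 403 but still writes the new value is caught too."""
    findings = []
    original = USERS[owner_id].password
    status = handler(other_id, owner_id, "attacker-chosen")
    if status == 200 or USERS[owner_id].password != original:
        findings.append(f"BOLA: user {other_id} reset password of user {owner_id} (HTTP {status})")
    USERS[owner_id].password = original          # restore state so the check is repeatable
    if handler(owner_id, owner_id, "owner-chosen") != 200:
        findings.append(f"owner {owner_id} cannot reset own password")
    USERS[owner_id].password = original
    return findings
```

Both handlers return the same status for the owner’s own request, which is why the flaw only shows up when the check is run with a second role against the running endpoint.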
Further, the platform offers a visual view of test sequences that shows the chain of steps leading to the discovery of a business logic flaw.
StackHawk, Gerlach told SD Times, specializes in being able to integrate into the automation cycle and see what has changed. “So now this whole understanding of the business intention of that API also changes, and that also changes what the testing engine then goes to try to test. And again, is it broken or not?”