As a current and former chief information security officer (CISO) many times over, I know from experience that it is a thankless and challenging role. Companies that employ CISOs possess lots of data and assets, and it is the CISO’s job to protect that data, ensure compliance and tend enable the business to grow efficiently.
Given my love of water, I often make the following analogy: the CISO is entrusted with ensuring that all of these parts fit like a swimmer’s cap. Any gaps will allow water to seep in and create inefficiencies, thus potentially causing a swimmer to lose precious time. And we all know water, like attackers, is pervasive; once it is in, it goes everywhere and wreaks havoc.
The role poses many challenges and requires excellent interpersonal skills, knowledge and experience. CISOs have to constantly be able to balance security concerns, operational requirements, business demands and compatibility specifications that could easily take everything in an entirely different direction. In this article, we will explore the main challenges CISOs face.
Ensuring an organization is defended
For the most part, the main challenges facing a CISO play a critical role in creating a comprehensive defense for complex and secure systems. A CISO must make a risk register based on a number of things that include the company's assets and how sensitive the information is. Then, they must choose the right tools to build a defense system against the constantly changing risks.
Within all of these layers lies the global concern of API security. It is usually accompanied by boundary-breaking graphs or overall doomsday predictions regarding the end of life, the universe and everything else as we know it. Nevertheless, the API security layer contains an additional, elusive tier that we will call Business Logic Security (Testing) – BLST, for short, which we’ll talk about in a minute.
A closer look at the CISO's role
The world of APIs has seen significant growth over the past few years and today plays a primary role, if not the main one, in information traffic. The volume and distribution of information has become exponentially larger. As a business grows, the number of business channels also increases alongside its exposure, ultimately increasing the risk for the company. The role of the CISO and their team in choosing the right tools to reduce or mitigate those risks has, therefore, become crucial.
When we look at the list of potential tools at an organization’s disposal, we can see that organizations often start out with a basic product, following the notion that what they require is defense against common attacks. But years of experience have taught us that common attacks do not penetrate these guards, and the defenses used against them are usually used as a baseline.
While there is a wide range of tasks and duties entrusted to the CISO, they are partially responsible for overseeing development, and ensuring that the work environment utilizes the extent of issues at the development and integration stages. Doing so minimizes the number of issues detected later at the production stage, when the cost of resources in labor and capital are significantly higher.
By focusing on this preliminary stage, the CISO also ensures that fewer security issues will arise at the development and integration stage and, better still, reduces the amount of security issues in later development stages such as production. Fixing a product at the working stage can, after all, be much costlier and require the diversion of valuable resources, resulting in lost time and reputational damage.
Focusing on the business logic attack vector
There are different products that examine writing style based on the code such as Synopsys’ Coverity or the solutions offered by Veracode. These alert to the presence of the issue and offer attack heuristics along with an examination of common attacks.
When it comes to business logic attacks, however, dealing with the problem remains mostly at the hands of the penetration tester and bug bounty teams (e.g., HackerOne), or left to the developers who review their own code by repetitively debugging it. Some call this process re/debug.
The list of business logic attacks is currently at the top of the OWASP list of broken access control. It is followed by a long line of subcategories. Every week, headlines feature a new attack or critical bug fix. Seeing as these API attacks are detected, we can deduce that they have become the primary attack vector of our time.
The difficulty in detecting them lies in the difficulty in understanding each API, how it behaves, how we work with it and what parameters each case presents.
One of the tools I frequently use and urge developers to incorporate into their working methods is BLST’s easy-to-use designated tool for detecting possible routes of attack within their business logic.
BLST recognized this problem as early as 2019 and has made it our mission to develop specialized tools that are incorporated into the SDLC development stage; our solutions incorporate several methodologies to examine logical issues at the early SDLC stage by scanning and integrating automation at the production stage. BLST studies API behaviors based on user habits, challenges the system with logical problems and anomalies, monitors them and produces easy-to-implement tools and reports for DevOps and AppSec teams to study and resolve.
With easy monitoring and fast, efficient presentation, BLST can save companies resources and offer them better results.
The abundance of regulations attests to the demand for full-system documentation, educating future developers on how to work with it. Still, this is a huge struggle, and many developers use multiple tools to scan their data and understand API relationships. BLST allows for fast and intuitive review and examination of these relationships, thereby saving precious time on finding different logic and connectivity between different API points.
In conclusion
The role of CISO is becoming increasingly challenging. It requires outstanding skills as new security threats emerge on a steady basis.
API usage is increasing as businesses of all sizes incorporate them into their day-to-day workflow. However, this brings a new threat of business logic security.
Having a smooth shift-left-oriented SDLC is one of the main goals every CISO should have, and incorporating a business logic security testing solution that is a smooth part of the SDLC is not something that belongs to the future. BLST Security, which has been protecting business logic since 2019, offers it now.
There are many business logic security testing solutions available for CISOs to choose from. The attack vector is already being used, so it is getting close to being too late to add a solution.