It took me a while to hear about a recent research report from the Ponemon Institute regarding application business logic attacks.
2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition, published in early October, describes the results of a survey of 425 United Kingdom IT and IT security practitioners with some responsibility for the security of their transactional website and who were familiar with logic abuse. A parallel report details the survey of 643 similar professionals in the United States of America. In these studies, business logic abuse is the misuse of intentional web site functionality to "perpetrate cyber attacks, hacks or fraud".
The most interesting figure is that 90% of companies lost revenues due to the financial or brand impact of fraud (alone?), and 20-25% lost more than 5% of their total revenues. The business logic abuse scenarios presented are web scraping, account hijacking, click fraud, botnets causing denial of service, electronic wallet exploitation, coupon abuse, testing stolen credit cards, mobile device malware to take over customer accounts, app store/marketplace fraud, and mass registration.
However, I was most interested to see what these IT and IT Security practitioners considered to be the steps that ought to be taken to detect or prevent business logic abuse. The answers appeared to be selected from a pre-defined list provided in the survey, with "Manual inspection and assessment of web pages" during development and in production seemingly being the two most "important or very important" methods (each by about 50% of those responding). This is not "business logic security testing", since "thorough testing of the website's functionality prior to production" was a different item and was considered important or very important by 20-30% of those responding.
But there was no mention of defining security requirements in advance, secure design, threat assessment, manual and automated code analysis, etc., or of building attack detection and prevention into the web sites themselves. Yes, web application firewalls (WAFs) and "content aware firewalls" were mentioned, and it seems the surveys' authors and respondents are very biased towards operational practices.
The reports' conclusions appear to have missed that these activities are generally too late (not just too little), and that a range of security practices is needed throughout the software development life cycle (SDLC). However, the reports' recommendation to assign responsibility for web site security is correctly the most important first step.