What Sets Cequence Apart from Anyone Else

May 20, 2019 | by Shreyans Mehta

[Image: prevent business logic abuse]

Cequence Security prevents business logic abuse with our AI-based Application Security Platform that discovers all of your public facing web, mobile and API-based applications, then detects any malicious transactions targeting those applications, allowing you to then apply policies to prevent the attack. As co-founder and CTO, I wanted to take a moment to highlight what I think are some of our key advantages.

What is Business Logic Abuse and why do you need protection?

The security market we participate in is defined by industry analysts as Bot Mitigation. A more accurate description is business logic abuse, which is an automated attack that targets your public facing web, mobile and API-based applications with transactions that appear to be legitimate or syntactically correct. Bad actors will use stolen user credentials, infrastructure (e.g., proxies, compromised servers and devices, etc.), and management toolkits (e.g., SNIPR, BlackBullet, SentryMBA, etc.) available on the Dark Web to deliver the attack. Using bots, the attack will attempt to repeatedly complete account sign up forms, account logins, partially execute online purchases, travel or lodging reservations, etc. Their goals are to validate credentials for resale, steal something (e.g., goods, money, IP, data), or commit fraud by using the value of their target for their own purposes (e.g., loyalty points, airline miles). In many cases, bad actors will deconstruct the web or mobile app itself to find the APIs in use and target those directly to complete the attack.

Since these attacks appear to be legitimate, your existing security infrastructure (e.g., firewalls, IPS, WAFs, Security Gateways, etc.) cannot see or stop these attacks, yet research shows that roughly 35% of all internet traffic is from malicious bots. For some highly targeted customers in retail, financial services and social media, malicious bots represent 90% or more of their web traffic. The impact of these attacks is wide-ranging and includes infrastructure costs to handle the higher traffic volume, loss of revenue from stolen goods, loss of user confidence from lost loyalty points, and increased manpower for fraud and security teams.

Gaps in first generation solutions

Web Application Firewalls

Web Application Firewalls (WAFs) cannot protect against business logic abuse attacks because the traffic appears to be legitimate. WAFs look for anomalies in the web requests, and there is nothing wrong in the structure of the request when someone tries to log in to an account or create a new account. In addition, WAFs are focused primarily on web applications, and oftentimes bad actors will bypass the web form, targeting the mobile client or the back end APIs directly.

First Generation Bot Mitigation Tools

First generation Bot Mitigation tools attempt to address the business logic abuse problem using application instrumentation to collect signals from the client by injecting Javascript code into the web application. This is a partial solution because attackers will target the APIs or the mobile application directly, which typically interact using XML/JSON and do not support Javascript. The workaround for mobile apps is to re-compile it with the SDK so that it receives the missing signal. There is no workaround to address the application APIs. While first gen bot mitigation tools do a better job at protecting your public-facing apps, the task of instrumenting all of your public facing web apps, and their respective endpoints will add development and QA cycles, ultimately slowing the application release process.

The Cequence Story

Cequence takes a unique approach to prevent business logic abuse that sets us apart from all first generation solutions. At the heart of our Application Security Platform is our patented CQAI engine, a multi-dimensional machine learning analytics engine that characterizes all of your public facing applications, differentiating between human and machine interaction. But it doesn’t stop there: CQAI is also able to determine the intent of the interaction. The result of the analysis is a behavioral profile that provides very high efficacy with low false positives in preventing business logic abuse. CQAI requires zero application instrumentation or SDK integration and continually analyzes all of your applications, detecting when updates or new versions are published. Every month, Cequence stops millions of credential stuffing, fake account creation, scraping, fake likes and other such business logic abuse attempts for our customers.

Here are three reasons why this approach is superior compared to the first generation Bot Mitigation solutions.

Impact on application user (customer) experience

Research from Google and others suggests that humans have a very short attention span, spending an average of less than 15 seconds on a web page. Web page load and first interactive time for desktop and mobile browsers are optimized to be as short as possible. Organizations will try to avoid adding any code to the application, particularly from a 3rd party, because it will negate the page load optimization efforts. Some customers will take the additional step of working with the CDN vendors to further optimize page load times. First generation Bot Mitigation systems provide their own Javascript for web applications and an SDK for mobile to collect client-side data to detect if it is a real device or not. The injected Javascript is obfuscated to protect against reverse engineering and replay attacks. When the page loads, this Javascript executes by de-obfuscating first and then collecting the attributes it is looking for. This negatively impacts the load times and first interactive time.

[Image: prevent business logic abuse - performance benchmark website sample]

Using Web Page Test (www.webpagetest.org), a popular performance benchmarking tool, the page load times for an online retailer login protected by a first generation Bot Mitigation tool shows that the bulk of the load time is consumed by JavaScript execution. It takes roughly 15 seconds for the page to become interactive and the majority of the time spent is on cnc_commons_v2.js, the third-party code from the Bot Mitigation vendor. Execution (and therefore page load impact) for the remaining code is minimal. As mentioned above, Cequence does not require instrumentation to your web or mobile applications because CQAI is implemented on the server side, continually analyzing your applications with zero impact on page load and first interactive times. Our customers can protect against business logic attacks without impacting the customer experience.

Cost of application development

Anytime an application is changed, it will go through test and QA cycles to ensure it works as designed. Adding 3rd party code that your team did not develop introduces additional risk and testing cycles. As organizations move towards more rapid, iterative application development methodologies, this is an additional tax that the development team has to pay to make sure that the third party code has no impact on the functionality of the core application. An additional tax is the process of re-certification for all your applications when the third party code is updated.

First generation Bot Mitigation solutions instrument the application by injecting Javascript or recompiling the mobile app with an SDK, effectively introducing foreign code and the additional risk of breaking the application. This code is heavily obfuscated, requiring additional time and effort for application teams to fully understand as they execute code review. The result is an extended or delayed release of new or updated applications. Most organizations have hundreds of applications, which increases the potential for errors, making it cost prohibitive from an application development perspective to instrument and re-test all these applications. The images below are snippets of Javascript code from an existing Bot Mitigation vendor. The first image shows the inclusion of the script and the second image is the actual Javascript that gets downloaded because of that inclusion. It makes it very difficult to validate and certify the application with more than 180 kilobytes of heavily obfuscated foreign code.

[Image: prevent business logic abuse - Javascript bot detection on login]

[Image: prevent business logic abuse - traffic analysis]

Cequence, on the other hand, uses CQAI to intelligently analyze the applications, eliminating the need to change the original application. That means that new applications and updates can be rolled out rapidly, without any added risk. CQAI passively and continually analyzes all your application traffic and determines if the traffic is generated from a human or machine. Once it identifies it is a machine, it then goes a level deeper to identify the intent of the automation – all without the need for any application instrumentation.

Keeping up with the ever-changing attack surface of Web, Mobile and APIs

In the last few years, enterprises have gone from connected to hyperconnected – many applications, each with multiple entry points. For example, a login application can be invoked from the home page, shopping cart, a mobile app or a REST API for partners. Every entry point needs to be protected from business logic abuse attacks. If any entry point is left unattended, bad actors will find it and rapidly exploit it. As applications are updated, new entry points are created by the application teams, sometimes without the knowledge of the security team.

First generation Bot Mitigation solutions require instrumentation for every entry point for complete protection. Missing even one entry point is quickly detected and attacked. It is still possible to instrument a Web application with Javascript and a mobile application with an SDK but for the application APIs that are exposed for non-mobile communication, there is no way to instrument them.

[Image: prevent business logic abuse diagram]

Cequence does not require any instrumentation to protect applications. The CQAI engine continuously discovers new applications across all of your web, mobile and API application channels allowing you to apply policies to prevent Business Logic Abuse. When the application team rolls out a new application, even without the knowledge of the security team, it is automatically discovered by CQAI and protected by our security platform.
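As an added illustration (not Cequence's code and not a description of how CQAI works), here is a minimal server-side check in the spirit of the passive traffic analysis described above and of the multi-entry-point coverage in the previous section: it parses a constructed access-log format and flags sources whose login attempts, pooled across the web form, mobile API and partner REST API, look like credential stuffing. The log format, endpoint paths, IP addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (not real traffic). One client sprays a
# different username at three login entry points (web form, mobile API,
# partner REST API); a second client is a human who mistypes once.
SAMPLE_LOG = """\
203.0.113.7 [20/May/2019:10:00:01 +0000] "POST /login HTTP/1.1" 401 user=alice
203.0.113.7 [20/May/2019:10:00:02 +0000] "POST /api/v1/auth HTTP/1.1" 401 user=bob
203.0.113.7 [20/May/2019:10:00:03 +0000] "POST /partner/v1/session HTTP/1.1" 401 user=dave
203.0.113.7 [20/May/2019:10:00:04 +0000] "POST /login HTTP/1.1" 401 user=erin
203.0.113.7 [20/May/2019:10:00:05 +0000] "POST /api/v1/auth HTTP/1.1" 401 user=frank
203.0.113.7 [20/May/2019:10:00:06 +0000] "POST /login HTTP/1.1" 200 user=grace
198.51.100.5 [20/May/2019:10:00:10 +0000] "POST /login HTTP/1.1" 401 user=carol
198.51.100.5 [20/May/2019:10:00:25 +0000] "POST /login HTTP/1.1" 200 user=carol
"""

# Assumed log layout: client ip, timestamp, request line, status, username field.
LINE_RE = re.compile(r'^(\S+) \[(.+?)\] "POST (\S+) HTTP/1\.\d" (\d{3}) user=(\S+)$')


def parse_log(text):
    """Turn the constructed log format into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, path, status, user = m.groups()
            events.append({"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                           "path": path, "status": int(status), "user": user})
    return events


def detect_credential_stuffing(events, window_s=60, min_attempts=5,
                               min_distinct_users=4, max_success_ratio=0.2):
    """Flag sources whose login attempts, pooled across every entry point, look
    automated inside a sliding window: many attempts, many distinct usernames,
    few successes. No client-side instrumentation is involved, only server logs."""
    flagged, recent = {}, defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the window
        users = {e["user"] for e in q}
        successes = sum(e["status"] == 200 for e in q)
        if (len(q) >= min_attempts and len(users) >= min_distinct_users
                and successes / len(q) <= max_success_ratio):
            flagged[ev["ip"]] = {"attempts": len(q), "distinct_users": len(users),
                                 "endpoints": sorted({e["path"] for e in q})}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The "endpoints" field in each finding shows which login entry points the source touched, which is the kind of cross-channel view a per-endpoint Javascript or SDK signal cannot give on its own.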

To learn more about Cequence API Spartan and how it can protect your public facing web, mobile and API-based applications, please check out this on-demand presentation:

Shreyans Mehta

CTO & Co-Founder at Cequence Security
