Application Security – Solving the Hardest Problem First

June 5, 2019 | by Shreyans Mehta


Today we announced Cequence App Firewall, the second security module for our Application Security Platform that leverages CQAI, our patented AI-powered analytics engine, to prevent data loss and compromise brought on by vulnerabilities exposed in your web, mobile and API-based applications. App Firewall is not a WAF in the traditional sense. Yes, it has the necessary features to address OWASP Top 10 and PCI DSS Section 6.6 requirements – those are table-stakes features.

App Firewall is founded upon our previous efforts to use intelligence and machine learning to help organizations stop automated business logic abuse – commonly known as malicious bot attacks – with API Spartan. Business logic abuse is a massive problem for many customers, particularly those in financial services, retail, and social media. It is made more difficult because the attacks appear to be legitimate login attempts, account registrations, or shopping purchases. This meant we needed to be able to distinguish between machine- and human-generated transactions hitting ALL of your public-facing web, mobile and API-based applications – not just web, or mobile, but all three types. To accomplish this herculean effort, we approached the problem with three design principles in mind –

  • Understand all of the transactions hitting your public facing applications WITHOUT requiring any application modification or SDK updates.
  • Design the product with cloud-centric application development methodologies in mind to ensure that security can be “baked” into your iterative application development process.
  • Utilize leading edge software components and technologies like Docker Containers, Kubernetes, and Kafka to create a modular architecture that scales as needed, and can be deployed quickly, in literally any environment.

The result of our design and development efforts is our Application Security Platform (ASP), which is founded upon CQAI, a patented machine-learning analytics engine that fully understands all of the transactions hitting your public-facing applications. CQAI is deployed out of band and focused specifically on distinguishing between machine and human intent to uncover automated business logic abuse and prevent it through API Spartan, our initial security module. In some customer environments, we are analyzing billions of transactions per day, blocking as much as 90% of them due to their malicious nature.

Cequence ASP is typically deployed in front of all other application security elements, on the front lines so to speak. CQAI sees everything hitting your public apps – even before your WAF does. Without diminishing the effort required to create a WAF, extending ASP into application firewalling for all types of applications was easier than solving the problem of business logic abuse.

API-based applications account for a large portion of today’s web traffic, and that share is expected to continue to grow as organizations build feature-rich applications to interact with customers and partners. Unlike traditional Web Application Firewalls (WAFs), which are focused on protecting web applications, App Firewall is designed to protect all applications alike, whether web, mobile or API-based. As development teams roll out new applications or update existing ones, Cequence ASP automatically detects and analyzes them, ensuring security does not inject delay into the deployment. App Firewall and API Spartan are both managed via a unified dashboard, providing you with a single pane of glass for all application security.

Most enterprises are on their journey to the cloud, but they are in different phases of that journey. Some have totally embraced it while others are still running a good portion of their applications in data centers. App Firewall is designed with a cloud-native architecture from the ground up to protect applications wherever they reside – data center, private cloud, public cloud or even a container cloud like Kubernetes. This allows our customers to move application security with the applications, without worrying about where they are running, easing their journey to the cloud.

WAFs cannot understand the applications well for two primary reasons –

  1. WAFs are signature-based.
  2. WAFs are deployed inline, which means they are unable to learn the application behavior because of the latency/delay that learning would inject into the user experience.

And that’s one reason why WAFs struggle to effectively protect against zero-day exploits. As the number of signatures increases, so too does the latency, which negatively impacts customer experience. In contrast, CQAI applies machine learning to understand normal application and user behaviors, building a positive security model to prevent zero-day exploits – without the need to apply and manage signatures. CQAI is deployed out-of-band, allowing it to continuously learn and adapt to application changes without impacting latency or customer experience. The CQAI engine then feeds these behavioral profiles to App Firewall to defend against vulnerability exploits in real time. This application-centric approach provides scalpel-like precision to prevent attacks without impacting users. The CQAI intelligence-based approach also ensures that customers don’t need to worry about overloaded WAF signature sets. The dashboard provides visibility and builds confidence in the effectiveness of App Firewall, without the need to constantly keep up with changing applications.
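To make the positive-security-model argument concrete, here is an added illustration (my own example, not Cequence code and not a description of how CQAI actually works): a per-endpoint profile of accepted parameters and value shapes is learned out-of-band from observed traffic, and the enforcement check flags any request that falls outside that profile without needing an attack signature. The endpoint paths, parameter names and sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Value "shapes" the learner abstracts over; a value gets the first shape it matches.
SHAPES = [("digits", re.compile(r"^[0-9]+$")),
          ("alnum", re.compile(r"^[A-Za-z0-9_.-]+$")),
          ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"))]

def shape_of(value):
    for name, rx in SHAPES:
        if rx.match(value):
            return name
    return "other"

def learn_profile(requests):
    """Learning phase (runs out-of-band, off the request path): per (method, path),
    record every parameter name seen and the set of value shapes it took."""
    profile = {}
    for method, url in requests:
        parts = urlsplit(url)
        params = profile.setdefault((method, parts.path), {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params.setdefault(name, set()).add(shape_of(value))
    return profile

def check_request(profile, method, url):
    """Enforcement phase (inline, cheap): return violations against the learned
    profile; an empty list means the request fits the positive model."""
    parts = urlsplit(url)
    key = (method, parts.path)
    if key not in profile:
        return [f"unknown endpoint {method} {parts.path}"]
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in profile[key]:
            violations.append(f"unexpected parameter {name!r}")
        elif shape_of(value) not in profile[key][name]:
            violations.append(f"parameter {name!r} has shape {shape_of(value)!r}, "
                              f"learned {sorted(profile[key][name])}")
    return violations

# Constructed sample of normal traffic seen during learning (not real customer data).
BASELINE = [
    ("GET", "/api/orders?id=1001&page=1"),
    ("GET", "/api/orders?id=1002&page=2"),
    ("GET", "/api/orders?id=1003"),
    ("POST", "/api/login?user=alice@example.com&remember=1"),
    ("POST", "/api/login?user=bob@example.com&remember=0"),
]
PROFILE = learn_profile(BASELINE)
```

Note that a new parameter or a new value shape on a known endpoint is a deviation from learned behavior, which is exactly the case a signature list cannot anticipate; in practice such deviations also have to be re-learned when the application legitimately changes.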

As the newest ASP security module, App Firewall takes full advantage of the ongoing customer feedback, threat research and feature enhancements we have made over the past three years in CQAI and API Spartan. With the two security modules deployed together, sharing signals with each other, customers gain an opportunity to consolidate application security in a single pane of glass, effectively achieving a “1+1 = 3” effect.

Want to learn more about App Firewall? Read the datasheet today.

Author

Shreyans Mehta

CTO & Co-Founder at Cequence Security