Tuesday, December 30, 2008

Silver Tail Systems tackles Business Logic Flaws

I first started blogging about business logic flaws back in 2006, at a time when there was an overemphasis on technical vulnerabilities such as XSS and SQLi: issues black-box scanners could identify, while the rest were conveniently ignored. Many insiders knew, albeit confidentially, that serious vulnerabilities remained unchecked even after a clean scan report. Bad guys could monetize heavily on the lack of visibility, and they have, so it is no longer a secret. This type of fraud has resulted in the loss of 5, 6, and even 7 figure sums in particular instances. Organizations now want and need detection solutions on the back-end, in addition to vulnerability assessments on the front-end, capable of uncovering those taking advantage of business logic flaws.

That is where Silver Tail Systems, a new Silicon Valley start-up I’ve been following, comes into play. Founded by Laura Mather (Ph.D.) and Mike Eynon, Silver Tail is an entire company solely dedicated to addressing what they call “business process abuse,” which is basically the same thing as business logic flaws. If anyone has the pedigree to successfully apply technology to this problem, they do; their backgrounds are no joke. Do not make the mistake of thinking this product is a Web Application Firewall; it’s not. It is something entirely different, more in line with business analytics with a focus on security.

“Silver Tail Forensics exposes the way a website is being used – through user, page, and IP statistics. The tool allows a business owner to explore the use of his or her site by displaying the usage of the site on a per page, per user, or per IP level. A search interface provides deep access into the activity on the website using any dimension. When suspicious activity is identified, Silver Tail Forensics enables the business user or security analyst to obtain a full understanding of the bad actors and their specific behaviors and how those behaviors differ from legitimate users.”
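To make the per-user, per-page and per-IP view concrete, here is an added example of the kind of back-end analysis the paragraph above describes. It is not Silver Tail's code, and the log format, the sample requests and the thresholds are all assumptions made for the illustration. It aggregates a constructed access log along each dimension and runs two checks that a legitimate-user baseline makes possible: a user hitting one page far more often than the median user, and a user reaching a step of a business flow (order confirmation) without passing through the step that should precede it (checkout).

```python
"""Per-user / per-page / per-IP usage statistics over a web access log,
with two simple business-process abuse checks.
Added example, not Silver Tail's code; log format and thresholds are assumed."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log, one request per line: "timestamp user ip path".
# Three ordinary shoppers follow product -> coupon -> cart -> checkout -> confirm.
# A fourth account ("mallory", a constructed name) applies a coupon 40 times and
# then reaches /confirm without ever requesting /checkout.
LEGIT_FLOW = ["/product/42", "/coupon/apply", "/cart", "/checkout", "/confirm"]
SAMPLE_LOG = "\n".join(
    [f"2008-12-30T10:0{i}:00 {user} 198.51.100.{n} {path}"
     for n, user in enumerate(["alice", "bob", "carol"], start=1)
     for i, path in enumerate(LEGIT_FLOW)]
    + [f"2008-12-30T10:00:{s:02d} mallory 203.0.113.9 /coupon/apply" for s in range(40)]
    + ["2008-12-30T10:01:00 mallory 203.0.113.9 /cart",
       "2008-12-30T10:01:05 mallory 203.0.113.9 /confirm"]
)


def parse_log(text):
    """Turn the whitespace-separated log into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, path = line.split()
        records.append({"ts": ts, "user": user, "ip": ip, "path": path})
    return records


def requests_per(records, dimension):
    """Total request count per value of one dimension: 'user', 'ip' or 'path'."""
    return Counter(r[dimension] for r in records)


def page_hits_per_user(records, path):
    """How many times each user requested a given page."""
    return Counter(r["user"] for r in records if r["path"] == path)


def flag_heavy_users(records, path, factor=5.0):
    """Users whose hit count on `path` exceeds `factor` times the median user's.

    The baseline comes from the observed population, so a page that only one
    user ever touches yields no baseline and nobody is flagged (a caveat, not
    a feature: such pages need a different check)."""
    hits = page_hits_per_user(records, path)
    if len(hits) < 2:
        return []
    baseline = max(median(hits.values()), 1.0)   # floor of one request
    return sorted(user for user, n in hits.items() if n > factor * baseline)


def flag_skipped_step(records, required, target):
    """Users who reached `target` without having requested `required` earlier.

    Ordering by timestamp string works because the format is fixed-width ISO."""
    paths_by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        paths_by_user[r["user"]].append(r["path"])
    flagged = []
    for user, paths in paths_by_user.items():
        seen_required = False
        for p in paths:
            if p == required:
                seen_required = True
            elif p == target and not seen_required:
                flagged.append(user)
                break
    return sorted(flagged)


def summarize(records):
    """The three views from the description plus the two abuse checks."""
    return {
        "per_user": requests_per(records, "user"),
        "per_ip": requests_per(records, "ip"),
        "per_page": requests_per(records, "path"),
        "heavy_coupon_users": flag_heavy_users(records, "/coupon/apply"),
        "skipped_checkout": flag_skipped_step(records, "/checkout", "/confirm"),
    }


if __name__ == "__main__":
    for name, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {dict(value) if isinstance(value, Counter) else value}")
```

Both checks depend on having a picture of what normal users do: the heavy-user check is relative to the median of everyone who touched the page, and the skipped-step check encodes one expected ordering of the flow. Neither needs a signature for a specific attack, which is the point of looking at usage statistics rather than request payloads; the price is that thresholds and flow definitions have to be tuned per site.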

This is a company worth tracking and a blog worth following.

3 comments:

Anonymous said...

Happy New Year Jeremiah :)

Can't say that I was blogging about it (don't think we had blogs), but certainly was "spreading the word" back in 2003 :)

http://www.bug-box.net/misc/SQE.avi

(you might need the techsmith codec - http://www.techsmith.com/download/codecs.asp)

Sounds like an interesting company, and certainly one I will track.

Rafal Los said...

Great post- spreading the word on this is important. Business logic flaws, as you point out, are conveniently ignored for the reason that everyone notes - they aren't detected by "scanners" and worse, most security folks are unable to detect them (since they aren't technically "security" issues)...

Great company to follow... let's hope they have a bright future.

Andrew said...

While people may have different views, still, good things should always be appreciated. Yours is a nice blog. Liked it!!!