StackHawk Adds Business Logic Testing to AppSec


SAN FRANCISCO (WHN) – Runtime testing platform provider StackHawk is rolling out Business Logic Testing (BLT) to its application security (AppSec) toolkit, aiming to catch vulnerabilities that traditional Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools miss. This move targets what StackHawk identifies as a critical gap in securing modern APIs, particularly focusing on flaws like broken object level authorization (BOLA), which an OWASP report cited as responsible for 34% of security breaches.

The addition of BLT signals a pivot towards AI-driven security analysis, a capability StackHawk claims can understand the intended behavior of an API, not just its code structure. This allows the platform to detect issues like the inability for one user to reset another’s password – a scenario that might look benign in code but represents a significant security flaw when the API is active.

Traditional penetration testing, while effective, struggles to keep pace with rapid software development cycles. Scott Gerlach, CSO and co-founder of StackHawk, explained to SD Times that manual pen testing often involves surface scans for obvious issues. “Making associations – does this go with this – is expensive,” he noted, adding that the sheer speed of iteration cycles can lead to tester burnout.

StackHawk’s approach leverages AI’s probabilistic nature to map API structures and behaviors. This understanding then allows for deterministic findings on whether those behaviors are secure. Gerlach elaborated on the AI’s role: “What’s exciting about what AI is enabling us to do is take that kind of human brain of what is this API supposed to be doing, this application… and using that to understand how we can test it to make sure it’s behaving the right way?” The goal is to go beyond detecting common code-level vulnerabilities like SQL injection and command injection, to verifying that the application’s functional logic is sound.

Key features of StackHawk BLT include the ability to test vulnerabilities across multiple configured user roles. This is crucial for applications where different user types have varying levels of access and permissions. The platform can also generate intelligent test sequences directly from OpenAPI specifications, eliminating the need for manual configuration of test flows.

The company stated that StackHawk understands API relationships, including the correct order for calling endpoints, how data from one response feeds into subsequent requests, and how to generate contextually appropriate test data. This deep understanding of API interdependencies is what enables the detection of complex business logic flaws.

StackHawk emphasizes its integration into the automation pipeline. Gerlach highlighted this aspect, telling SD Times, “So now this whole understanding of the business intention of that API also changes, and that also changes what the testing engine then goes to try to test. And again, is it broken or not?” This adaptability is designed to keep security testing relevant as applications evolve.

The platform also offers a visual representation of test sequences, allowing security teams to trace the steps leading to the discovery of business logic vulnerabilities. This visual feedback can be invaluable for understanding the attack path and for remediation efforts.

The shift towards testing business logic at runtime is a significant development in application security. While SAST tools analyze code before deployment and DAST tools probe running applications for known vulnerabilities, they often struggle to interpret the nuanced workflows and permission structures that define an application’s core business functions. BOLA, for instance, occurs when an application allows users to access or modify objects they shouldn’t, often due to insecure direct object references or insufficient authorization checks.
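To make the BOLA pattern concrete, here is an added example (not StackHawk's code) of the password-reset scenario from earlier in the article: a handler that only checks authentication beside one that also checks object ownership, and a role-aware check of the kind a multi-role business logic test would run. The user store, roles and handler names are constructed for illustration.

```python
# Added example, not from StackHawk: a minimal password-reset endpoint in its
# BOLA-vulnerable form beside a hardened form, plus a role-aware check that
# exercises the endpoint as each configured role. All data is constructed.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str              # constructed roles: "member" or "admin"
    password: str = "initial"


# Constructed user store: two ordinary members and one admin.
USERS = {1: User(1, "member"), 2: User(2, "member"), 3: User(3, "admin")}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def reset_password_vulnerable(caller: User, target_id: int, new_pw: str) -> str:
    """BOLA: the caller is authenticated (we have a User), but the handler never
    checks that the caller is entitled to the target object."""
    USERS[target_id].password = new_pw
    return "ok"


def reset_password_hardened(caller: User, target_id: int, new_pw: str) -> str:
    """Object-level authorization: only the owner or an admin may reset."""
    if caller.user_id != target_id and caller.role != "admin":
        raise Forbidden(f"user {caller.user_id} may not reset user {target_id}")
    USERS[target_id].password = new_pw
    return "ok"


def bola_findings(handler, victim_id: int = 2) -> list:
    """Call the handler as every configured user against an object they do not
    own and return (user_id, role) for each caller that succeeded without being
    entitled to. An empty list means no BOLA finding for this handler."""
    findings = []
    for caller in USERS.values():
        if caller.user_id == victim_id:
            continue  # the owner resetting their own password is legitimate
        try:
            handler(caller, victim_id, "tester-chosen")
            if caller.role != "admin":
                findings.append((caller.user_id, caller.role))
        except Forbidden:
            pass  # correctly denied: no finding
    return findings
```

Running `bola_findings` against each handler reports the member account for the vulnerable version and nothing for the hardened one, which is the per-role evidence a security team would want alongside the test sequence that produced it.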

By focusing on how APIs are *used* rather than just how they are *written*, StackHawk aims to provide a more comprehensive security posture. The ability to simulate realistic user interactions across different roles, and to understand the data flow between API calls, represents a step towards a more intelligent and automated approach to AppSec, especially as APIs become the primary interface for many modern applications.

The successful implementation of BLT could mean faster detection of critical vulnerabilities that often slip through traditional security gates. This is particularly important for organizations dealing with sensitive data or complex transaction processes where the integrity of business logic is paramount.

The company’s announcement positions this as a necessary evolution in AppSec, driven by the increasing complexity and speed of software development. The challenge remains in how effectively AI can generalize its understanding of business logic across diverse application architectures.