NEW TECH: Cequence Security deploys defense against botnets’ assault on business logic

By Byron V. Acohido

One way to grasp how digital transformation directly impacts the daily operations of any organization – right at this moment —  is to examine the company’s application environment.

Related: How new exposures being created by API sprawl

Pick any company in any vertical – financial services, government, defense, manufacturing, insurance, healthcare, retailing, travel and hospitality – and you’ll find employees, partners, third-party suppliers and customers all demanding remote access to an expanding menu of apps — using their smartphones and laptops.

This translates into a sprawling attack surface available to determined, well-funded threat actors. I had the chance at RSA 2019 to visit with Larry Link, CEO of Cequence Security, a Sunnyvale, CA-based startup that has secured $30 million in venture funding to help companies address this exposure.

Cequence’s technology detects and repels bot attacks designed to manipulate business logic. Such attacks can create or takeover accounts, detonate reputation bombs, scrape content, deny inventory and carry out extortion variants. For a full drill down on our discussion, give a listen to the accompanying podcast. Here are the big takeaways:


We live, work and play in a hyper-connected environment. Because we are constantly switched on and tuned in, organizations are now being forced by their customers to provide a much broader suite of access points into their application environment. Customers are all demanding access and requiring access from all of their devices, new and old.

Take the airline industry as an example. A decade ago, purchasing an airline ticket online was straight forward. You found the flight you wanted, bought the ticket, and it was either mailed to you, or a few years later, it arrived via email so you could print it yourself.


Today, the airline industry has been pushed into the hyperconnected environment, going well beyond ticket purchases, Link told me. Today’s airline interaction is centered around its smartphone app. You display your boarding pass on the app, get your internet access from the app, flight updates, checked-bag tracking, food and beverage ordering services, and inflight entertainment, all through that app.

In addition, the airline is connected to multiple sites, travel aggregators, through APIs so they can sell tickets through other sites like Expedia and Kayak.

“That’s part of doing business today,” Link told me. “But there is a downside to doing business in this hyperconnected environment. It also opens up the application attack surface, providing a lot more opportunities for hackers to get into your networks and compromise data.

Business-logic abuse

Internet-facing applications and APIs are a prime target for a broad range of sophisticated semantic and syntactic attacks, Link pointed out. “As you start moving and deploying in this environment, one of the things you see is very rapid change in the application framework.” Updates happen daily, not once every six months or so like they did on a mainframe system. It becomes difficult to build security into the application when you are doing that frequent of a change and you end up more exposed to risk.

One such risk is business logic abuse. Going back to the airlines, business logic abuse might be a bot attack using credentials that have been captured in the wild to try to compromise accounts, do an account takeover, and potentially steal points.

A new business logic abuse that has sprung up for airlines is called seat spinning. This is where the attackers use bots to get into the application through a compromised login or create a fake account, allowing them to “buy” a ticket – they’ll put it into their cart but not check out and then try to sell that ticket for a higher price through another service.

They are holding that seat inventory without actually buying it, and if they don’t resell the seat, release the seat too late for anyone else to buy it. The flight then departs at partial capacity and the airline loses money on the flight.

No going back

Legacy systems simply cannot address the security risks presented by APIs. Link argues that companies need to rethink the way they secure their application frameworks. That isn’t so simple, as organizations don’t want security tools to modify or change the apps in any way. On the security side, there are hundreds of moving parts within that app to deal with.

One approach is to create a layer of application security that deploys as your applications deploy within the organization. “The delivery vehicle is a container,” said Link, “and the Cequence Application Security platform is deployed within a microservice framework for flexibility and ease of deployment.”

Knowing the data and known good behavior also helps improve security. Analytic platforms that passively sit in the consumer environment can monitor the traffic logs and transactions — and leverage machine learning to cut through all the noise.

Clearly, businesses need to be hyper-connected because their employees, partners, suppliers and customers demand it. There’s no going back to those old days of getting the airplane ticket in mail delivery.

The burden is on the organization to acknowledge this expanded attack surface and be proactive about reducing credential theft and business logic abuse. It is encouraging to see by Cequence, and others, gaining traction. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone