
OWASP Announces BLADE Business Logic Attack Framework to Give Enterprises Better Tools to Fight Sophisticated Bots

Netacea
28/04/25

Update to attack framework announced to coincide with recognition as an industry standard

The Open Worldwide Application Security Project (OWASP) announced today that the Business Logic Attack Definition Framework (BLADE Framework) has become The OWASP BLADE Framework Project. The name change reflects the acceptance of the attack framework as an OWASP project and recognition of the framework as an industry standard.

The BLADE Framework was launched as an open-source project in 2022 by Netacea, a specialist in bot management and cyberfraud threat intelligence. BLADE is a “MITRE ATT&CK style” framework to help cyber defenders understand and respond to business logic abuse through a matrix of tactics, techniques and phases (TTPs).

“The OWASP Foundation is proud to welcome the BLADE Framework as an official project. This resource, grounded in years of rigorous research and practical application, represents a significant advancement in the fight against business logic abuse. We are excited to support the continued development and adoption of this framework within the global cybersecurity community,” commented Starr Brown, Director of Open Source Programs and Projects at OWASP.

Business logic attacks, which reach security teams mostly in the form of large-scale bot attacks and automated online fraud, are among the biggest threats to online enterprises today. The OWASP BLADE Framework Project maintains a globally accessible knowledge base of adversary tactics and techniques, built from real-world observations of business logic abuse.

Matthew Gracey-McMinn, VP Threat Services, Netacea, said: “Highly organized criminal groups are spending considerable time and effort learning how to manipulate the logic of enterprise websites, mobile apps and APIs in their favor, generating millions of dollars in profit for themselves and causing billions of dollars in damage through cyberfraud, increased infrastructure costs and lost reputation.” 

Automated threats like Account Takeover (ATO), scalping and bonus abuse are all too familiar to enterprise security analysts. But new threats and kill chains are appearing every day and are increasingly driven by offensive AI.

Updates to the OWASP BLADE Framework Project announced today include details of several new TTPs, along with linked kill chains and a number of AI-specific business logic threats, including scraper bots that steal content to train AI models.

Experts from the Netacea Threat Intel Center are available to supplement this open-source content with detailed explainers on these new attack vectors, along with real-world case studies. Netacea also demonstrates how it has successfully defended customers against these attacks, and shows how to apply the OWASP BLADE Framework to help enterprises understand the scope of their bot or automated fraud problem and choose security tooling to mitigate it.

About The OWASP BLADE Framework

The OWASP Business Logic Attack Definition (BLADE) Framework is an open-source knowledge base created to help cybersecurity professionals identify the phases, tactics and techniques adversaries use to exploit weaknesses in the business logic of web-facing systems (websites and APIs). Existing attack frameworks such as MITRE ATT&CK and the Lockheed Martin Cyber Kill Chain let defenders model and respond to traditional cyberattacks that exploit technical weaknesses, but they are not well suited to modelling attacks that abuse legitimate application functionality rather than a software flaw. Business logic attacks of that kind are becoming increasingly common and impactful, which is the gap BLADE is designed to fill.

About OWASP

The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the fields of IoT, system software and web application security. Led by a non-profit, The OWASP Foundation, OWASP provides free and open resources. The OWASP Top 10 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations. The OWASP Foundation, a U.S. 501(c)(3) non-profit organization established in 2004, supports the OWASP infrastructure and projects.

About Netacea

Netacea, a bot detection and response specialist, provides a better way to stop bot attacks at scale. Netacea is a recognized leader for its innovative use of threat intelligence and machine learning to deliver better detection of bot attacks across websites, apps and APIs. Netacea’s patented server-side integration analyzes all web traffic at the edge, providing comprehensive real-time protection through a single, lightweight integration that is invisible to attackers.

