Requesting Clarifying Definition in the Business Logic Section Header #1869

Status: Open
craig-shony opened this issue Feb 12, 2024 · 3 comments

Labels: V11; _5.0 - draft (This should be discussed once a 5.0 draft has been prepared.)

Comments

@craig-shony

I think Section 11: Business Logic could use a basic definition. I'll include a first iteration:
In the context of application security, business logic refers to how security controls protect business rules from being bypassed or abused.

@elarlang added the V11 label Feb 13, 2024
@tghosth added the _5.0 - prep (This needs to be addressed to prepare 5.0) and 4b Major-rework (These issues need to be part of a full chapter rework) labels Feb 18, 2024
@csfreak92 assigned csfreak92 and craig-shony and unassigned csfreak92 Mar 1, 2024
@jmanico (Member)

jmanico commented May 5, 2024

Good idea. Here is my first cut of a definition:

Business logic in application security refers to the customized rules and processes that safeguard an application in accordance with its specific requirements or the needs of the business it serves. These rules dictate various aspects such as user interactions, data handling, and system behavior, tailored to suit the unique characteristics of each application, business, or industry.

Some examples of business logic vulnerabilities:

Business Rule: Products should only be provided to customers after their transactions are successfully verified to prevent loss due to fraud or non-payment.
Vulnerability: If an attacker can manipulate the application to deliver a product before the purchase is verified, there's a risk of providing goods without receiving payment, leading to financial losses for the business.

Business Rule: High-value transactions above a certain threshold should be manually reviewed to ensure accuracy, legitimacy, and compliance with business policies.
Vulnerability: If an attacker can manipulate the application to skip the review process for high-value transactions, then fraudulent or erroneous transactions may go unnoticed, increasing the risk of financial losses or compliance violations.

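The two rules in the comment above share one failure mode: the server lets something the client controls decide whether an order may move to the next state. The following is an added example written for this page (Python; it is not code from the ASVS project or from the commenter). It assumes a hypothetical order state machine, a constructed in-memory payment gateway standing in for a real processor, and an assumed review threshold of 1000.00; the service, class and method names are all illustrative. It shows the vulnerable flow, where a forged `status=paid` parameter ships unpaid goods, next to a hardened flow in which every transition is decided only from server-side state: the gateway's settlement record, the order's current state, and a reviewer's approval for high-value orders.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class OrderState(Enum):
    CREATED = "created"
    PAID = "paid"
    UNDER_REVIEW = "under_review"
    APPROVED = "approved"
    FULFILLED = "fulfilled"


# Assumed policy value for the "high-value transaction" rule (not taken from the issue).
REVIEW_THRESHOLD = Decimal("1000.00")


class BusinessRuleViolation(Exception):
    """Raised when a requested transition would bypass a business rule."""


@dataclass
class Order:
    order_id: str
    amount: Decimal
    state: OrderState = OrderState.CREATED


class PaymentGateway:
    """Constructed stand-in for a payment processor: the only authoritative
    record of which orders have actually been settled."""

    def __init__(self) -> None:
        self._settled: set[str] = set()

    def settle(self, order_id: str) -> None:
        self._settled.add(order_id)

    def is_settled(self, order_id: str) -> bool:
        return order_id in self._settled


class VulnerableOrderService:
    """Flawed flow: fulfilment is gated on a 'status' field the client sends,
    so a forged status=paid ships goods that were never paid for."""

    def fulfill(self, order: Order, request: dict) -> bool:
        if request.get("status") == "paid":
            order.state = OrderState.FULFILLED
            return True
        return False


class HardenedOrderService:
    """Every transition is decided from server-side state; nothing in the
    client request can move an order forward."""

    def __init__(self, gateway: PaymentGateway) -> None:
        self._gateway = gateway

    def mark_paid(self, order: Order) -> OrderState:
        if order.state is not OrderState.CREATED:
            raise BusinessRuleViolation(f"{order.order_id}: already {order.state.value}")
        if not self._gateway.is_settled(order.order_id):
            raise BusinessRuleViolation(f"{order.order_id}: payment not verified")
        # Rule 2: high-value transactions must pass manual review before fulfilment.
        order.state = (OrderState.UNDER_REVIEW if order.amount > REVIEW_THRESHOLD
                       else OrderState.PAID)
        return order.state

    def approve(self, order: Order, reviewer: str) -> OrderState:
        if order.state is not OrderState.UNDER_REVIEW:
            raise BusinessRuleViolation(f"{order.order_id}: nothing to review")
        order.state = OrderState.APPROVED  # reviewer identity would be logged in a real system
        return order.state

    def fulfill(self, order: Order, request: dict) -> OrderState:
        # Rule 1: the request carries no authority; only orders that passed payment
        # verification (and review, where required) may ship.
        if order.state not in (OrderState.PAID, OrderState.APPROVED):
            raise BusinessRuleViolation(f"{order.order_id}: cannot fulfil in state {order.state.value}")
        order.state = OrderState.FULFILLED
        return order.state


def run_demo() -> dict:
    """Exercise both services on constructed orders and report the outcomes."""
    results = {}
    forged = {"status": "paid"}  # what an attacker would send

    # Vulnerable service: no settlement at all, the forged status is enough.
    results["vulnerable_ships_unpaid"] = VulnerableOrderService().fulfill(
        Order("ord-1", Decimal("49.99")), forged)

    gateway = PaymentGateway()
    svc = HardenedOrderService(gateway)

    # Hardened service, same forged request, unpaid order: refused.
    try:
        svc.fulfill(Order("ord-2", Decimal("49.99")), forged)
        results["hardened_ships_unpaid"] = True
    except BusinessRuleViolation:
        results["hardened_ships_unpaid"] = False

    # Low-value order settled through the gateway: ships without review.
    small = Order("ord-3", Decimal("49.99"))
    gateway.settle(small.order_id)
    svc.mark_paid(small)
    results["small_order_final"] = svc.fulfill(small, {}).value

    # High-value order: settled, but fulfilment is blocked until a reviewer approves.
    large = Order("ord-4", Decimal("25000.00"))
    gateway.settle(large.order_id)
    results["large_order_after_payment"] = svc.mark_paid(large).value
    try:
        svc.fulfill(large, forged)
        results["large_order_skipped_review"] = True
    except BusinessRuleViolation:
        results["large_order_skipped_review"] = False
    svc.approve(large, reviewer="ops-reviewer")
    results["large_order_final"] = svc.fulfill(large, {}).value
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that the hardened service never reads `request` when deciding state: the payment gateway, not the caller, says whether money arrived, and the threshold check happens on the server at the moment payment is recorded, so there is no client-visible step to skip. A test that tries to drive the order straight from `CREATED` to `FULFILLED`, or to `FULFILLED` from `UNDER_REVIEW`, is the concrete check a verifier would run for these two rules.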
@elarlang (Collaborator)

elarlang commented May 5, 2024

There are some things to keep in mind:

For all extra texts there must exist clear goals - why it exists, what (potential) confusion it eliminates, or what (potential) problem it solves.

@tghosth added the next meeting (Filter for leaders) label May 6, 2024
@tghosth added the _5.0 - draft (This should be discussed once a 5.0 draft has been prepared.) label and removed the 4b Major-rework, _5.0 - prep and next meeting labels May 9, 2024
@tghosth (Collaborator)

tghosth commented May 19, 2024

@elarlang, I believe the added text makes sense and is not too long. I agree that before the draft we will need to decide how much text we want there and ensure there is consistency.
