[Owasp-board] [Owasp-codereview] code review guide reboot (CRG V2.0)

Eoin eoin.keary at owasp.org
Thu Jul 22 23:18:55 UTC 2010


Hey,
End of the day it's about reviewing code which may implement some business
logic and the approach one takes to performing such a review. The guide
cannot cover off all logic models but needs to cover off how to review etc.
Eoin

On 22 Jul 2010 23:17, "Donovan, Frederick" <fdonovan at estee.com> wrote:

 Hey Jeff.  Perhaps my short response could have been broadened. Lot of
Blogic issues and examples that can be covered here for sure.  This is
definitely an important area.



You are right, wasn’t mentioning access control and yes business logic is
first understood by the business customer.  Developers I’ve worked with are
not generally in the position to understand the business nor do they have
much (if any) rapport with the customer – hence some of the issues.  Frankly,
project managers can be just as unreliable on this topic.  And although the
business customer would be fresh on the business needs, I would not expect
them to understand how their business rules can or are being broken.



Understanding business logic flaws is much less about attacks (although I’m
sure one might argue that changing a step ID in a query string is breaking
business logic) and certainly not things a “scanner” would find.  Those
implementing it (b logic) first need to understand anticipated business
requirements and yet also need the ability to discern things that would not
generally be anticipated by the developer’s code, developer or perhaps even
expected by the business customer.  (I liked your example)



I have developers who desire libraries and frameworks, business customers
who desire functionality and increased security, but I expect the AppSec
engineer to be able to see where the business logic can be bettered or
smashed.





*From:* Jeff Williams [mailto:jeff.williams at owasp.org]
*Sent:* Thursday, July 22, 2010 4:28 PM
*To:* Donovan, Frederick
*Cc:* Eoin; OWASP Foundation Board List; Owasp-codereview at lists.owasp.org
*Subject:* Re: [Owasp-codereview] code review guide reboot (CRG V2.0)






> I’d like to volunteer with the business logic code review – been putting
it into wo...


