[Owasp-leaders] Business Logic Cheatsheet

Erlend Oftedal erlend.oftedal at owasp.org
Thu Oct 24 10:57:30 UTC 2013


Would you mind simplifying this sentence?
"Business Logic testing uses many of the same testing techniques used by
functional testers the automation of business logic abuse cases is not
possible and remains a manual art relying on the skills of the tester and
their knowledge of the complete business process and its rules."

I may have misunderstood that sentence (which is why I'm hoping you can
simplify it), but given my current understanding, I'm not sure I agree.
Automatic detection is likely not possible due to lack of required
knowledge of business rules, but there are ways of handling automated
testing. Tools like Cucumber (http://cukes.info/) are tools intended to
allow business to write acceptance criteria in natural language. This could
easily be used to write "negative" test cases. Also automation of web
browsers (like web driver) can be used to test for these things, or at
least automate regression testing. Another alternative is automated testing
of the service layer. It all depends on how well your code is rigged to
support testing.

Best regards,
Erlend





On Wed, Oct 23, 2013 at 7:20 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Hello folks,
>
> We just released a new cheatsheet, the business logic cheatsheet for
> developers. Kudos to Ashish Rao and David Fern for working on this together.
>
> https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
>
> Feedback is always appreciated.
>
> Aloha,
> Jim Manico
> OWASP Board Member
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131024/79cbcf22/attachment.html>


More information about the OWASP-Leaders mailing list