[Owasp-leaders] Business Logic Cheatsheet

Jim Manico jim.manico at owasp.org
Thu Oct 24 11:13:32 UTC 2013

We are word-smithing the entire cheatsheet right now. I pushed it a bit
early but it's getting fixed (thanks for your help, Neil Smithline).

I'll send the list a note when it's really ready.

Jim Manico

On Oct 24, 2013, at 5:57 AM, Erlend Oftedal <erlend.oftedal at owasp.org>

Would you mind simplifying this sentence?
"Business Logic testing uses many of the same testing techniques used by
functional testers the automation of business logic abuse cases is not
possible and remains a manual art relying on the skills of the tester and
their knowledge of the complete business process and its rules."

I may have misunderstood that sentence (which is why I'm hoping you can
simplify it), but given my current understanding, I'm not sure I agree.
Automatic detection is likely not possible due to lack of required
knowledge of business rules, but there are ways of handling automated
testing. Tools like Cucumber (http://cukes.info/) are intended to allow
the business to write acceptance criteria in natural language. This could
easily be used to write "negative" test cases. Also, automation of web
browsers (like WebDriver) can be used to test for these things, or at
least automate regression testing. Another alternative is automated testing
of the service layer. It all depends on how well your code is rigged to
support testing.

Best regards,
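As an added illustration of the service-layer option raised in the message above (this is example code written for this page, not code from the thread, from the OWASP cheat sheet, or from Cucumber/WebDriver), here is a small constructed checkout service with its business rules written down, plus a set of automated "negative" regression tests that encode the abuse cases those rules are meant to stop. The catalog, stock levels, coupon codes, workflow steps and rule wording are all assumptions made up for the example.

```python
"""Service-layer regression tests for business-logic abuse cases.

Added example; the `Checkout` service, its catalog, coupons, stock and
workflow are constructed for illustration. Once a business rule is
written down, its abuse case can be turned into an automated negative
test that runs on every build, even though finding the rule in the
first place still needs a human who knows the business process.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed catalog: server-side prices are the only source of truth,
# so a client-supplied price never enters the total.
CATALOG = {"book": Decimal("12.00"), "laptop": Decimal("900.00")}
STOCK = {"book": 5, "laptop": 2}
# Constructed coupons: code -> flat discount amount.
COUPONS = {"SAVE10": Decimal("10.00"), "BIG50": Decimal("50.00")}
# Workflow steps must be completed in this order; none may be skipped.
STEPS = ["cart", "address", "payment", "confirm"]


class BusinessRuleViolation(Exception):
    """Raised when a request breaks a business rule."""


@dataclass
class Checkout:
    items: dict = field(default_factory=dict)       # sku -> quantity
    coupons_applied: set = field(default_factory=set)
    step: int = 0                                  # index of current STEPS entry

    def add_item(self, sku, qty):
        if sku not in CATALOG:
            raise BusinessRuleViolation("unknown sku")
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise BusinessRuleViolation("quantity must be a positive integer")
        new_qty = self.items.get(sku, 0) + qty
        if new_qty > STOCK[sku]:
            raise BusinessRuleViolation("quantity exceeds stock")
        self.items[sku] = new_qty

    def apply_coupon(self, code):
        if code not in COUPONS:
            raise BusinessRuleViolation("unknown coupon")
        if code in self.coupons_applied:
            raise BusinessRuleViolation("coupon already used on this order")
        self.coupons_applied.add(code)

    def total(self):
        subtotal = sum(CATALOG[s] * q for s, q in self.items.items())
        discount = sum(COUPONS[c] for c in self.coupons_applied)
        # A discount may zero the order but never drive it negative.
        return max(subtotal - discount, Decimal("0.00"))

    def advance(self, to_step):
        """Move to the next workflow step; jumping ahead is rejected."""
        target = STEPS.index(to_step) if to_step in STEPS else -1
        if target != self.step + 1:
            raise BusinessRuleViolation("workflow steps must be taken in order")
        if STEPS[self.step] == "cart" and not self.items:
            raise BusinessRuleViolation("cart is empty")
        self.step = target
        return STEPS[self.step]


def expect_violation(action):
    """True if the action is refused with a BusinessRuleViolation."""
    try:
        action()
    except BusinessRuleViolation:
        return True
    return False


def run_abuse_cases():
    """Negative tests, one per abuse case. Returns {case: rule held?}."""
    results = {}
    c = Checkout()
    results["negative quantity rejected"] = expect_violation(lambda: c.add_item("book", -3))
    results["fractional quantity rejected"] = expect_violation(lambda: c.add_item("book", 0.5))
    results["over-stock quantity rejected"] = expect_violation(lambda: c.add_item("laptop", 3))

    c = Checkout()
    c.add_item("book", 1)
    c.apply_coupon("SAVE10")
    results["coupon reuse rejected"] = expect_violation(lambda: c.apply_coupon("SAVE10"))

    c = Checkout()
    c.add_item("book", 1)
    c.apply_coupon("BIG50")
    results["discount cannot make total negative"] = c.total() == Decimal("0.00")

    c = Checkout()
    c.add_item("book", 1)
    results["skipping to confirm rejected"] = expect_violation(lambda: c.advance("confirm"))
    results["unknown step rejected"] = expect_violation(lambda: c.advance("refund"))
    results["empty cart cannot leave cart step"] = expect_violation(lambda: Checkout().advance("address"))
    return results


def happy_path():
    """The legitimate flow still works: returns the final order total."""
    c = Checkout()
    c.add_item("book", 1)
    c.apply_coupon("SAVE10")
    for step in STEPS[1:]:
        c.advance(step)
    return c.total()


if __name__ == "__main__":
    for case, held in run_abuse_cases().items():
        print(f"{'PASS' if held else 'FAIL'}  {case}")
    print("happy path total:", happy_path())
```

Each entry in `run_abuse_cases` is the kind of "negative" acceptance criterion the message describes; written against the service layer it needs no browser, and the same cases could be phrased in natural language for a Cucumber-style runner with a thin step layer on top. The happy-path test sits beside them so that a rule fix which breaks the legitimate flow is caught in the same run.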

On Wed, Oct 23, 2013 at 7:20 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Hello folks,
> We just released a new cheatsheet, the business logic cheatsheet for
> developers. Kudos to Ashish Rao and David Fern for working on this together.
> https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
> Feedback is always appreciated.
> Aloha,
> Jim Manico
> OWASP Board Member
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders