[Owasp-leaders] Business Logic Cheatsheet

Jim Manico jim.manico at owasp.org
Thu Oct 24 11:52:30 UTC 2013


Sounds fair to me. Would you kindly jump into the cheat-sheet and make that edit? 

Thanks Mr. Fern.

- Jim

> I agree.
>  
> I perform automated functional invalid testing all the time and can automate anything given the time and resources.
>  
> But is it worth it?
> 
> However, I think that the spirit of the sentence is correct since the thought was "automated" security scanners in most cases will not find these business logic issues so a majority of this type of Pen Testing will be manual.
> 
> That said, how about something like:
> 
> "Business Logic testing uses many of the same testing tools and techniques used by functional testers. While a majority of Business Logic testing remains an art relying on the manual skills of the tester, their knowledge of the complete business process, and its rules, some testing can be automated using functional and security testing tools."
>  
> Any thoughts?
> 
> Thanks,
> David
>  
> 
> ________________________________
>  From: Erlend Oftedal <erlend.oftedal at owasp.org>
> To: Jim Manico <jim.manico at owasp.org> 
> Cc: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>; "Ashish Rao rao.ashish20"@gmail.com; dfern at verizon.net 
> Sent: Thursday, October 24, 2013 6:57 AM
> Subject: Re: [Owasp-leaders] Business Logic Cheatsheet
>   
> 
> 
> Would you mind simplifying this sentence?
> "Business Logic testing uses many of the same testing techniques used by functional testers the automation of business logic abuse cases is not possible and remains a manual art relying on the skills of the tester and their knowledge of the complete business process and its rules."
> 
> I may have misunderstood that sentence (which is why I'm hoping you can simplify it), but given my current understanding, I'm not sure I agree. Automatic detection is likely not possible due to lack of required knowledge of business rules, but there are ways of handling automated testing. Tools like Cucumber (http://cukes.info/) are tools intended to allow business to write acceptance criteria in natural language. This could easily be used to write "negative" test cases. Also automation of web browsers (like web driver) can be used to test for these things, or at least automate regression testing. Another alternative is automated testing of the service layer. It all depends on how well your code is rigged to support testing. 
> 
> Best regards,
> Erlend
>
> On Wed, Oct 23, 2013 at 7:20 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> Hello folks,
>>
>> We just released a new cheatsheet, the business logic cheatsheet for developers. Kudos to Ashish Rao and David Fern for working on this together.
>>
>> https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
>>
>> Feedback is always appreciated.
>>
>> Aloha,
>> Jim Manico
>> OWASP Board Member
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
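An added example (not code from the thread, the cheat sheet, or any OWASP project) of what Erlend describes: business-logic abuse cases written as automated negative tests against a service layer, runnable as regression tests. The OrderService, its catalogue prices and the rules it enforces are all constructed here for illustration.

```python
CATALOGUE_CENTS = {"widget": 1000, "gadget": 2500}   # constructed sample prices
class BusinessRuleViolation(Exception): pass   # raised when an abuse case is rejected

class OrderService:
    """Constructed service-layer checkout workflow: created -> paid -> shipped."""
    def __init__(self):
        self.orders = {}   # order_id -> {"total": cents, "state": str}

    def create_order(self, order_id, items):
        if not items:
            raise BusinessRuleViolation("order needs at least one item")
        for sku, qty in items.items():      # negative or zero quantity is an abuse case
            if sku not in CATALOGUE_CENTS or type(qty) is not int or qty <= 0:
                raise BusinessRuleViolation(f"bad line item {sku!r}: {qty!r}")
        total = sum(CATALOGUE_CENTS[s] * q for s, q in items.items())
        self.orders[order_id] = {"total": total, "state": "created"}
        return total

    def pay(self, order_id, amount_cents):
        order = self.orders[order_id]
        if order["state"] != "created" or amount_cents != order["total"]:
            raise BusinessRuleViolation("payment rejected")   # underpay or double pay
        order["state"] = "paid"

    def ship(self, order_id):
        order = self.orders[order_id]
        if order["state"] != "paid":        # skipping the payment step is an abuse case
            raise BusinessRuleViolation("cannot ship an unpaid order")
        order["state"] = "shipped"

# Negative (abuse) cases as plain callables; the service must reject every one.
ABUSE_CASES = {
    "negative quantity": lambda s: s.create_order("o2", {"widget": -3}),
    "ship before payment": lambda s: s.ship("o1"),
    "underpayment": lambda s: s.pay("o1", 1),
    "double payment": lambda s: (s.pay("o1", 2000), s.pay("o1", 2000)),
}

def run_abuse_cases():
    """Return {case: rejected?}; any False value is a business-logic regression."""
    results = {}
    for name, attempt in ABUSE_CASES.items():
        svc = OrderService()
        svc.create_order("o1", {"widget": 2})   # fresh fixture order for every case
        try:
            attempt(svc)
            results[name] = False
        except BusinessRuleViolation:
            results[name] = True
    return results
```

The same abuse cases can be driven through a browser or HTTP client instead of the in-process service; the rule set and the expected rejections stay the same.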
