[Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

Dave Wichers dave.wichers at aspectsecurity.com
Mon Nov 16 21:13:17 EST 2009

Regarding Business Logic flaws. Let me try to provide you my
definition/thoughts on this term, since people define it differently.

I understand that custom code is needed to enforce various types of
business rules, and so I would call this business logic. However, many
of the business rules that need to be enforced are related to access
control, for example:

* if a manager is allowed to access data about their immediate
subordinates, but not others outside their sphere of management, then it
probably requires custom code to enforce this. I would call this access
control, not 'business logic', even though it requires custom code to
enforce. (In this example, all managers would have access to the same
functionality, but not to the same set of data).

* if certain conditions must be met before an update to a particular
data element is allowed, this would be a business rule enforced with
custom code, but I would again call this an 'access control' decision
(i.e., is write allowed by this user under these conditions) and a flaw
for this would be an access control flaw (to me).

* if a customer can only withdraw $500 / day from the ATM, then this
would be a business logic rule. I wouldn't call this access control, so
a flaw in this mechanism would be a 'business logic flaw', to me.

My point is that most of the 'business logic' flaws that can occur in
applications really belong (in my opinion) in one of the existing Top 10
categories, rather than in a separate category called 'business logic'.

And this is why we have not strongly considered adding that type of
category of flaws to the OWASP Top 10.

Regarding your 2nd idea: Auditing.

I agree with you this is a major issue that deserves attention and focus
by most organizations, and agree most do this poorly. This particular
topic (in my opinion) was covered by the (now dropped) Error Handling
and Logging area. The reason it didn't make the list is that it doesn't
introduce as much risk as a direct flaw in the application, which all
the rest of the top 10 introduce.

We have spent a huge amount of effort in ESAPI to make good security
logging automatic within that library because we recognize its
importance, but we didn't feel it made it as a top 10 risk.


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of McGovern,
James F. (eBusiness)
Sent: Monday, November 16, 2009 10:05 AM
To: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec.

Any thoughts on:

- Business Logic Flaws: Not just about stealing credit card or other one
field attributes
- Bad Audit Practices: most folks don't get it right upfront and at
least should have the ability to use forensics after the fact. Mention
what should be in log

This communication, including attachments, is for the exclusive use of
addressee and may contain proprietary, confidential and/or privileged
information.  If you are not the intended recipient, any use, copying,
disclosure, dissemination or distribution is strictly prohibited.  If
you are not the intended recipient, please notify the sender immediately
by return e-mail, delete this communication and destroy all copies.
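The three rules from Dave's reply above (a manager reading only immediate subordinates, a conditional update, and the $500/day ATM limit), as an added Python example that is not part of the thread: the first two are enforced as data-level access control decisions, the third as a business rule, and every decision is written to an audit record. The org chart, account fields and audit-record shape are constructed assumptions, not anything from the list discussion.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample org chart: employee id -> manager id (None at the top).
ORG_CHART: Dict[str, Optional[str]] = {
    "ceo": None, "mgr_a": "ceo", "mgr_b": "ceo",
    "emp_a1": "mgr_a", "emp_a2": "mgr_a", "emp_b1": "mgr_b",
    "emp_a1x": "emp_a1",  # reports to emp_a1: skip-level for mgr_a, not immediate
}

# Audit trail of every decision, allowed or denied: who, what, which record, why.
AUDIT_LOG: List[dict] = []

def _audit(allowed: bool, requester: str, action: str, target: str, reason: str) -> bool:
    AUDIT_LOG.append({"allowed": allowed, "requester": requester,
                      "action": action, "target": target, "reason": reason})
    return allowed

def can_view_employee(requester: str, target: str) -> bool:
    """Access control on data: same function for all, but only own record + immediate reports."""
    if requester == target:
        return _audit(True, requester, "view", target, "self")
    if ORG_CHART.get(target) == requester:
        return _audit(True, requester, "view", target, "immediate report")
    return _audit(False, requester, "view", target, "outside span of management")

def can_update_salary(requester: str, target: str, review_signed: bool) -> bool:
    """Access control with a precondition: write only to an immediate report, only after sign-off."""
    if ORG_CHART.get(target) != requester:
        return _audit(False, requester, "update_salary", target, "not the manager")
    if not review_signed:
        return _audit(False, requester, "update_salary", target, "review not signed")
    return _audit(True, requester, "update_salary", target, "manager, review signed")

@dataclass
class AtmAccount:
    balance: int
    daily_limit: int = 500
    withdrawn_today: int = 0

def withdraw(acct: AtmAccount, amount: int) -> bool:
    """Business rule, not access control: holder is already authorised; this bounds how much per day."""
    if amount <= 0 or amount > acct.balance:
        return False
    if acct.withdrawn_today + amount > acct.daily_limit:
        return False
    acct.balance -= amount
    acct.withdrawn_today += amount
    return True
```

The skip-level entry `emp_a1x` shows the edge the reply points at: "immediate subordinates" is a stricter check than "anyone below me in the chart", and the audit record is what makes a denied decision reconstructable after the fact.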
