[Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec. Misconfig)

McGovern, James F. (eBusiness) James.McGovern at thehartford.com
Fri Nov 20 09:36:59 EST 2009

I fully agree with Steve regarding business logic flaws. I guess I also
would love to understand whether the crowd who feels it's less important
or wants to jam it in another category are looking through the lens of
automated pen testing vs. true risk.
-----Original Message-----
From: Steven M. Christey [mailto:coley at linus.mitre.org] 
Sent: Thursday, November 19, 2009 8:02 PM
To: Dave Wichers
Cc: McGovern, James F. (eBusiness); owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] Feedback on OWASP 2010 Top 10 (Sec.

On Mon, 16 Nov 2009, Dave Wichers wrote:

> My point is that most of the 'business logic' flaws that can occur in 
> applications really belong (in my opinion) in one of the existing Top 
> 10 categories, rather than in a separate category called 'business 
> logic flaws'.

For whatever it's worth, I think the same way about this... plus if
there's a problem that we still have to call a "business logic flaw,"
then in my book it means that maybe we don't fully understand the
underlying weakness yet (and maybe we never will, not any time soon
anyway.)  I don't know how to generally classify a rule like "a customer
can never buy an item at a negative price" so it's business logic, but
at one level it's an instance of "use of a negative number in an
always-positive context" which doesn't feel that far from the common
error in C of checking a signed, potentially-negative integer for a
maximum value to prevent integer overflows.

When Jeremiah Grossman started talking about business logic problems, I
believe that one of his main points was that issues like SQL injection,
XSS, etc. are "almost always wrong" regardless of what application
you're looking at, and in a sense they're easier to find.  But some key
problems can't be found without having specific knowledge of the domain
in which the software is operating.  Access control generally happens to
live in the domain-specific area.  You also usually need domain-specific
knowledge to determine whether CSRF is a feature or a vulnerability for
a particular function, but I wouldn't call either of these "business

- Steve
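Added example, not part of the mailing-list thread: the "a customer can never buy an item at a negative price" rule discussed above, written first as the unchecked cart total, then with the C-style mistake Steve compares it to (checking a signed value only against its maximum), and finally with both bounds enforced. The line-item structure, the per-line limit MAX_QTY and the sample cart are constructed for illustration and do not come from the original messages.

```python
"""Negative values in an always-positive context: the same underlying
weakness seen as a business rule (negative quantity or price becomes a
credit) and as the classic one-sided bounds check."""

from dataclasses import dataclass

MAX_QTY = 100  # assumed per-line quantity limit; not from the original page


@dataclass
class Line:
    sku: str
    unit_price_cents: int
    qty: int


def total_unchecked(lines):
    """Vulnerable: trusts client-supplied quantity and price as-is.
    A negative qty (or price) silently turns the line into a refund."""
    return sum(l.unit_price_cents * l.qty for l in lines)


def total_upper_bound_only(lines):
    """Still vulnerable: checks the signed quantity only against its
    maximum, the same shape as testing a signed int for 'n > MAX' before
    using it as a size. qty = -10 passes 'qty <= MAX_QTY'."""
    for l in lines:
        if l.qty > MAX_QTY:
            raise ValueError(f"{l.sku}: quantity above limit")
    return sum(l.unit_price_cents * l.qty for l in lines)


def total_checked(lines):
    """Hardened: every always-positive field gets a lower bound as well,
    so the 'business rule' and the generic sign check are one validation."""
    for l in lines:
        if not (1 <= l.qty <= MAX_QTY):
            raise ValueError(f"{l.sku}: quantity must be 1..{MAX_QTY}")
        if l.unit_price_cents <= 0:
            raise ValueError(f"{l.sku}: price must be positive")
    return sum(l.unit_price_cents * l.qty for l in lines)


# Constructed sample cart: one honest line and one with a negative quantity.
CONSTRUCTED_CART = [Line("book", 2500, 1), Line("pen", 300, -10)]


def demo():
    """Returns (unchecked total, upper-bound-only total, checked outcome)."""
    try:
        checked = total_checked(CONSTRUCTED_CART)
    except ValueError as e:
        checked = str(e)
    return (total_unchecked(CONSTRUCTED_CART),
            total_upper_bound_only(CONSTRUCTED_CART),
            checked)


if __name__ == "__main__":
    print(demo())
```

Both of the first two totals come out negative (the shop owes the customer money), and only the version that states the lower bound rejects the cart, which is the point of Steve's comparison: the rule reads as domain-specific, but the defect is a missing sign check.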
