At least in my personal experience, it is very common to talk with software developers who are familiar with application security concepts such as SQL Injection or XSS, but the same rarely happens when the conversation turns to Business Logic Flaws (also known as Security Design Flaws), even though they account for roughly half (about 50%) of all security problems.
The reasons behind this are not simple, but I would point to a few significant ones.
First of all, business logic flaws are not easy to describe, because in many cases they arise from the combination of several different things rather than from one isolated mistake.
One way of defining business logic flaws that I personally like is to describe what they are not. Security design flaws, or business logic flaws, are the security issues that automated tools cannot detect. In other words, they are specific to your business, they do not follow a generic risk pattern, and they must be found by auditing your application manually. Put another way, a design flaw is not located in one specific file and line of your code; it usually relates to the overall security architecture of the application, and the problem is spread across many points of the source code. Each of those points can look perfectly correct in isolation, and the flaw only appears when you compare what the code does with the behaviour the business intended. That is why its detection cannot be automated by looking at a single line.
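To make this concrete, here is an added example (constructed for this post, not code from any real project): a small e-commerce order flow in Python in which each function validates its own input correctly, yet the sequence of operations still lets a customer check out with a negative total. The catalogue, the coupon and all function names are hypothetical.

```python
# Added, constructed example: a business logic flaw spread across several
# functions that are each correct in isolation. Not code from the original post.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical catalogue and coupon data.
CATALOG: Dict[str, float] = {"BOOK": 40.0, "PEN": 5.0}
COUPONS: Dict[str, float] = {"SAVE20": 0.20}   # fraction of the subtotal


@dataclass
class Order:
    items: Dict[str, int] = field(default_factory=dict)  # sku -> quantity
    coupon: Optional[str] = None
    discount: float = 0.0   # absolute amount, frozen when the coupon is applied

    def subtotal(self) -> float:
        return sum(CATALOG[sku] * qty for sku, qty in self.items.items())


def add_item(order: Order, sku: str, qty: int) -> None:
    # Input validation here is fine: catalogue items only, positive integers.
    if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
        raise ValueError("invalid item or quantity")
    order.items[sku] = order.items.get(sku, 0) + qty


def update_quantity(order: Order, sku: str, qty: int) -> None:
    # Also fine in isolation: same checks as add_item.
    if sku not in order.items or not isinstance(qty, int) or qty <= 0:
        raise ValueError("invalid item or quantity")
    order.items[sku] = qty


def apply_coupon(order: Order, code: str) -> None:
    # Fine in isolation: known code, only one coupon per order.
    if code not in COUPONS or order.coupon is not None:
        raise ValueError("invalid coupon or coupon already applied")
    order.coupon = code
    # The design flaw: the discount is computed once, from the subtotal at
    # this moment, and never revisited although the order can still change.
    order.discount = round(order.subtotal() * COUPONS[code], 2)


def checkout_vulnerable(order: Order) -> float:
    # Nothing here looks wrong either; it simply trusts the stored discount.
    return round(order.subtotal() - order.discount, 2)


def checkout_fixed(order: Order) -> float:
    # Derive the discount from the order's state at payment time and enforce
    # the business invariant that a total can never be negative.
    subtotal = order.subtotal()
    rate = COUPONS[order.coupon] if order.coupon else 0.0
    discount = min(round(subtotal * rate, 2), subtotal)
    total = round(subtotal - discount, 2)
    if total < 0:
        raise ValueError("invariant violated: total must not be negative")
    return total


def build_abusive_order() -> Order:
    # Every call below passes its own validation; only the ordering is abusive.
    order = Order()
    add_item(order, "BOOK", 10)          # subtotal 400.00
    apply_coupon(order, "SAVE20")        # discount frozen at 80.00
    update_quantity(order, "BOOK", 1)    # subtotal now 40.00
    return order


if __name__ == "__main__":
    abusive = build_abusive_order()
    print("vulnerable total:", checkout_vulnerable(abusive))  # -40.0
    print("fixed total:", checkout_fixed(abusive))            # 32.0
```

No single line is the vulnerability: add_item, update_quantity and apply_coupon are each correct on their own, there is no injection payload for a scanner or a WAF to match, and the abuse consists of perfectly valid requests sent in an order the business did not anticipate. The fix is not a patch to one line but a design decision: compute the discount from the order's final state and enforce the invariant that a total never drops below zero.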
Secondly, business logic flaws are not properly covered by the security market, and that is why many people in the industry do not talk about them. For instance, if your application security strategy relies only on Application Security Testing (AST) tools, bear in mind that you are detecting only about half of the problem: those tools do not find security design flaws or business logic flaws.
If you are using protection solutions such as a Web Application Firewall (WAF), keep in mind that most of them are designed or configured to block specific, well-known attack patterns, and business logic flaws do not match any of those patterns because each abusive request looks like a legitimate one. So it is very common to find production environments protected by a WAF that remain vulnerable to that other half of the risks.
So, if this is the first time you hear about this kind of risk, take a look at the Top 10 Security Design Flaws recently published by the IEEE Computer Society; it will give you a good overview of what we are talking about.
In the following posts we will present some protection design patterns against each item of this new Top 10.