Detect business logic vulnerabilities during development with ShiftLeft Ocular

ShiftLeft Ocular is the only vulnerability analysis solution that can detect business logic vulnerabilities during development time, reducing the attack surface before production. It is free to download with a 14-day trial.

Business logic vulnerabilities — the last bastion

Every software code base is unique, and so is its business logic; legacy application security testing (AST) tools, however, have historically been designed to ignore this uniqueness (one size fits all). These tools apply generic rules to every code base and consequently miss critical business logic vulnerabilities that are unique to an application.

Legacy vulnerability tools don’t help with business logic vulnerabilities

As of now, the only way to detect business logic vulnerabilities is to manually review code, hire pen-testers or conduct a bug bounty program. More often than not these vulnerabilities go undetected, and expensive tools such as bot protection, account takeover protection, etc. are used to mitigate their impact in production.

ShiftLeft Ocular — How does it work?

Ocular works by creating a graphical representation of the entire code base. A security researcher, code auditor or developer can query this graph to assert valid business logic flows. Any violation of these assertions is flagged as a business logic vulnerability or flaw. Once written, these queries can be automated as policies and run as automated tests in a CI/CD pipeline.

ShiftLeft Ocular understands the uniqueness of your applications

Ocular Use cases

Ocular can detect the majority of business logic vulnerabilities including privilege escalation, critical parameter manipulation, cookie tampering, business logic bypass, backdoors, business flow bypass, identity extraction, sensitive data leak, denial of service, weak encryption/validation, etc.

Here is a specific example of how Ocular can be used to detect denial of service conditions within the business logic of an application.

Security regression testing

Once a query has been created to identify a business logic vulnerability unique to your business, Ocular can be used for automated security regression testing in CI/CD, preventing violations of company business logic and the reintroduction of previously fixed vulnerabilities.

Top use cases for ShiftLeft Ocular

Expanding AppSec’s Business Logic Toolkit

Today, the only scalable ways to find business logic vulnerabilities are penetration testing and bug bounty programs. While bug bounty programs should be a part of a secure SDLC, there are 3 gaps that Ocular can help fill:

  1. Testing earlier in the SDLC, in development, when fixing vulnerabilities is most efficient
  2. Automating discovery of business logic vulnerabilities during development
  3. Regression testing

Finding the business logic flaws behind these vulnerabilities before they reach production therefore fundamentally reduces the attack surface that must later be discovered and protected.

A major financial tech company recently discovered 9 zero-day vulnerabilities, including 5 business logic vulnerabilities, in just three weeks. Another major healthcare company discovered critical business logic vulnerabilities that allowed sensitive PII to be leaked.

As with all aspects of application security, measures should be taken in all major stages of the SDLC. Only now with Ocular is that possible for business logic vulnerabilities. To find business logic vulnerabilities in your source code, please download a trial of Ocular here.


Detect business logic vulnerabilities during development with ShiftLeft Ocular was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.


*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Alok Shukla. Read the original post at: https://blog.shiftleft.io/detect-business-logic-vulnerabilities-during-development-with-shiftleft-ocular-44b1e463104d?source=rss----86a4f941c7da---4