Understanding Business Logic Assessments

Introduction

Business Logic Assessments (BLAs) are manual assessments performed by Threat Research Center[1] engineers for application security vulnerabilities that cannot be tested effectively in an automated fashion. BLAs are intended to complement the automated testing of our Sentinel service; an annual BLA is included in our PE service, and a BLA can also be purchased independently.

Scope

Web applications that use the Hypertext Transfer Protocol (HTTP) at the application layer over a Transmission Control Protocol (TCP) transport are eligible for Business Logic Assessments. (The application must also be accessible via a web browser.) BLA coverage extends beyond the base application URL to include any associated host names (URLs) provided by the client. Complete functionality coverage for one user access level per application is included with a BLA; any additional user access levels (roles) that are provided will be covered only for specific vertical and horizontal authorization tests. The user role with the highest level of access will be used for the full functionality testing, unless the client specifies otherwise.