Understanding Business Logic Assessments


Introduction

Business Logic Assessments (BLAs) are manual assessments in which Threat Research Center engineers look for application security vulnerabilities that cannot be tested effectively by automated means. BLAs are intended to complement the automated testing of our WhiteHat service. An annual BLA is included as standard in our PE service. Additional BLA licenses can be purchased separately for both PE and SE assets.

Scope

Web applications that use Hypertext Transfer Protocol (HTTP) at the application layer over a Transmission Control Protocol (TCP) transport layer are eligible for Business Logic Assessments. (The application must also be accessible via a web browser.) BLA coverage extends beyond the base application URL to include any associated host names (URLs) that you provide. Complete functionality coverage for one user access level (role) per application is included with a BLA; any additional user access levels that you provide are covered only for specific vertical and horizontal authorization tests. The user role with the highest level of access is used for the full functionality testing unless you specify otherwise.

Next, see Utilizing Business Logic Assessments to learn how to provide site credentials, schedule a BLA, and review any vulnerabilities that were identified.