Scheduling a BLA and Accessing Results

This article summarizes how to authorize and schedule a Business Logic Assessment (BLA) and access the results in the Continuous Dynamic Portal. During a BLA, engineers in the Black Duck Threat Research Center (TRC) assess your web application for vulnerabilities in its business logic.

BLA availability depends on your chosen DAST service level. If you have purchased the Premium Edition (PE) service, you are entitled to one annual BLA for each site covered under the PE license. Additional BLAs for PE sites can be purchased separately at any time.

For sites covered under the Standard Edition (SE) service level, you can purchase a standalone BLA license for each SE site. Contact your Black Duck sales representative for more information.

Business Logic Assessment Setup Process

For additional details on any of the following topics, see Site Services Tab.

1. Provide credentials for your BLA

First, you need to provide dedicated credentials for Black Duck TRC engineers to use when they carry out your BLA. To ensure a comprehensive assessment, you must provide credentials at a level of authorization that corresponds to the level of functionality you want our engineers to test. For example, to enable all site functionality to be tested, provide credentials with the highest level of authorization.

Self-service provisioning of BLA credentials is only available for sites covered under a PE license. If you are using a standalone BLA license, contact your Black Duck representative to ensure that appropriate credentials are available for the BLA.

2. Schedule your BLA

After providing BLA credentials, the next step is to schedule your BLA.

To ensure that major changes to the site are reviewed promptly, Black Duck recommends scheduling your BLA:

  • To take place within the first six months of your contract, or as best suits your business processes.

  • Within the license period.

  • As soon as possible, to ensure availability of engineers.

BLAs are assigned to one-week blocks. When you schedule a BLA in the Continuous Dynamic Portal, available dates for TRC engineers to perform the assessment are shown in blue.

After you schedule a BLA for a site, the BLA details appear on the Site Services tab. If needed, you can reschedule a BLA that has not yet started from the same area of the Portal where you scheduled it.

If you would like to provide documents for the TRC engineers' reference, please create a case for our Technical Support team.

3. Review identified vulnerabilities

Once your BLA is complete, it is important to review the vulnerabilities that were identified in the assessment.

To view the completed BLA, go to the asset details page for the site and then select the Site Services tab. The completed BLA is listed.

  • To see a list of associated vulnerabilities, click View BLA Verified Vulnerabilities.

  • To generate a report of the vulnerabilities, click Generate Report.

  • To see details about a given vulnerability, select the specific vulnerability ID.

Site vulnerability details include the class and location, as well as the level of risk the vulnerability might pose. From the vulnerability details screen, you can review a summary description of the vulnerability and recommendations for remediation.

You can use the "Ask a Question" feature to ask the TRC engineers a question about a particular finding from a BLA. This helps ensure you understand the nature of the vulnerability, the risk it poses, and how best to remediate it.

For more information on reviewing the identified BLA-related vulnerabilities, see Reviewing the Completed Business Logic Assessment.

For more information on understanding the Vulnerability Details page, see The Vulnerability Detail Screen: Sites.
