Utilizing Business Logic Assessments
If you prefer to read the entire Understanding Business Logic Assessments section in PDF format, you can view or print here.
All sites covered under a Premium Continuous Dynamic license may receive one annual Business Logic Assessment (BLA). Additional BLAs may be purchased separately. You may also purchase a standalone BLA license for a site that is covered under Continuous Dynamic SE (standard dynamic application security testing). If you would like to purchase Business Logic Assessments, please contact Black Duck.
For additional details on any of the following topics, see Site Services Tab.
Credentialing
In order for a full BLA to be performed, you must provide credentials that will allow the engineers in the Threat Research Center to access your site at the highest level of authorization you want to be tested. To ensure that the site is fully tested, provide credentials with the highest level of authorization available. For more details, see Adding, Editing, or Disabling Business Logic Assessment Credentials.
Self-service credentialing is available only for sites covered under a Premium (PE) license. If you want to use a standalone license for a site covered under a Standard (SE) license, contact your Black Duck representative to ensure appropriate credentials are available for the BLA.
Scheduling your BLA
To ensure that major changes to the site are reviewed promptly, Black Duck recommends scheduling your BLA within the first six months of your contract, or as best suits your business processes.
You can schedule your BLA for any week within your license period in which the TRC Business Logic Analysts are available. We recommend scheduling your BLA early to ensure availability. If there are documents you would like to provide for the Business Logic Analysts' reference, create a case for our Technical Support department.
If necessary, you can reschedule a BLA that has not yet started, using the same interface you used to schedule it. Once your BLA is scheduled, it appears in the Continuous Dynamic interface on the asset details page for the site in question.
For more details on scheduling your BLA, see Scheduling a Business Logic Assessment.
Reviewing identified vulnerabilities
Once your BLA has been completed, it is important to review the vulnerabilities that were identified.
To view the completed BLA, go to the asset details page for the site and then select the Site Services tab. The completed BLA is listed.
- To see a list of associated vulnerabilities, click View BLA Verified Vulnerabilities.
- To generate a report of the vulnerabilities, click Generate Report.
- To see details about a given vulnerability, select the specific vulnerability ID.
Site vulnerability details include the vulnerability class and location, as well as the level of risk the vulnerability might pose. From the vulnerability details screen, you can review a summary description of the vulnerability and recommendations for remediating it.
You can also use the "Ask a Question" feature to ask a question directly of the Threat Research Center engineers. This helps ensure you understand the nature of the vulnerability, the risk it poses, and how best to remediate it.
For more information on reviewing the identified BLA-related vulnerabilities, see Reviewing the Completed Business Logic Assessment.
For more information on understanding the Vulnerability Details page, see The Vulnerability Detail Screen: Sites.
Next, learn more about our proprietary BLA methodology.