Seize a Competitive Advantage – Or Don't Compete!

Business Logic Definition – Meaning – Example – Flaws

What Is Business Logic

Business LogicBusiness logic in programming is using custom rules to handle the exchange of information between a database and user interface. Business logic is essentially the part of a computer program that contains the information in the form of business rules.  These rules define or constrain how a business operates. Such business rules are operational policies that are usually expressed in true or false binaries. Business logic can be seen in the workflows that they support.  Namely, sequences or steps that specify in detail the proper flow of information or data, and therefore decision-making. Business logic is also known as “domain logic.”

These algorithms serve as the foundation of code in business software.  They can be seen in the workflows that they support.  They sequence the steps that specify in detail the proper flow of information or data.  Business logic exists at a higher level than the type of code that is used to maintain basic computer infrastructure.

Business Logic – A Deeper Look

Put another way, business logic is real-world business rules put into computer code.  The rules then show in a computer program via a user interface. It is most evident in regulating workflows that pass data between users and software systems. This is because it determines how data may be shown, stored, created, and altered. Business logic provides a system of rules that guides how business objects work with one another.  Objects are parts of software that control how data is transported.

Business rules and logic also guide how objects within the software are accessed and updated. It exists at a higher level than the type of code that is used to maintain basic computer infrastructure.  For example, how a database is displayed to a user or as a basic system infrastructure. The algorithms involved perform behind-the-scenes data processing that is invisible to the user.  However, it is critical to keeping things running smoothly in a modern economy.

(Source: investopedia.com)

Business Logic vs Business Rules

Specific business rules are useless without logic to determine how data is calculated, changed, and transmitted to users and software. Without business rules to create a framework, logic cannot exist. Business logic is any part of a business enterprise that makes up a system of processes and procedures.  Anything else is an example of a business rule.

However, this logic is often mistaken for something that encapsulates the business rules implemented in a system. There is an important difference between the two. Business rules are a formal expression of business policy.  However, business logic determines how this policy is implemented as a process. For example, the application of VAT on invoices is a business rule.  But, the calculations involved in applying it are implemented as business logic.

But, the separation between business logic and other parts of the system is not necessarily that clear. Many business rules need to be implemented across more than one-tier. For example, a business rule that dictates that negative figures should always be presented on financial reports.  This rule affects both data processing and report writing, i.e. presentation and business logic. This is one of the drawbacks of tiered or layered architectures that seek to isolate business logic into a separate tier. It can be difficult to meaningfully segregate functions into a self-contained tier.  Of course, this depends on the type of processing that is being carried out. Over the long term, business logic often leaks across tier boundaries.  The result is that business rules become scattered across a system. This gives rise to anti-patterns, where any change in a business file requires numerous changes in different parts of the system.

(Source: ben-morris.com)

The dangers of conceptual architecture

Separating a system into conceptual layers or tiers can give rise to inflexible solutions. Many-layered architectures solve every single problem in exactly the same way.  That is, you accept user input on a presentation layer, then apply some rules in a business logic layer. The problem with this kind of generic solution is that it is a mistake to imagine that system architecture can be abstracted from infrastructure. You can’t consider the conceptual design of a system without also considering how it will be deployed.  You must also take into account the strategies around scaling and resilience.

This is where layered applications often come unstuck. The interfaces between each layer tend to be relatively chatty.  They pass data around in small chunks so they can struggle to distribute processing. The system tends to be inefficient.  This is because much of the work being done involves transferring data between layers rather than implementing business rules. The use of single, generic processing routes encourages systems to be orientated around a centralized database that can become a bottleneck at scale.

(Source: ben-morris.com)

Business Logic Example

Take, for example, a credit card issuer.  Their business logic may specify that out-of-state credit card transactions above a certain limit must be flagged as suspicious.  A limit of $400 is imposed and the issuer is to be contacted as soon as possible.  This is to confirm the authenticity of the transaction. The policy of flagging such a transaction is an example of a business rule.  However, the actual process of flagging the transaction is an example of business logic. Millions of credit card transactions are conducted every single day.  Business logic enables such transactions to be checked and processed in an efficient and timely manner.

Business Logic Vulnerability

Most security problems are weaknesses in an application resulting from a broken or missing security control.  The weakness could be a result of authentication, access control, input validation, etc. By contrast, business logic vulnerabilities are ways of using the legitimate processing flow of an application.  However, they are used in a way that results in a negative consequence to the organization. For example:

  • Deadlines – Purchase orders that are not processed before midnight.
  • Authorization – The written authorization is not on file before web access is granted.
  • Established limits – Transactions in excess of $1000 are not reviewed by a person.

Many articles describe business logic problems simply by taking an existing and well-understood web application security problem and discuss the business consequence of the vulnerability. True business logic problems are actually different from the typical security vulnerability. Here are some examples of problems that are not business logic vulnerabilities:

  • Performing a denial of service by locking an auction user’s account
  • Posting unvalidated input publically
  • Cracking MD5 hashes
  • Brute forcing a password recovery scheme

Too often, the logic category is used for vulnerabilities that can’t be scanned automatically. This makes it very difficult to apply any kind of categorization scheme. Logic problems are different from authentication problems and every other category. There are many significant business logic vulnerabilities, but they are far less common.  A nice rule-of-thumb is this: if you need to truly understand the business to understand the vulnerability, you might have a business-logic problem on your hands. If you don’t understand the business, you can’t see logical flaws.

(Source: owasp.org)

Business Logic Flaws

Business Logic Flaws, also known as Security Design flaws, represent about 50% of security problems.  It is not easy to understand why such a significant proportion of security issues go unnoticed.  But, there are many reasons for this.

Not easy to describe

First of all, they are not easy to describe.  This is because in many cases they are based on a combination of different things. Probably the best way to define business logic flaws is to describe what they are not about. Security design flaws or business logic flaws are security issues that cannot be detected by tools such as ASTs. In other words, they are business specific and do not follow a specific pattern of risk and therefore they have to be detected by auditing the applications manually. A slightly different description could be that design flaws are not located in a specific file and line of your code. Instead, these kinds of issues are more related to the general security architecture of the application.  As a result, the problem is spread over many areas of the source code. Therefore the detection of logic flaws cannot be automated.

Not easy to detect

Secondly, the impossibility of detecting these issues makes them unattractive to most of the security industry.  This leads to a lack of awareness of these risks as they are rarely mentioned by the big companies. Therefore, an application security strategy that is only based on Application Security Testing tools (AST), will only detect 50% of the problem.  This is because these tools are unable to detect any issue related to security design flaws or logic flaws.

The issues are similar when using protection solutions such as Web Application Firewalls (WAF). We should take into account that many of them are only designed or configured to protect against some specific common attack patterns.  Unfortunately, logic flaws are not included in those patterns. So, it is very common to have production environments protected by WAFs that are vulnerable to 50% of risks.

(Source: hdivsecurity.com)

Final Words

It can be difficult to precisely define what this business logic really means. The logic layer can become a generic bucket for processing that does not fit into the presentation and data tiers. Anything that involves some kind of transformation or workflow just gets dropped into the tier by default.  The processing that happens in “business logic” is an important part of systems.  But, putting it into a single conceptual tier may result in generic solutions that can’t scale and are difficult to change. Once you start trying to unpack the logic it’s often easy to identify concerns that would benefit from a more specific implementation.

The likelihood of logic problems really depends on the circumstances. First, you need to evaluate the threat agents who could possibly exploit the problem.  Then you need to decide whether it would be detected.  This takes a strong understanding of the business. The vulnerabilities themselves are often quite easy to discover and exploit without any special tools or techniques. Flaws are often the most critical in terms of consequences.  Especially when they are deeply tied into the company’s process.

Up Next: Day Trading For Beginners – What Is A Day Trader

Day trading is simply buying a stock or security, then, quickly selling or closing out the position.  Usually, the position is closed within a single trading day.  Ideally, a day trader wants to “cash-out” by the end of each trading day.  They want no open positions to avoid the risk of losses by holding security overnight.  Day trading is not for everyone and carries significant risks. It requires an in-depth understanding of how the markets work and various strategies for profiting in the short term.  Short term profits require a very different approach compared to traditional long term, buy and hold investment strategies.

 

Leave a comment

Your email address will not be published.