Business logic flaws are application vulnerabilities that result from faulty application logic. These flaws are very different from technical vulnerabilities such as cross-site scripting (XSS) and SQL injection (SQLi) because they are specific to an application and the business domain.
Traditional static application security testing (SAST) cannot detect business logic flaws because it does not understand the unique aspects of your code, such as business domain workflow, logic of the programmer, and the ways in which the business logic can be tampered with or bypassed.
Hard-coded usernames, passwords, tokens, API keys, and other secrets in the source code are an increasingly common security risk. NextGen Code Analysis can easily detect these literals as soon as the pull request is created to prevent them from going into production. Now, it’s one thing to grep for these patterns, but grep alone will cause false positives because there are legitimate use cases, such as authentication, where secrets are needed. So it’s crucial to understand whether the secrets are mishandled in the application in order to identify issues.
Data leakage is one of the fastest-growing problems in AppSec. PII data, encryption keys, social security numbers, and financial information are all prized targets. ShiftLeft identifies, classifies, and maps all critical data flows across your applications and microservices to determine improper data handling and leakage. It does this not by looking for values on the wire, for that would be too noisy. Instead, it uses variable names in code to identify sensitive data.
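The idea of classifying data by variable name and then following it to a leak point can be sketched with Python's standard `ast` module. This is an added example, not ShiftLeft's code or algorithm; the name patterns, the sink list, and the sample function are assumptions made up for illustration, and the propagation is a deliberately simple, flow-insensitive pass over plain assignments.

```python
import ast
import re

# Assumptions of this sketch: the name patterns and the sink list are illustrative.
SENSITIVE = re.compile(r"ssn|passw(or)?d|secret|token|api_?key|card_?num", re.I)
SINKS = {"print", "debug", "info", "warning", "error"}

# Constructed sample input, not taken from any real application.
SAMPLE = '''
def register(user, ssn, password):
    record = {"user": user, "ssn": ssn}
    logger.info("new user %s", user)
    logger.debug("payload=%s", record)
    store(hash_pw(password))
    masked = "***"
    print(masked)
'''

def call_name(call):
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def names_in(node):
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def find_leaks(source):
    """Return sorted (line, sink, variable) tuples for sensitive data reaching a sink."""
    findings = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        nodes = list(ast.walk(func))
        # Seed: parameters and variables whose names look sensitive.
        tainted = {n.arg for n in nodes if isinstance(n, ast.arg) and SENSITIVE.search(n.arg)}
        tainted |= {n.id for n in nodes if isinstance(n, ast.Name) and SENSITIVE.search(n.id)}
        changed = True
        while changed:  # flow-insensitive propagation through plain assignments
            changed = False
            for n in nodes:
                if isinstance(n, ast.Assign) and names_in(n.value) & tainted:
                    new = {t.id for t in n.targets if isinstance(t, ast.Name)} - tainted
                    tainted |= new
                    changed = changed or bool(new)
        for n in nodes:
            if isinstance(n, ast.Call) and call_name(n) in SINKS:
                for arg in n.args:
                    findings.update((n.lineno, call_name(n), v) for v in names_in(arg) & tainted)
    return sorted(findings)

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
```

Only the `logger.debug` call is reported: `record` never had a sensitive name itself, but it was built from `ssn`. Passing `password` to the hashing helper is not flagged, which is the difference between finding where sensitive data is mishandled and grepping for where it appears.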
Modern software development architectures make applications particularly vulnerable to insider attacks due to their complexities and dependencies. NG SAST helps detect insider attacks such as logic bombs, rootkits, secret inputs, and security misconfigurations.
Regulations such as GDPR and CCPA require organizations to secure sensitive data ranging from financial information to web browsing history. NG SAST can identify and help ensure that regulated information is properly secured in your applications.
By bypassing the normal logic flow of an application, an attacker can make the application do things it was not intended to do. These include elevated permissions through authorization bypasses and accessing sensitive information through insecure direct object references (IDORs). ShiftLeft’s Code Property Graph can map the end-to-end flows within an application and help find any conditions that lead to logic flow bypass.