Flawed business logic + flawed business processes = security risk

February 10, 2010

Running and managing a secure information architecture requires good business processes that reflect sound business logic and rules, along with security controls such as strong authentication, SSL, proxy servers, etc. Many businesses have some type of Internet presence, most conducting some form of B2B/B2C transactions, with a few businesses moving towards cloud computing. Flawed business logic integrated into the processes of such businesses can prove risky and pay high dividends for hackers.

Here is an example of a process designed from flawed business logic.

In 2007 a woman was accused of scamming QVC out of US$412,000 by exploiting a flaw in its business logic. She placed orders for 1,800 items with the home-shopping network and then canceled the orders on its Web site. She received credit for returning the merchandise, but the items were sent to her anyway and she sold them on eBay.

Without knowing all the details of the transaction, one can still say that a business rule verifying and validating that the user was allowed to do what she was requesting could have been incorporated into the process for cancelling orders. Rather than just processing such a request, design a process incorporating a simple business rule that only a manager can approve such a request on an order with a dollar value or item count of more than 123 or XYZ. Another process could have been designed based on a business rule that verifies and validates the shipment of the merchandise and the receipt of the returned merchandise, and only then applies the credit.
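The two rules above, sketched as an added example (not code from the original post or from any retailer's systems). The thresholds, the "manager" role name and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum, auto

# Assumed thresholds; the post leaves the real values open ("123 or XYZ").
MAX_VALUE = 500.00
MAX_ITEMS = 5

class State(Enum):
    PLACED = auto()
    SHIPPED = auto()
    RETURN_RECEIVED = auto()
    CANCELLED = auto()

class RuleViolation(Exception):
    """A request that breaks a business rule."""

@dataclass
class Order:
    owner: str
    total: float
    item_count: int
    state: State = State.PLACED
    credited: bool = False

def ship(order):
    # Fulfilment reads the same order state as the web site: cancelled orders never ship.
    if order.state is not State.PLACED:
        raise RuleViolation(f"cannot ship an order in state {order.state.name}")
    order.state = State.SHIPPED

def receive_return(order):
    if order.state is not State.SHIPPED:
        raise RuleViolation("no shipped goods to receive back")
    order.state = State.RETURN_RECEIVED

def cancel_and_credit(order, requester, approver_role=None):
    """Apply the credit only if every rule holds; returns the amount credited."""
    if requester != order.owner:
        raise RuleViolation("requester is not allowed to cancel this order")
    if order.credited:
        raise RuleViolation("order was already credited")
    large = order.total > MAX_VALUE or order.item_count > MAX_ITEMS
    if large and approver_role != "manager":
        raise RuleViolation("manager approval required for this order size")
    if order.state is State.SHIPPED:
        raise RuleViolation("credit waits until the returned goods are received")
    if order.state is State.PLACED:
        order.state = State.CANCELLED
    order.credited = True
    return order.total
```

Because the credit and the shipment both depend on one shared order state, the sequence "cancel, receive credit, still receive the goods" has no valid path through these functions.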

For a business model such as QVC's, sound logic would require that both systems, telecommunication and web, interface for a crosswalk of authentication/validation, transactions, etc. Such a design would sustain the capability of modeling business processes to be consistent with business rules and logic, so that they inherently handle such scenarios. It would also support B2B business process concepts, including public and private processes, in addition to the ability to apply business logic in the sequence of steps required in exception handling, transactions, and compensation.

Business logic and rules drive the modeling of processes that manage risk, reduce redundancy and support efficiency. Expanding the scope of analysis and design of business processes to ensure sound logic and good business rules are embedded enables the organization to adjust to internal, B2B and B2C business circumstances. It is imperative that the business people understand the logic and procedures themselves. In connecting to the systems of business partners and suppliers, have a ready-made process scheme for exchanging credentials and granting permissions based on business logic and rules. The same applies to granting access to all parts of a Web site – design a process that is subject to rules that govern what authority the user has in specific situations.
