Logic Errors and Best Practices for Preventing Them

Oct 11, 2018
Jerry Gamblin
Director of Security Research at Kenna Security

Share with Your Network

By now you’ve undoubtedly heard about the Facebook breach. I’ve published an article in Dark Reading that goes into detail on what happened at Facebook and my views on the important lessons we can learn in our efforts to catch and fix these vulnerabilities before hackers do. Here’s a quick synopsis. I hope you will read the full article.

Facebook had a logic error, the result of human error where code allowed a user to take an action that gave them access far beyond what the developer who wrote the code originally intended. This error was then identified and exploited. Unfortunately, these types of errors are extremely difficult to find as it takes human ingenuity to identify the error another human made. And they can be extremely damaging. In combatting these types of errors, I recommend three stages of review beginning with a development team that starts the process thinking about security. Then, build quality assurance teams that know how the app should function and include a few people who think like hackers. Finally, establish meaningful bug bounty programs that offer compensation in line with the internal importance of the app as well as external markets. Read the full article for more detail.

Read the Latest Content

Research Reports

Prioritization to Prediction Volume 5: In Search of Assets at Risk

The fifth volume of the P2P series explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities.

5 Things Every CIO Should Know About Vulnerability Management

If you view vulnerability management (VM) as just a small part of your operation, it might be time to take another look.  Managing vulnerabilities is...



Get Started Using the Exploit Prediction Scoring System (EPSS).

Cyentia Institute’s Chief Data Scientist and Founder Jay Jacobs gives tips on how to get started using the Exploit Prediction Scoring System (EPSS). You...

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.