Prevention

Published 2024-10-11 20:34:03

You can prevent application logic errors by performing tests to verify that the application’s logic is working as intended. This is best done by someone who understands both the business requirements of the organization and the development process of the application. You’ll need a detailed understanding of how your application works, how users interact with each other, how functionalities are carried out, and how complex processes work.

Carefully review each process for any logical flaws that might lead to a security issue. Conduct rigorous and routine testing against each functionality that is critical to the application’s security.

Next, prevent broken access control with a combination of countermeasures. First, implement granular access control policies on every file and action in the system, and deny anything the policy does not explicitly allow. The code that enforces those policies should itself be audited for bypasses, and a penetration test can probe both the policy and its implementation for holes. Verify that the policies actually express the intended rules. Also make sure that every way of reaching a service enforces the same access control: it should not matter whether the application is used from a mobile client, a desktop browser, or an API endpoint. The same authentication and authorization requirements, such as MFA for sensitive actions, must apply at each individual access point, or an attacker will simply use the weakest one.
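The following is an added example, not code from the book or from any application it discusses. It shows the two ideas above together: a single, deny-by-default authorization decision point that every channel (web, mobile, API) must call, and a routine test that catches a channel whose checks have drifted from it. All names here (Principal, Resource, authorize, the invoice policy, and the three channel handlers) are hypothetical; the legacy API handler is deliberately written with an incomplete check so the test has something to find.

```python
# Added example, not from the book or any product it discusses. All names are
# hypothetical and exist only to illustrate one central authorization decision
# point that every access channel must call.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool = False   # whether this session completed an MFA step


@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: str


Rule = Callable[[Principal, Resource], bool]


def owner_only(p: Principal, r: Resource) -> bool:
    return r.owner_id == p.user_id


def anyone(p: Principal, r: Resource) -> bool:
    return True


# Granular policy: (resource kind, action) -> {role: rule}. Anything not listed
# is denied, so a newly added action stays closed until a rule is written for it.
POLICY: Dict[Tuple[str, str], Dict[str, Rule]] = {
    ("invoice", "read"):   {"user": owner_only, "admin": anyone},
    ("invoice", "export"): {"user": owner_only, "admin": anyone},
    ("invoice", "delete"): {"admin": anyone},
}

# Sensitive actions that additionally require a completed MFA step, on every channel.
MFA_REQUIRED = {("invoice", "export"), ("invoice", "delete")}


class Denied(Exception):
    pass


def authorize(p: Principal, action: str, r: Resource) -> None:
    """The single decision point. Raises Denied; handlers never re-implement this."""
    rules = POLICY.get((r.kind, action))
    if rules is None:
        raise Denied(f"no policy for {action} on {r.kind}")
    if not any(role in rules and rules[role](p, r) for role in p.roles):
        raise Denied(f"{p.user_id} may not {action} {r.kind}")
    if (r.kind, action) in MFA_REQUIRED and not p.mfa_verified:
        raise Denied(f"{action} on {r.kind} requires MFA")


# Three channels for the same operation. The web and mobile handlers call
# authorize(); the legacy API handler does its own ownership check and forgets
# MFA, which is exactly the cross-channel inconsistency the text warns about.
def web_export(p: Principal, inv: Resource) -> str:
    authorize(p, "export", inv)
    return f"export:{inv.owner_id}"


def mobile_export(p: Principal, inv: Resource) -> str:
    authorize(p, "export", inv)
    return f"export:{inv.owner_id}"


def legacy_api_export(p: Principal, inv: Resource) -> str:
    if "admin" not in p.roles and inv.owner_id != p.user_id:   # ownership only, no MFA
        raise Denied("not owner")
    return f"export:{inv.owner_id}"


Channel = Callable[[Principal, Resource], str]
CHANNELS: Dict[str, Channel] = {
    "web": web_export, "mobile": mobile_export, "legacy_api": legacy_api_export,
}


def expected_verdict(p: Principal, action: str, r: Resource) -> str:
    """What the policy says: 'allow' or 'deny'."""
    try:
        authorize(p, action, r)
        return "allow"
    except Denied:
        return "deny"


def channel_verdict(channel: Channel, p: Principal, r: Resource) -> str:
    try:
        channel(p, r)
        return "allow"
    except Denied:
        return "deny"


def find_inconsistent_channels(channels: Dict[str, Channel],
                               p: Principal, r: Resource) -> List[str]:
    """Routine test: names of export channels whose verdict differs from the policy."""
    expected = expected_verdict(p, "export", r)
    return sorted(name for name, ch in channels.items()
                  if channel_verdict(ch, p, r) != expected)


if __name__ == "__main__":
    # Constructed sample: the invoice owner, logged in without MFA.
    alice_no_mfa = Principal("alice", frozenset({"user"}), mfa_verified=False)
    invoice = Resource("invoice", owner_id="alice")
    print(find_inconsistent_channels(CHANNELS, alice_no_mfa, invoice))  # ['legacy_api']
```

Run this kind of check as part of the regular test suite, once per (principal, action, resource) combination you care about, and it will flag any handler that quietly stops calling the central decision point. The important design choice is that handlers raise on denial and never return a partial result, so a forgotten check fails loudly in the test rather than silently allowing the request.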
