
Include business logic in the scope of system testing.


CONTROL ID
12622
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system testing procedures., CC ID: 11744

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Robust System Security Testing, in respect of critical e-banking systems, needs to incorporate, inter-alia, specifications relating to information leakage, business logic, authentication, authorization, input data validation, exception/error handling, session management, cryptography and detailed lo… (Critical components of information security 11) c.32., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A methodology for system testing should be established. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions. (§ 6.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Verify that the application will only process business logic flows for the same user in sequential step order and without skipping steps. (11.1.1, Application Security Verification Standard 4.0.3, 4.0.3)