This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Cornucopia - Ecommerce Website - AT 2

From OWASP
Revision as of 15:57, 21 January 2016 by Dariodf (talk | contribs)

Jump to: navigation, search
Cornucopia - Ecommerce Website AT 2.png

Suit: Authentication

Card/Value: 2

Description:

James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password).

Technical Note:

Security event logs should record key actions and the results of important security checks (in some cases successes as well as failures). If users have access to this information, they may well be able to help detect attempted or actual account/data breaches as they know more of the usage context. This information might be sent as alert messages (e.g. SMS, email, post), by making event data available as an API, or might appear in the web application as a short summarised activity log available once authenticated such as on the logged-in welcome page, or during the process of logging-off, and also within a user's account details to be accessed on demand. It maybe useful to include non web application events (e.g. mobile app password reset, a major event initiated by letter or the telephone call to the contact centre).

NB: The key concept here is notification of events to users.

References:

OWASP SCP OWASP ASVS OWASP AppSensor CAPEC SAFECODE
47 2.12 UT1 - 28
52




« Previous Card | Authentication | Next Card »