Cornucopia - Ecommerce Website - AT 9
Claudia can undertake more critical functions because authentication requirements are too weak, or there is no requirement to re-authenticate for these.
The level of assurance required for confirmation of identity should be assessed. In some cases different levels of authentication may be needed (e.g. two-factor authentication for some users, but not others), and re-authentication should be considered for some important functionality (e.g. changing password, making a payment, deleting an account), especially where weaknesses have been accepted to reduce application friction for users (e.g. having longer session timeouts, allowing guest check-out, having remember-me functionality).
NB: the key concept for this card is insufficient authentication. See Session Management SM 8 for the re-authentication requirement to check if privileges have changed.
|OWASP SCP||OWASP ASVS||OWASP AppSensor||CAPEC||SAFECODE|