This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - W Joker B"
(→Technical Note:: Complioance reporting text moved and updated.) |
|||
| Line 11: | Line 11: | ||
=== Technical Note: === | === Technical Note: === | ||
| − | Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security | + | Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. Some examples are: |
* An undocumented installed component has a vulnerability announced. | * An undocumented installed component has a vulnerability announced. | ||
* The server hosting the ecommerce application makes an unapproved connection to another system. | * The server hosting the ecommerce application makes an unapproved connection to another system. | ||
| Line 21: | Line 21: | ||
* Personal data is inadvertently mixed with business contact data. | * Personal data is inadvertently mixed with business contact data. | ||
* A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy. | * A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy. | ||
| + | An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. For example, an ecommerce website might be eligible to assess and report under PCIDSS using Self Assessment Questionnaire (SAQ) A, but due to one of the above issues, the merchant no longer meets the eligibility requirements, and thus has to use controls in and report under the longer SAQ A-EP or full SAQ D. | ||
Consider: | Consider: | ||
Latest revision as of 10:12, 19 May 2016
Suit: Wild Card
Card/Value: Joker
Description:
Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates.
Technical Note:
Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. Some examples are:
- An undocumented installed component has a vulnerability announced.
- The server hosting the ecommerce application makes an unapproved connection to another system.
- The fully outsourced payment form template is modified to include code from the merchant's server.
- Personal data relating to an individual is used for a purpose the individual has not consented to.
- An unauthorised change to configuration data such that some component/service is no longer configured adequately.
- Unapproved/insecure services/applications are installed/enabled.
- The terms of service, or privacy statement, are modified without approval.
- Personal data is inadvertently mixed with business contact data.
- A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy.
An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. For example, an ecommerce website might be eligible to assess and report under PCIDSS using Self Assessment Questionnaire (SAQ) A, but due to one of the above issues, the merchant no longer meets the eligibility requirements, and thus has to use controls in and report under the longer SAQ A-EP or full SAQ D.
Consider:
- What could change that affects compliance?
- How will the application detect this?
- What is the incident response process for these?
References:
Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab.
