Cornucopia - Ecommerce Website - W Joker B
Suit: Wild Card
Card/Value: Joker
Description:
Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates.
Technical Note:
Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. An unapproved change, or an application compromise, could mean the ecommerce application is no longer in compliance, or that its compliance reporting requirements change. Some examples are:
- An undocumented installed component has a vulnerability announced.
- The server hosting the ecommerce application makes an unapproved connection to another system.
- The fully outsourced payment form template is modified to include code from the merchant's server.
- Personal data relating to an individual is used for a purpose the individual has not consented to.
- An unauthorised change to configuration data is made, such that some component/service is no longer configured adequately.
- Unapproved/insecure services/applications are installed/enabled.
- The terms of service, or privacy statement, are modified without approval.
- Personal data is inadvertently mixed with business contact data.
- A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy.
Consider:
- What could change that affects compliance?
- How will the application detect this?
- What is the incident response process for these?
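As an added illustration of the "how will the application detect this?" question (example code written for this page, not part of the Cornucopia card or any OWASP project), the check below compares an approved baseline against the observed state and flags the kinds of change listed above: an undocumented component, configuration drift, a silently disabled scheduled job, and an unapproved outbound connection. The baseline, the current state and the host names are constructed sample data.

```python
"""Baseline-vs-observed compliance drift check (constructed example)."""

# Approved baseline, as it would be recorded at the last compliance review.
# All values are constructed for illustration.
BASELINE = {
    "components": {"payment-sdk": "2.4.1", "image-lib": "1.0.3"},
    "config": {"tls_min_version": "1.2", "card_data_logging": "off"},
    "scheduled_jobs": {"quarterly_data_destruction": True},
    "allowed_outbound": {"psp.example.test:443", "db.internal.test:5432"},
}

# Observed state collected from the host, constructed to contain one
# instance of each drift type so every check below fires once.
CURRENT = {
    "components": {"payment-sdk": "2.4.1", "image-lib": "1.0.3",
                   "analytics-beacon": "0.9.0"},      # not in the baseline
    "config": {"tls_min_version": "1.2", "card_data_logging": "on"},
    "scheduled_jobs": {"quarterly_data_destruction": False},
    "observed_outbound": {"psp.example.test:443", "db.internal.test:5432",
                          "203.0.113.7:22"},           # unapproved destination
}


def drift_findings(baseline: dict, current: dict) -> list[str]:
    """Return one human-readable finding per deviation from the baseline."""
    findings = []
    # 1. Undocumented or changed components (e.g. one later found vulnerable).
    for name, ver in current["components"].items():
        base_ver = baseline["components"].get(name)
        if base_ver is None:
            findings.append(f"undocumented component installed: {name} {ver}")
        elif base_ver != ver:
            findings.append(f"component version changed: {name} {base_ver} -> {ver}")
    # 2. Configuration drift against the approved values.
    for key, expected in baseline["config"].items():
        actual = current["config"].get(key)
        if actual != expected:
            findings.append(f"config drift: {key} expected {expected!r}, found {actual!r}")
    # 3. Scheduled jobs that compliance depends on but which are now disabled.
    for job, enabled in baseline["scheduled_jobs"].items():
        if enabled and not current["scheduled_jobs"].get(job, False):
            findings.append(f"scheduled job disabled: {job}")
    # 4. Outbound connections to destinations not on the approved list.
    for dest in sorted(current["observed_outbound"] - baseline["allowed_outbound"]):
        findings.append(f"unapproved outbound connection: {dest}")
    return findings


if __name__ == "__main__":
    for finding in drift_findings(BASELINE, CURRENT):
        print("DRIFT:", finding)
```

Each finding maps to a change that should trigger the incident response and compliance review process rather than being silently reconciled.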
References:
Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab.