
Cornucopia - Ecommerce Website - W Joker B

From OWASP
Revision as of 15:35, 21 January 2016 by Dariodf (talk | contribs) (Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#fbbb7b;">Cornucopia - Ecommerce Website - WC J</span>}} File:Cornucopia_-_Ecommerce_Website_W_Jok...")

[Card image: Cornucopia - Ecommerce Website W Joker B.png]

Suit: Wild Card

Card/Value: Joker

Description:

Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates.

Technical Note:

Most ecommerce applications are subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and for payment card security (for example PCI DSS). An unapproved change, or an application compromise, could mean the ecommerce application is no longer in compliance, or that its compliance reporting obligations change. Some examples are:

  • An undocumented installed component has a vulnerability announced.
  • The server hosting the ecommerce application makes an unapproved connection to another system.
  • The fully outsourced payment form template is modified to include code from the merchant's server.
  • Personal data relating to an individual is used for a purpose the individual has not consented to.
  • An unauthorised change to configuration data such that some component/service is no longer configured adequately.
  • Unapproved/insecure services/applications are installed/enabled.
  • The terms of service, or privacy statement, are modified without approval.
  • Personal data is inadvertently mixed with business contact data.
  • A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy.

Consider:

  • What could change that affects compliance?
  • How will the application detect this?
  • What is the incident response process for these?
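The card asks how the application will detect changes that affect compliance. The following is an added example, not part of the Cornucopia card or of any OWASP tool, showing one way to check a deployment against an approved baseline for three of the changes listed above: an undocumented installed component, script on the outsourced payment form that is not served by the payment provider, and a disabled data-retention job. The approved component manifest, the approved script host, the 92-day retention window and the sample deployment state are all constructed here for illustration.

```python
"""Compliance-drift checks for an ecommerce deployment (added example).

Every manifest, template and timestamp below is constructed inline so the
script runs offline; package names, hostnames and the retention window are
assumptions, not values from any real deployment.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed approved baseline: what change control has signed off on.
APPROVED_COMPONENTS = {"nginx": "1.24.0", "django": "4.2.7", "psycopg2": "2.9.9"}
# Assumed: the only host the fully outsourced payment form may load script from.
APPROVED_SCRIPT_HOSTS = {"pay.example-psp.com"}
# Assumed retention policy: the quarterly destruction job must run within this window.
RETENTION_JOB_MAX_AGE = timedelta(days=92)

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.IGNORECASE)


def component_drift(installed):
    """Report components that are not in the approved manifest, are at an
    unapproved version, or are missing. An undocumented component is the one
    nobody patches when a vulnerability is announced for it."""
    findings = []
    for name, version in sorted(installed.items()):
        if name not in APPROVED_COMPONENTS:
            findings.append(f"undocumented component installed: {name} {version}")
        elif APPROVED_COMPONENTS[name] != version:
            findings.append(f"unapproved version of {name}: {version} (approved {APPROVED_COMPONENTS[name]})")
    for name in sorted(set(APPROVED_COMPONENTS) - set(installed)):
        findings.append(f"approved component missing: {name}")
    return findings


def payment_form_drift(template_html):
    """Report script on the payment form template that is not served by the
    approved payment provider. A relative src (no host) resolves to the
    merchant's own server, which is exactly the change the card warns about."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(template_html):
        m = HOST_RE.match(src)
        host = m.group(1).lower() if m else None  # None: merchant-hosted relative URL
        if host not in APPROVED_SCRIPT_HOSTS:
            findings.append(f"payment form loads script from unapproved source: {src}")
    # A <script> tag with no src attribute is inline code embedded in the template.
    if re.search(r'<script(?![^>]*\ssrc=)[^>]*>', template_html, re.IGNORECASE):
        findings.append("payment form contains inline script")
    return findings


def retention_job_drift(last_run, now):
    """Report the quarterly data-destruction job if it has not run within the
    policy window, e.g. because its schedule was disabled by accident."""
    if last_run is None:
        return ["retention job has never run"]
    age = now - last_run
    if age > RETENTION_JOB_MAX_AGE:
        return [f"retention job last ran {age.days} days ago (policy max {RETENTION_JOB_MAX_AGE.days})"]
    return []


def compliance_report(installed, template_html, last_run, now):
    """Run every check; an empty list means no drift from the baseline was found."""
    return (component_drift(installed)
            + payment_form_drift(template_html)
            + retention_job_drift(last_run, now))


# Constructed state of a deployment that has drifted in all three ways.
SAMPLE_INSTALLED = {"nginx": "1.24.0", "django": "4.2.7", "psycopg2": "2.9.9",
                    "imagemagick": "7.1.1"}
SAMPLE_TEMPLATE = """<form id="pay">
<script src="https://pay.example-psp.com/v3/checkout.js"></script>
<script src="/static/js/tracking.js"></script>
<script>window.dl = [];</script>
</form>"""
SAMPLE_NOW = datetime(2016, 1, 21, 15, 35, tzinfo=timezone.utc)
SAMPLE_LAST_RUN = SAMPLE_NOW - timedelta(days=120)

if __name__ == "__main__":
    for finding in compliance_report(SAMPLE_INSTALLED, SAMPLE_TEMPLATE, SAMPLE_LAST_RUN, SAMPLE_NOW):
        print("DRIFT:", finding)
```

Run on a schedule or from the deployment pipeline, a non-empty report is the trigger for the incident response process the card asks about; the findings name the change that occurred, which is what the compliance owner needs in order to decide whether reporting obligations have changed.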

References:

Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab.