Cornucopia - Ecommerce Website - W Joker B
Suit: Wild Card
Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates.
Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. Some examples are:
- An undocumented installed component has a vulnerability announced.
- The server hosting the ecommerce application makes an unapproved connection to another system.
- The fully outsourced payment form template is modified to include code from the merchant's server.
- Personal data relating to an individual is used for a purpose the individual has not consented to.
- An unauthorised change to configuration data such that some component/service is no longer configured adequately.
- Unapproved/insecure services/applications are installed/enabled.
- The terms of service, or privacy statement, are modified without approval.
- Personal data is inadvertently mixed with business contact data.
- A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy.
- What could change that affects compliance?
- How will the application detect this?
- What is the incident response process for these?
Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab.