Cornucopia - Ecommerce Website - W Joker B

Suit: Wild Card

Card/Value: Joker

Description:
Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates.

Technical Note:
Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. Some examples are:
 * A vulnerability is announced in an installed component that was never documented in the application's inventory.
 * The server hosting the ecommerce application makes an unapproved connection to another system.
 * The fully outsourced payment form template is modified to include code from the merchant's server.
 * Personal data relating to an individual is used for a purpose the individual has not consented to.
 * An unauthorised change to configuration data such that some component/service is no longer configured adequately.
 * Unapproved/insecure services/applications are installed/enabled.
 * The terms of service, or privacy statement, are modified without approval.
 * Personal data is inadvertently mixed with business contact data.
 * A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy.

Consider:
 * What could change that affects compliance?
 * How will the application detect this?
 * What is the incident response process for these?

References:
Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab.
