382 A Practical Guide to Security Assessments
Risk:
If customers are not properly authenticated before password information is reset or communicated, the new password may be given to the wrong person, who can then use it to gain unauthorized access to another person's account.
Client Response:
20. Is administrator access to the Web server limited to only those individuals who require it?
Guidance:
Administrator access to the Web server grants full rights: an administrator can make any change to, or see anything on, the server. This access should not be granted lightly and should be limited to those individuals who need it to do their jobs; ideally, the system administrator who maintains the Web server and one designated backup. The server should be configured so that administrator activity is logged, preferably to a location the administrator cannot alter, so that a security breach involving the Web server can be investigated. In addition, each administrator should have a regular, unprivileged account for day-to-day work and use the administrative account only when performing administrative tasks; shared or direct root logins defeat the tracking described above because the activity cannot be tied to an individual.
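The following Python script is added here as an illustration of how an assessor can test the points above; it is example code, not part of the original questionnaire or any vendor tool. It checks a Linux Web server's administrator group membership against an approved list, reconstructs per-person privileged activity from sudo log lines, and flags direct root logins that cannot be tied to an individual. The /etc/group fragment and the syslog lines are constructed samples; treating 'wheel' and 'sudo' as the administrator groups and the approved administrator list itself are assumptions for the example.

```python
"""Audit of Web server administrator access and admin-activity logging (example only)."""
import re
from collections import defaultdict

# Constructed sample input: a fragment of /etc/group from a Linux Web server.
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob,carol
sudo:x:27:alice,dave
www-data:x:33:
"""

# Constructed sample auth log lines (syslog style; not captured from a real system).
SAMPLE_AUTH_LOG = """\
Aug 17 11:02:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/apachectl graceful
Aug 17 11:03:15 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/vi /etc/httpd/conf/httpd.conf
Aug 17 11:04:40 web01 sshd[2201]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2
Aug 17 11:05:02 web01 sudo:     dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug 17 11:06:10 web01 sshd[2210]: Accepted password for carol from 10.0.0.9 port 50130 ssh2
"""

# Assumption: membership in either of these groups confers administrator rights.
ADMIN_GROUPS = {"wheel", "sudo"}

# sudo records the invoking user and the command it ran on the user's behalf.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$")
# An interactive login as root itself, which cannot be attributed to a person.
ROOT_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")


def admin_accounts(group_text: str, admin_groups=ADMIN_GROUPS) -> dict:
    """Map each administrator group to the set of members listed in /etc/group."""
    members = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, users = line.split(":", 3)
        if name in admin_groups:
            members[name] = {u for u in users.split(",") if u}
    return members


def unapproved_admins(group_text: str, approved: set) -> set:
    """Accounts holding administrator group membership that are not on the approved list."""
    found = set().union(*admin_accounts(group_text).values())
    return found - approved


def sudo_activity(log_text: str) -> dict:
    """Per-user list of privileged commands, reconstructed from sudo log lines."""
    activity = defaultdict(list)
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            activity[m.group("user")].append(m.group("cmd").strip())
    return dict(activity)


def direct_root_logins(log_text: str) -> list:
    """Source addresses of logins made directly as root rather than via a personal account."""
    return [m.group("src") for m in map(ROOT_LOGIN_RE.search, log_text.splitlines()) if m]


def assess(group_text: str, log_text: str, approved: set) -> dict:
    """Summarize the three findings an assessor would raise for question 20."""
    return {
        "unapproved_admins": sorted(unapproved_admins(group_text, approved)),
        "direct_root_logins": direct_root_logins(log_text),
        "sudo_activity": sudo_activity(log_text),
    }


if __name__ == "__main__":
    # Hypothetical approved list: the maintaining administrator and one backup.
    for key, value in assess(SAMPLE_GROUP_FILE, SAMPLE_AUTH_LOG, {"alice", "bob"}).items():
        print(f"{key}: {value}")
```

On a real server the same functions would be fed the actual /etc/group and the sudo and sshd entries from the auth log (or from a central log host, which is where they should be kept so an administrator cannot edit them); the approved list comes from the client's documented assignment of administrator and backup.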
Risk:
If administrator access to the Web server on which B2C operations reside is not strictly controlled, that access, in the wrong hands, can be used to damage the B2C Web site. This is especially true of disgruntled employees in companies where termination practices (in particular, promptly removing the access of people who leave) are not effectively performed.
Client Response:
21. If the application was built in house, do changes go through a change management process before being migrated into production? Is there a development and test environment to facilitate this?
Guidance:
Change management is evaluated more closely in another questionnaire but is included here to determine whether it is applied to B2C applications. The change management process should always be used when making changes to B2C applications (or any applications), to ensure that changes have been properly tested and that the appropriate individuals have approved the change before it reaches production. Because the B2C application is customer facing
AU1706_book.fm Page 382 Tuesday, August 17, 2004 11:02 AM