Vulnerabilities of Web Applications – Business Scenario Analysis


Describe the business threats posed by each of the following situations and explain what the effect may be if the Web application is compromised.

  1. A publicly traded retailer with retail outlets and online shopping and shipping options
    • Loss of integrity of inventory
    • Loss of confidentiality of customers’ PII data – name, address, phone number, credit card details
    • Severe PCI DSS compliance penalties
    • Delayed order fulfilment
    • Loss of customers and credibility
    • Possible theft and redirection of organization funds
    • Drop in the company’s stock price
    • Major stakeholders may pull out their investments from the organization
  2. A small, private law firm whose small website features forms for potential clients to complete that require name, address, contact number, and reason for scheduling an appointment
    • Loss of confidentiality – potential clients’ details are leaked
    • Competitors may gain from this information – leading to loss of leads
    • Clients lose faith in the firm and will choose a competitor
    • Loss of scheduling information can lead to cancelled and forgotten appointments, further showing that the firm is unprofessional and cannot be trusted
    • A small firm will face the backlash and find it difficult to build credibility again
  3. A real estate appraisal company that provides residential-loan applicants of a publicly traded financial institution with online appraisals – all applicant information is sent to the appraisal company electronically
    • Loss of confidential data
    • Severe penalties under the SOX (Sarbanes-Oxley) Act
    • Possible litigation by individuals and the Federal Trade Commission (FTC)
    • Identity theft of clients – leading to more losses and litigation
  4. A Web hosting company that provides leased servers for the websites of clients, ranging from small firms to large online retailers
    • Disruption in services – leading to loss of network and cloud availability to clients
    • Breach of service contract – can lead to financial losses and litigation
    • Loss of reputation and clientele
    • Labelled unreliable and insecure – no clients will want such a service to host their organization’s data and websites
    • Possible loss of integrity and confidentiality of the clients’ hosted data – leading to catastrophic and cascading repercussions
  5. A city government that allows people with parking tickets to pay the fines online using a credit card or online check
    • Loss of credit card information
    • Financial fraud with stolen details
    • PCI-DSS compliance violations
  6. A local residential-cleaning business with a website that acts as a company brochure; no forms of any type are located on the website
    • Possible defacement of the website by malicious hackers
    • Change in contact information – leading to possible clients contacting a competitor
  7. A software development company that develops and licenses online shopping software to large corporations
    • Loss of highly confidential data involving license keys and digital signatures
    • Leads to fraud involving clients’ software
    • Huge financial losses for the clients
    • Clients will sue for losses
    • Possible loss of clients’ payment details – leading to financial losses, compliance violations and litigation
    • Loss of intellectual property involving the algorithms used for generating license keys
    • Can lead to the company going bankrupt and shutting down
  8. A private, locally owned bank with a website that accepts loan applications online
    • Loss of customers’ PII data – leading to possible identity theft and compliance violations
    • Lost data can be very useful for competitors
    • Loss of customers
    • Loss of reputation
  9. A local doctor’s office that maintains all patient information within the office; it doesn’t share electronically with any entities and doesn’t have a website or use any custom-developed software
    • Business threats are offline – loss of paperwork and patients’ details, stolen information, loss of information through dumpster diving, social engineering, etc.
    • HIPAA violations – leading to steep penalties
    • Can lead to the health care providers losing their licenses
    • Complete loss of credibility, severe losses, and irreparable damages
  10. An online-only retailer which sells athletic equipment using shopping-cart software that has been developed in-house and uses PayPal whenever a customer makes a purchase
    • Loss of orders
    • Loss of inventory details
    • Forged orders leading to loss of goods
    • Loss of genuine customers
    • Financial losses