Editor's note: This is the 4th article in a seven-part series by Chetan Conikee. We will publish the series in its entirety within the next few days. To be notified when a new article in the series is published, "Join" the community in the bottom right hand corner of this page. By joining our community, you'll receive a free download of the book "Epic Failures in DevSecOps", including Chetan's chapter, "Strategic Asymmetry – Leveling the Playing Field between Defenders and Adversaries".
In my previous post we witnessed a vendor partnership flaw that was exploited. Let us now situate ourselves in an online auction event.
Online auctions offer buyers and sellers of a wide variety of goods an enormous platform for trade. Just like local auctions, there are sellers and bidders and winners and losers. Winners are expected to pay for what they bid on at the conclusion of the auction.
At online auctions, you will be required to register before you can buy or sell items. Registration is required to track the items you bid on or sell, keep up with the bids, determine the winning bids, and build a database of seller and bidder feedback.
Ironically, this is one of those types of flaws that is all but impossible for an automated web application vulnerability scanner to find, because it lives in the business logic rather than in any single request or response.
Is there a human assisted expert system available to check your specific application belonging to a specific business domain for design flaws that can be exploited?
Yes, such a system does exist. At the series finale I will reveal how this expert system can be utilized to identify such flaws.
Until then, onto my next installment in this series.
The second part of season #1 will be released shortly after my coffee supplies are restocked.