3 ways abuse cases can drive security requirements

Learn how to use abuse cases to determine security requirements, strengthen controls, and improve the security of an application’s business features.

Misuse and abuse cases describe how users can misuse or exploit weak controls in software features to attack an application. A direct attack against business functionalities, which may bring in revenue or provide a positive user experience, can have a tangible business impact. Abuse cases can be an effective way to drive security requirements to properly protect these critical business use cases.

Below, we’ll delve into three ways to use misuse and abuse cases to improve the security of an application’s business features.

The shopping cart use case

An online retailer plans to support an anonymous checkout and payment system whereby an anonymous user can enter a shipping address and payment details, place the order, and expect delivery without needing to create an account.

In the design, when a customer adds an item to their shopping cart, stock is reserved for that item. So if there were 500 pairs of pants available, and someone adds a pair to their cart, there are now 499 pairs of pants available for other customers.

A user misuses the shopping cart by adding a large quantity of products without the intent to purchase

Reserving stock when a user adds an item to their shopping cart is convenient for the user but reduces buying opportunities for other users. Consider the following security controls to mitigate the risk:

• Reserve stock when a user starts the checkout process, rather than when they add items to their cart. Supplement by communicating low-stock conditions to the user. For example, add a notification to the product page or open a popup once an item has been added to the cart to indicate that there are only “X” units left in stock.
• Limit the number of items allowed in the shopping cart. The limit can be a heuristic based on popularity. For example, put a lower limit on hot selling-items allowed in the cart.
• Implement timers on items added to the cart, or to the entire cart. Once the time limit expires, release reserved stock back into the pool of available items.
• Support oversubscription through a feature to compensate users whose orders couldn’t be fulfilled (e.g., guaranteed delivery on their next order, a discount or voucher).
• Monitor and release. If the stock inventory level is within a predefined threshold, raise an alert. Customer support should have a way to check on related carts, reservation times, and reservation patterns. They should be able to terminate a suspicious reservation with the use of standardized customer communication or protocols to help manage customer expectations.

Denial-of-service attack with anonymous accounts

Attackers can take advantage of the anonymity of the shopping cart to attack the system by repeatedly opening a browser, creating a new cart, and reserving a large quantity of items. The monitor-and-release control explained above can help. Also consider heuristic controls:

• Implement tiered trust. Assign additional privileges to registered accounts, and fewer to anonymous accounts. For example, change the reservation limit and holding time based on registered/anonymous status.
• Use “likelihood to action” to prioritize inventory holding. You can measure and use information such as referral headers, mouse movements (hot spot tracking), UA, PC resolution, IP range, geo data, and so on to determine a ”likelihood to action” analysis (based on historic sales data), which can help you decide whether to reserve that user’s stock.