Web Security

Purdy on 2004-08-03T19:17:46

Posting this for my own future reference as well as to share the love:

Threat Classification

As a Web developer, I should know all of these classifications and make sure my applications are protected using a security scheme that fits their intended usage.

On a side note, I'm developing a "manage my account" type of thing for a paid magazine (OP Magazine, for out-of-print books), and when looking at what other magazines do for this, I'm amazed that all you need to access your account is your e-mail address, or knowing the mailing address. See this example at Running World.

I also find it kinda interesting when you survey different magazines' online subscription systems, they're either Time or buysub.com (which is part of CDS Fulfillment). It really amazes me how many magazines use the buysub.com application when they want to take subscription orders online.

So should I follow their footsteps? Or am I a little paranoid here? What security scheme should be done here? How do you balance the need for security against usability for the user?

I guess the worst that could be done is that someone steals an issue of a magazine by reassigning the mailing address to their own. So when we get a complaint from the victim, we could fix it and lock the account against further/online changes.
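To make the trade-off concrete, here is a toy model of the two flows, added alongside the post rather than taken from it or from any of the magazine sites mentioned: a portal where knowing the e-mail is enough to change the mailing address, next to one where the change only takes effect after a one-time token sent to the e-mail of record is presented, plus the "fix it and lock the account against online changes" response described above. Account names, addresses, the mailer stand-in and the 15-minute token lifetime are all assumptions made up for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TOKEN_TTL = 15 * 60  # seconds a confirmation token stays valid (assumed policy)


@dataclass
class Account:
    email: str
    mailing_address: str
    locked: bool = False                               # set after a complaint; blocks online changes
    pending: Optional[Tuple[str, str, float]] = None   # (token, new address, expiry)


class WeakPortal:
    """The pattern the post observes: knowing the e-mail is enough to change anything."""

    def __init__(self, accounts: List[Account]):
        self.accounts = {a.email: a for a in accounts}

    def change_address(self, email: str, new_address: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        acct.mailing_address = new_address   # no proof the requester owns the mailbox
        return True


class ConfirmedPortal:
    """A change of address takes effect only once a one-time token, mailed to the
    e-mail of record, is presented. send_mail(email, token) stands in for a real mailer."""

    def __init__(self, accounts: List[Account], send_mail: Callable[[str, str], None]):
        self.accounts = {a.email: a for a in accounts}
        self.send_mail = send_mail

    def request_change(self, email: str, new_address: str, now: Optional[float] = None) -> None:
        acct = self.accounts.get(email)
        now = time.time() if now is None else now
        # An unknown e-mail and a locked account look identical to the requester,
        # so the form reveals nothing about which subscribers exist.
        if acct is None or acct.locked:
            return
        token = secrets.token_urlsafe(16)              # 128 bits, not guessable
        acct.pending = (token, new_address, now + TOKEN_TTL)
        self.send_mail(email, token)                   # only the mailbox owner learns the token

    def confirm_change(self, email: str, token: str, now: Optional[float] = None) -> bool:
        acct = self.accounts.get(email)
        now = time.time() if now is None else now
        if acct is None or acct.locked or acct.pending is None:
            return False
        expected, new_address, expiry = acct.pending
        if not hmac.compare_digest(expected, token):   # constant-time comparison
            return False                               # wrong guess leaves the real request intact
        acct.pending = None                            # single use, even if expired
        if now > expiry:
            return False
        acct.mailing_address = new_address
        return True

    def lock_after_complaint(self, email: str, restored_address: str) -> None:
        """The response the post describes: restore the address and freeze online changes."""
        acct = self.accounts[email]
        acct.mailing_address = restored_address
        acct.pending = None
        acct.locked = True


def demo() -> dict:
    """Run both flows on constructed sample data and return the outcomes."""
    victim = "reader@example.com"                      # constructed sample subscriber
    weak = WeakPortal([Account(victim, "1 Main St")])
    weak_hijacked = weak.change_address(victim, "99 Elsewhere Rd")   # attacker only knows the e-mail

    outbox: List[Tuple[str, str]] = []                 # stands in for the subscriber's inbox
    portal = ConfirmedPortal([Account(victim, "1 Main St")], lambda e, t: outbox.append((e, t)))
    portal.request_change(victim, "99 Elsewhere Rd", now=0.0)
    guessed = portal.confirm_change(victim, "not-the-token", now=1.0)   # attacker, no inbox access
    confirmed = portal.confirm_change(victim, outbox[-1][1], now=1.0)   # mailbox owner
    portal.lock_after_complaint(victim, "1 Main St")
    portal.request_change(victim, "99 Elsewhere Rd", now=2.0)          # silently ignored once locked
    return {
        "weak_hijacked": weak_hijacked,
        "guessed": guessed,
        "confirmed": confirmed,
        "address_after_lock": portal.accounts[victim].mailing_address,
        "mail_after_lock": len(outbox),
    }


if __name__ == "__main__":
    print(demo())
```

The usability cost is one extra round trip through the subscriber's inbox, and only for changes that matter (the mailing address); plain lookups can stay as easy as they are today. The lock is deliberately a separate, staff-driven step, since an automated lock would itself become a way to harass a subscriber.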

Film @ 11...

Peace,

Jason