I am looking for some information about e-commerce website security baselining. I read your e-commerce website security tip from a few years ago, but has anything changed since then? What are the top factors to consider, with an emphasis on emerging technologies?
To summarize my original recommendations, those responsible for the security of an e-commerce site need to:
- Start with a secure Web server configuration. This requires hardening the Web server for its role on the Internet. The NSA produces exhaustive hardening guides, Microsoft provides a free Baseline Security Analyzer, and free benchmarks and scoring tool guidelines are available from the Center for Internet Security.
- Protect Web servers with layered defenses. Deploy a Web application firewall, intrusion detection system, antimalware and antispyware.
- Review Web application code. Use static and dynamic code analysis tools to test for vulnerabilities and logic flaws.
- Install a Web server digital certificate. All traffic to and from the Web server should travel over SSL/TLS. Extended Validation certificates provide the highest level of assurance about a business.
- Regularly pen test the website and review security policies for relevance and effectiveness.
- Keep all software involved in running and maintaining the site patched and up to date.
These basic rules of IT security remain sound, but since my last tip on e-commerce website security baselining, both attackers and the security technologies used to defend against them have increased in sophistication. Distributed denial-of-service (DDoS) attacks against e-commerce sites are becoming a regular occurrence; administrators should put a DDoS mitigation plan in place with their hosting provider. DDoS protection services provided by companies such as CloudFlare or Prolexic are another option, but a solution needs to be in place before an attack is launched.
E-commerce sites should also look to deploy a security information and event management (SIEM) system that brings event, threat and risk data together to improve incident response times. SIEM technologies have advanced considerably in the last few years, and many now can take third-party threat intelligence feeds to provide advanced warnings of potential attacks.
As today's Web applications are mainly built using open source code and components, development teams should use a revision control and repository service such as GitHub to improve the management and ongoing monitoring of third-party code used within the site. Another necessary task is to ensure not only that the site is compliant with the ever-changing legal and regulatory environment, but also that security controls and audit reports fulfill any data protection and reporting requirements. Many SIEMs can now generate pre-defined compliance reports such as PCI DSS, FISMA, GLBA, SOX and HIPAA.
Keeping an e-commerce website secure is an ongoing activity and it is essential to keep up to date with the latest threats and best practices to mitigate them. Regular reviews of policies and practices are important to keeping websites relevant, as is regular patching and pen testing to ensure vulnerabilities aren't introduced as the site evolves.
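The first, second and fourth points of the baseline above (hardened server configuration, layered browser-side defences, and all traffic over SSL/TLS) can be checked mechanically on every release. The script below is an added example, not code from Michael Cobb's answer or from any named product: it parses a captured HTTP response and reports which baseline items are missing. The four sample responses are constructed for the example, and `shop.example` is a hypothetical host; the thresholds (one-year HSTS max-age, Secure and HttpOnly on every cookie, no version strings in `Server`/`X-Powered-By`) are the author's own choice of baseline, not values from the original page.

```python
# Added example (not from Michael Cobb's answer): audit a captured HTTP response
# against a hardening baseline. The responses below are constructed; "shop.example"
# is a hypothetical host.
import re
from dataclasses import dataclass

ONE_YEAR = 365 * 24 * 3600  # minimum HSTS max-age worth deploying


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str


def parse_raw_response(raw: str):
    """Parse the status line and headers of a raw HTTP/1.1 response; the body is ignored.
    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept in a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_response(scheme: str, status: int, headers: dict) -> list:
    """Return the baseline violations found in one response.
    scheme is "http" or "https": the scheme the request was sent over."""
    findings = []

    def first(name):
        return headers.get(name, [""])[0]

    # 1. All traffic over TLS: a plain-HTTP request must be redirected to https://
    if scheme == "http":
        location = first("location")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append(Finding("high", "plain HTTP served content instead of redirecting to https://"))
        return findings  # the remaining checks apply to the HTTPS response

    # 2. HSTS, with a max-age of at least a year
    hsts = first("strict-transport-security")
    match = re.search(r"max-age=(\d+)", hsts)
    if match is None:
        findings.append(Finding("high", "Strict-Transport-Security header missing"))
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(Finding("medium", f"HSTS max-age {match.group(1)} is below one year"))

    # 3. Hardened server configuration: do not advertise software and versions
    for name in ("server", "x-powered-by"):
        value = first(name)
        if re.search(r"\d+\.\d+", value) or (name == "x-powered-by" and value):
            findings.append(Finding("low", f"{name} header discloses software: {value!r}"))

    # 4. Baseline browser-side defences
    if "content-security-policy" not in headers:
        findings.append(Finding("medium", "Content-Security-Policy header missing"))
    if first("x-content-type-options").lower() != "nosniff":
        findings.append(Finding("low", "X-Content-Type-Options: nosniff missing"))

    # 5. Every cookie set over HTTPS must carry Secure and HttpOnly
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(Finding("high", f"cookie {cookie_name} lacks {', '.join(missing)}"))
    return findings


def audit_raw(scheme: str, raw: str) -> list:
    status, headers = parse_raw_response(raw)
    return audit_response(scheme, status, headers)


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>cart</html>"
WEAK_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.0.33\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "\r\n<html>cart</html>"
)
HARDENED_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://shop.example/\r\n\r\n"
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html>cart</html>"
)

if __name__ == "__main__":
    for label, scheme, raw in (("weak http", "http", WEAK_HTTP), ("weak https", "https", WEAK_HTTPS),
                               ("hardened http", "http", HARDENED_HTTP), ("hardened https", "https", HARDENED_HTTPS)):
        print(label, [f"{f.severity}: {f.message}" for f in audit_raw(scheme, raw)])
```

Run against the constructed samples, the weak HTTPS response yields six findings (missing HSTS, two version disclosures, missing CSP, missing nosniff, and a session cookie without Secure/HttpOnly) and the weak plain-HTTP response one, while both hardened responses pass. Wiring this into a pre-release job, fed by a real capture of the live site, turns the "review regularly" items of the baseline into a repeatable check rather than a periodic manual exercise.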
Ask the Expert: answered by Michael Cobb.