Ask the Expert

How to secure an e-commerce Web site

What steps should I follow to secure an e-commerce Web site? And what features should I look for when deciding which firewall to purchase?

    Requires Free Membership to View

    Login

First, it is important to start with a secure Web server configuration. This requires hardening the Web server for its role on the Internet. The U.S. National Security Agency produces an exhaustive hardening guide, and the free Benchmarks and Scoring Tools guidelines are available from the Center for Internet Security. Both are useful in evaluating your configuration. These tools are updated as new vulnerabilities are discovered, so they can be used regularly to monitor the effectiveness of your configuration. Windows-based servers can also be tested against Microsoft's free Baseline Security Analyzer.

Next, you will need to make sure that your Web server is protected at least by a firewall. The best way to choose a firewall is to create or update your existing security policy so you can identify and evaluate which firewalls have the functionality to enforce your policy's rules. Although routers and network-layer stateful packet-filtering firewalls can ensure only approved transmission ports and protocols are open or allowed, I recommend looking at an application-layer filtering firewall. Application-layer filtering firewalls can enforce security policy for both valid connection states and valid application layer communications. In order to provide multiple, overlapping, and mutually supportive protection, you should also deploy intrusion detection, antivirus and antispyware systems.

Once your Web server is secured, you will need to confirm that your e-commerce application and other services do not create holes in your network security. You should have policies in place to ensure the business processes and design requirements of your application are validated and sanity-checked. Formal code reviews should include testing of the source code. You will also need to develop procedures for completing component-level integration testing, system integration testing and application function and deployment testing. From an operating system perspective, the Web applications themselves should be granted only limited ability to access system resources. When building an e-commerce site, you will also need to install a Web server digital certificate so that any confidential data, such as credit card numbers, can be encrypted while in transit between the server and the client.

Even if your Web applications are relatively secure when first deployed, eventual changes to the system's infrastructure or configuration, along with the advent of new threats, will always threaten the applications' security. Web applications in particular will remain vulnerable to attack despite perimeter defenses. It is essential therefore that your security policies are regularly reviewed for relevance and effectiveness. You should develop, maintain and monitor a list of sources that review current security problems and software updates relevant to your system and application software.

More information:

  • Find out what types of Web services compromise Web server security.
  • Learn the proper components of an application security management system.

    • This was first published in October 2006

    Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top