Next, you will need to make sure that your Web server is protected at least by a firewall. The best way to choose a firewall is to create or update your existing security policy so you can identify and evaluate which firewalls have the functionality to enforce your policy's rules. Although routers and network-layer stateful packet-filtering firewalls can ensure only approved transmission ports and protocols are open or allowed, I recommend looking at an application-layer filtering firewall. Application-layer filtering firewalls can enforce security policy for both valid connection states and valid application layer communications. In order to provide multiple, overlapping, and mutually supportive protection, you should also deploy intrusion detection, antivirus and antispyware systems.
Once your Web server is secured, you will need to confirm that your e-commerce application and other services do not create holes in your network security. You should have policies in place to ensure the business processes and design requirements of your application are validated and sanity-checked. Formal code reviews should include testing of the source code. You will also need to develop procedures for completing component-level integration testing, system integration testing and application function and deployment testing. From an operating system perspective, the Web applications themselves should be granted only limited ability to access system resources. When building an e-commerce site, you will also need to install a Web server digital certificate so that any confidential data, such as credit card numbers, can be encrypted while in transit between the server and the client.
Even if your Web applications are relatively secure when first deployed, eventual changes to the system's infrastructure or configuration, along with the advent of new threats, will always threaten the applications' security. Web applications in particular will remain vulnerable to attack despite perimeter defenses. It is essential therefore that your security policies are regularly reviewed for relevance and effectiveness. You should develop, maintain and monitor a list of sources that review current security problems and software updates relevant to your system and application software.
This was first published in October 2006