What steps should I follow to secure an e-commerce Web site? And what features should I look for when deciding...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
which firewall to purchase?
First, it is important to start with a secure Web server configuration. This requires hardening the Web server for its role on the Internet. The U.S. National Security Agency produces an exhaustive hardening guide, and the free Benchmarks and Scoring Tools guidelines are available from the Center for Internet Security. Both are useful in evaluating your configuration. These tools are updated as new vulnerabilities are discovered, so they can be used regularly to monitor the effectiveness of your configuration. Windows-based servers can also be tested against Microsoft's free Baseline Security Analyzer.
Next, you will need to make sure that your Web server is protected at least by a firewall. The best way to choose a firewall is to create or update your existing security policy so you can identify and evaluate which firewalls have the functionality to enforce your policy's rules. Although routers and network-layer stateful packet-filtering firewalls can ensure only approved transmission ports and protocols are open or allowed, I recommend looking at an application-layer filtering firewall. Application-layer filtering firewalls can enforce security policy for both valid connection states and valid application layer communications. In order to provide multiple, overlapping, and mutually supportive protection, you should also deploy intrusion detection, antivirus and antispyware systems.
Once your Web server is secured, you will need to confirm that your e-commerce application and other services do not create holes in your network security. You should have policies in place to ensure the business processes and design requirements of your application are validated and sanity-checked. Formal code reviews should include testing of the source code. You will also need to develop procedures for completing component-level integration testing, system integration testing and application function and deployment testing. From an operating system perspective, the Web applications themselves should be granted only limited ability to access system resources. When building an e-commerce site, you will also need to install a Web server digital certificate so that any confidential data, such as credit card numbers, can be encrypted while in transit between the server and the client.
Even if your Web applications are relatively secure when first deployed, eventual changes to the system's infrastructure or configuration, along with the advent of new threats, will always threaten the applications' security. Web applications in particular will remain vulnerable to attack despite perimeter defenses. It is essential therefore that your security policies are regularly reviewed for relevance and effectiveness. You should develop, maintain and monitor a list of sources that review current security problems and software updates relevant to your system and application software.
Dig Deeper on Application Firewall Security
Related Q&A from Michael Cobb
The TLS protocol has fallen on hard times, but expert Michael Cobb explains how client puzzles can help fix some of the problems.continue reading
Microsoft's Wi-Fi Sense for Windows 10 can share encrypted passwords for Wi-Fi networks, but is it safe? Expert Michael Cobb has the answer.continue reading
Several security vendors and providers have been hacked over the last year. Expert Michael Cobb explains how enterprises should prepare for a vendor ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.