Ask The Security Expert: Questions & Answers

How to secure an e-commerce Web site

EXPERT RESPONSE FROM: Michael Cobb, featured expert

QUESTION POSED ON: 13 October 2006
What steps should I follow to secure an e-commerce Web site? And what features should I look for when deciding which firewall to purchase?




First, it is important to start with a secure Web server configuration. This requires hardening the Web server for its role on the Internet. The U.S. National Security Agency produces an exhaustive hardening guide, and the free Benchmarks and Scoring Tools guidelines are available from the Center for Internet Security. Both are useful in evaluating your configuration. These tools are updated as new vulnerabilities are discovered, so they can be used regularly to monitor the effectiveness of your configuration. Windows-based servers can also be tested against Microsoft's free Baseline Security Analyzer.

Next, you will need to make sure that your Web server is protected at least by a firewall. The best way to choose a firewall is to create or update your existing security policy so you can identify and evaluate which firewalls have the functionality to enforce your policy's rules. Although routers and network-layer stateful packet-filtering firewalls can ensure only approved transmission ports and protocols are open or allowed, I recommend looking at an application-layer filtering firewall. Application-layer filtering firewalls can enforce security policy for both valid connection states and valid application layer communications. In order to provide multiple, overlapping, and mutually supportive protection, you should also deploy intrusion detection, antivirus and antispyware systems.

Once your Web server is secured, you will need to confirm that your e-commerce application and other services do not create holes in your network security. You should have policies in place to ensure the business processes and design requirements of your application are validated and sanity-checked. Formal code reviews should include testing of the source code. You will also need to develop procedures for completing component-level integration testing, system integration testing and application function and deployment testing. From an operating system perspective, the Web applications themselves should be granted only limited ability to access system resources. When building an e-commerce site, you will also need to install a Web server digital certificate so that any confidential data, such as credit card numbers, can be encrypted while in transit between the server and the client.

Even if your Web applications are relatively secure when first deployed, eventual changes to the system's infrastructure or configuration, along with the advent of new threats, will always threaten the applications' security. Web applications in particular will remain vulnerable to attack despite perimeter defenses. It is essential therefore that your security policies are regularly reviewed for relevance and effectiveness. You should develop, maintain and monitor a list of sources that review current security problems and software updates relevant to your system and application software.

More information:

  • Find out what types of Web services compromise Web server security.
  • Learn the proper components of an application security management system.
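The server-hardening step in the answer above is what benchmark tools like the ones it names automate. What follows is an added example, not the expert's code and not the NSA or CIS tooling itself: a small audit of an Apache-style configuration that checks a hand-picked subset of the directives such a benchmark looks at, with a weak sample configuration beside its hardened form. The directive set, the defaults assumed for absent directives, and both sample configurations are assumptions made for illustration.

```python
"""Audit an Apache-style httpd.conf against a small hardening baseline.

Added example, not part of the original answer. The rules are a hand-picked
subset modelled on the kind of checks benchmark tools make; they are not the
NSA or CIS benchmarks themselves, and both sample configurations are constructed.
"""

# Constructed "before" configuration: the weak settings a benchmark would flag.
WEAK_CONFIG = """\
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
SSLProtocol all
SSLCipherSuite ALL
"""

# The same configuration after hardening; audit() should return no findings.
HARDENED_CONFIG = """\
ServerTokens Prod
ServerSignature Off
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(text):
    """Return (directive, value) pairs. Directive names are case-insensitive
    in Apache, so they are lower-cased. Comments, blank lines and <Section>
    markers are skipped (section scoping is ignored in this simplified parser)."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs


def audit(config_text):
    """Return a list of human-readable findings; an empty list means every
    checked directive meets the baseline. When a directive is absent, an
    assumed default is used (Apache's documented default where one exists)."""
    values = {}
    for name, value in parse_directives(config_text):
        values.setdefault(name, []).append(value)

    def first(name, default):
        return values.get(name, [default])[0]

    findings = []
    if first("servertokens", "Full").lower() != "prod":
        findings.append("ServerTokens should be Prod so the banner hides the version")
    if first("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature should be Off")
    if first("traceenable", "On").lower() != "off":
        findings.append("TraceEnable should be Off (TRACE enables cross-site tracing)")
    for value in values.get("options", []):
        if {"Indexes", "+Indexes", "All"} & set(value.split()):
            findings.append("Options must not enable Indexes (directory listing)")
    for value in values.get("allowoverride", []):
        if value.lower() != "none":
            findings.append("AllowOverride should be None so .htaccess cannot relax policy")
    # SSLProtocol: a legacy version is live if named explicitly, or if "all"
    # is used without a matching "-Version" exclusion.
    tokens = [t.lower() for t in first("sslprotocol", "all").split()]
    for proto in LEGACY_PROTOCOLS:
        p = proto.lower()
        if p in tokens or ("all" in tokens and "-" + p not in tokens):
            findings.append(f"SSLProtocol leaves {proto} enabled")
    ciphers = first("sslciphersuite", "DEFAULT")
    if ciphers.upper() in ("ALL", "DEFAULT") or "!aNULL" not in ciphers:
        findings.append("SSLCipherSuite should exclude anonymous and weak ciphers")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it as a script to see the ten findings on the weak configuration and none on the hardened one; the point of the defaults in `audit()` is that a directive that is simply missing is treated as its shipped default, which is how a real benchmark catches settings an administrator never thought to write down.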
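The answer's distinction between a stateful packet filter and an application-layer filter, as an added example that is not from the original answer: both decisions are run over the same constructed requests, all of which arrive as TCP on port 443 and therefore pass the packet filter, while only the legitimate one passes the application-layer policy. The host name shop.example.com, the path allowlist, the content-type rule and the sample traffic are assumptions for illustration, not a real product's rule set.

```python
"""A stateful packet filter's decision next to an application-layer filter's.

Added example, not from the original answer. The policies, the host name and
the sample requests are constructed for illustration.
"""
from urllib.parse import unquote

# --- Network layer: all a packet filter can reason about --------------------
WEB_PORTS = {80, 443}


def packet_filter(dst_port, protocol="tcp", state="NEW"):
    """Admit new TCP connections to the web listeners and any packet of an
    already established flow. The HTTP request inside is never inspected."""
    if state == "ESTABLISHED":
        return True
    return protocol == "tcp" and dst_port in WEB_PORTS


# --- Application layer: the policy an application-layer filter enforces ----
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"shop.example.com"}             # assumed site name
EXACT_PATHS = {"/", "/index.html"}
PATH_PREFIXES = ("/catalog/", "/cart/", "/checkout/", "/static/")
POST_CONTENT_TYPES = {"application/x-www-form-urlencoded", "application/json"}
MAX_REQUEST_LINE = 2048


def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers, body).
    Raises ValueError if the request line does not have exactly three parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def app_filter(raw):
    """Return (allowed, reason). Every rule here needs the parsed HTTP
    request, which is exactly what a packet filter never sees."""
    if len(raw.split("\r\n", 1)[0]) > MAX_REQUEST_LINE:
        return False, "request line too long"
    try:
        method, path, version, headers, body = parse_request(raw)
    except ValueError:
        return False, "malformed request line"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported protocol version"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    host = headers.get("host", "").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return False, "missing or unknown Host header"
    # Decode before inspecting so %2e%2e cannot hide a traversal.
    decoded = unquote(path.split("?", 1)[0])
    if not decoded.startswith("/") or "/.." in decoded or "\x00" in decoded:
        return False, "path traversal attempt"
    if decoded not in EXACT_PATHS and not decoded.startswith(PATH_PREFIXES):
        return False, "path not in site allowlist"
    if method == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in POST_CONTENT_TYPES:
            return False, f"unsupported Content-Type for POST: {ctype or 'none'}"
    return True, "ok"


# Constructed sample traffic; every request arrives as TCP to port 443.
SAMPLE_REQUESTS = [
    # 1. an ordinary catalogue lookup: should pass
    "GET /catalog/item?id=42 HTTP/1.1\r\nHost: shop.example.com\r\n\r\n",
    # 2. TRACE is valid HTTP but has no business on a shop front end
    "TRACE / HTTP/1.1\r\nHost: shop.example.com\r\n\r\n",
    # 3. encoded traversal hidden under an allowed prefix
    "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: shop.example.com\r\n\r\n",
    # 4. POST with a body type the checkout endpoint does not accept
    "POST /checkout/pay HTTP/1.1\r\nHost: shop.example.com\r\n"
    "Content-Type: text/xml\r\nContent-Length: 5\r\n\r\n<a/>\n",
    # 5. probing for a management interface that is not part of the site
    "GET /admin/ HTTP/1.1\r\nHost: shop.example.com\r\n\r\n",
]


def compare(requests):
    """Return (packet-filter verdict, app-filter verdict, reason) per request."""
    return [(packet_filter(443), *app_filter(r)) for r in requests]


if __name__ == "__main__":
    for raw, (net_ok, app_ok, reason) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        request_line = raw.split("\r\n", 1)[0]
        print(f"{request_line:48} packet filter: {net_ok!s:5} app filter: {app_ok!s:5} ({reason})")
```

The packet filter returns True for all five because port and protocol are the only facts it has; the application-layer filter rejects the TRACE, the encoded traversal, the wrong content type and the probe for an unlisted path. That difference is the reason the answer recommends an application-layer filter in front of an e-commerce server rather than relying on port filtering alone.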



All Rights Reserved, Copyright 2003 - 2009, TechTarget