
How can e-commerce website security be ensured?

While the fundamentals of securing an e-commerce website haven't changed in a few years, there are new threat vectors and security risks to be aware of. Expert Michael Cobb explains.

I am looking for some information about e-commerce website security baselining. I read your e-commerce website security tip from a few years ago, but has anything changed since then? What are the top factors to consider, with an emphasis on emerging technologies?

To summarize my original recommendations, those responsible for the security of an e-commerce site need to:

These basic rules of IT security remain sound, but since my last tip on e-commerce website security baselining, both attackers and the security technologies used to defend against them have increased in sophistication. Distributed denial-of-service (DDoS) attacks against e-commerce sites are becoming a regular occurrence; administrators should put a DDoS mitigation plan in place with their hosting provider. DDoS protection services provided by companies such as CloudFlare or Prolexic are another option, but a solution needs to be in place before an attack is launched.

E-commerce sites should also look to deploy a security information and event management (SIEM) system that brings event, threat and risk data together to improve incident response times. SIEM technologies have advanced considerably in the last few years, and many can now ingest third-party threat intelligence feeds to provide advance warning of potential attacks.

As today's Web applications are mainly built using open source code and components, development teams should use a revision control and repository service such as GitHub to improve the management and ongoing monitoring of third-party code used within the site. Another necessary task is to ensure not only that the site is compliant with the ever-changing legal and regulatory environment, but also that security controls and audit reports fulfill any data protection and reporting requirements. Many SIEMs can now generate pre-defined compliance reports for standards and regulations such as PCI DSS, FISMA, GLBA, SOX and HIPAA.

Keeping an e-commerce website secure is an ongoing activity, and it is essential to keep up to date with the latest threats and the best practices that mitigate them. Regular reviews of policies and practices are important to keeping websites relevant, as are regular patching and penetration testing to ensure that vulnerabilities aren't introduced as the site evolves.



This was last published in December 2014


Good stuff Michael. Thanks for sharing. I didn't realize it could be this complex - especially because I think of sites as vehicles for data and don't necessarily think of that data as money being moved via electrons. But it is that way and I think we need to readjust our thought processes as they pertain to ecommerce and all it brings with it.