I am looking for some information about e-commerce website security baselining. I read your e-commerce website security tip from a few years ago, but has anything changed since then? What are the top factors to consider, with an emphasis on emerging technologies?
To summarize my original recommendations, those responsible for the security of an e-commerce site need to:
- Start with a secure Web server configuration. This requires hardening the Web server for its role on the Internet. The NSA produces exhaustive hardening guides, Microsoft provides a free Baseline Security Analyzer, and free benchmarks and scoring tool guidelines are available from the Center for Internet Security.
- Protect Web servers with layered defenses. Deploy a Web application firewall, intrusion detection system, antimalware and antispyware.
- Review Web application code. Use static and dynamic code analysis tools to test for vulnerabilities and logic flaws.
- Install a Web server digital certificate. All traffic to and from the Web server should travel over SSL/TLS. Extended Validation certificates provide the highest level of assurance about a business.
- Regularly pen test the website and review security policies for relevance and effectiveness.
- Keep all software involved in running and maintaining the site patched and up to date.
These basic rules of IT security remain sound, but since my last tip on e-commerce website security baselining, both attackers and the security technologies used to defend against them have increased in sophistication. Distributed denial-of-service (DDoS) attacks against e-commerce sites are becoming a regular occurrence; administrators should put a DDoS mitigation plan in place with their hosting provider. DDoS protection services provided by companies such as CloudFlare or Prolexic are another option, but a solution needs to be in place before an attack is launched.
E-commerce sites should also look to deploy a security information and event management (SIEM) system that brings event, threat and risk data together to improve incident response times. SIEM technologies have advanced considerably in the last few years, and many now can take third-party threat intelligence feeds to provide advanced warnings of potential attacks.
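To make the correlation a SIEM performs concrete, here is an added example written for this page (not code from any SIEM product or from the author): it parses constructed web-server access-log lines, joins each event with a constructed threat-intelligence entry and an assumed asset-criticality table, adds a per-client error-rate signal, and raises scored alerts. All IP addresses, paths, feed names and weights are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined-log style; documentation IP ranges).
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /checkout HTTP/1.1" 200 5120
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/login HTTP/1.1" 403 512
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/config HTTP/1.1" 404 210
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "POST /cart HTTP/1.1" 200 1024
198.51.100.23 - - [10/Oct/2023:13:55:52 +0000] "GET /phpmyadmin HTTP/1.1" 404 210
192.0.2.55 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210
"""
# Constructed threat-intel entry and asset-criticality weights (assumed values).
INTEL = {"198.51.100.23": {"source": "feed-A", "confidence": 60}}
ASSET_WEIGHTS = {"/admin": 50, "/checkout": 40}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')
def parse_line(line):
    # One access-log line -> event dict, or None for lines that do not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event

def asset_weight(path, weights):
    # Risk weight of the requested resource (highest matching path prefix wins).
    return max((w for p, w in weights.items() if path.startswith(p)), default=0)

def correlate(log_text, intel, weights, threshold=50):
    # Fuse three sources per event: threat-intel hit, asset risk, per-IP client-error count.
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    errors_by_ip = Counter(e["ip"] for e in events if 400 <= e["status"] < 500)
    alerts = []
    for e in events:
        reasons = {}
        if e["ip"] in intel:
            reasons["ip listed by " + intel[e["ip"]]["source"]] = intel[e["ip"]]["confidence"]
        weight = asset_weight(e["path"], weights)
        if weight:
            reasons["request to sensitive asset"] = weight
        if errors_by_ip[e["ip"]] >= 3:  # repeated 4xx from one client suggests probing
            reasons["%d client errors from ip" % errors_by_ip[e["ip"]]] = 30
        score = sum(reasons.values())
        if score >= threshold:
            alerts.append({"ip": e["ip"], "path": e["path"], "score": score,
                           "reasons": sorted(reasons)})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

With the constructed data, the three requests from the feed-listed address are raised (scores 140, 140 and 90) while the ordinary checkout traffic stays below the threshold; each alert carries the reasons that contributed, which is what shortens triage.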
As today's Web applications are mainly built using open source code and components, development teams should use a revision control and repository service such as GitHub to improve the management and ongoing monitoring of third-party code used within the site. Another necessary task is to ensure not only that the site is compliant with the ever-changing legal and regulatory environment, but also that security controls and audit reports fulfill any data protection and reporting requirements. Many SIEMs can now generate pre-defined compliance reports such as PCI DSS, FISMA, GLBA, SOX and HIPAA.
Keeping an e-commerce website secure is an ongoing activity, and it is essential to keep up to date with the latest threats and the best practices for mitigating them. Regular reviews of policies and practices are important for keeping a website's security relevant, as are regular patching and pen testing to ensure vulnerabilities aren't introduced as the site evolves.
Ask the Expert!
Perplexed about application security? Send Michael Cobb your questions today! (All questions are anonymous.)