Manage Learn to apply best practices and optimize your operations.

How to secure an e-commerce Web site

If you need to secure an e-commerce Web site, application security expert, Michael Cobb, has a place to start. In this expert Q&A, Cobb recommends the equipment that will secure your online business.

What steps should I follow to secure an e-commerce Web site? And what features should I look for when deciding...

which firewall to purchase?

First, it is important to start with a secure Web server configuration. This requires hardening the Web server for its role on the Internet. The U.S. National Security Agency produces an exhaustive hardening guide, and the free Benchmarks and Scoring Tools guidelines are available from the Center for Internet Security. Both are useful in evaluating your configuration. These tools are updated as new vulnerabilities are discovered, so they can be used regularly to monitor the effectiveness of your configuration. Windows-based servers can also be tested against Microsoft's free Baseline Security Analyzer.

Next, you will need to make sure that your Web server is protected at least by a firewall. The best way to choose a firewall is to create or update your existing security policy so you can identify and evaluate which firewalls have the functionality to enforce your policy's rules. Although routers and network-layer stateful packet-filtering firewalls can ensure only approved transmission ports and protocols are open or allowed, I recommend looking at an application-layer filtering firewall. Application-layer filtering firewalls can enforce security policy for both valid connection states and valid application layer communications. In order to provide multiple, overlapping, and mutually supportive protection, you should also deploy intrusion detection, antivirus and antispyware systems.

Once your Web server is secured, you will need to confirm that your e-commerce application and other services do not create holes in your network security. You should have policies in place to ensure the business processes and design requirements of your application are validated and sanity-checked. Formal code reviews should include testing of the source code. You will also need to develop procedures for completing component-level integration testing, system integration testing and application function and deployment testing. From an operating system perspective, the Web applications themselves should be granted only limited ability to access system resources. When building an e-commerce site, you will also need to install a Web server digital certificate so that any confidential data, such as credit card numbers, can be encrypted while in transit between the server and the client.

Even if your Web applications are relatively secure when first deployed, eventual changes to the system's infrastructure or configuration, along with the advent of new threats, will always threaten the applications' security. Web applications in particular will remain vulnerable to attack despite perimeter defenses. It is essential therefore that your security policies are regularly reviewed for relevance and effectiveness. You should develop, maintain and monitor a list of sources that review current security problems and software updates relevant to your system and application software.

More on this topic


This was last published in October 2006

Dig Deeper on Application firewall security