E Commerce Application Security Technology Essentials

written by: Miriam Kalpar; article published: year 2006, month 07;


In: Root » Internet » Web design and development » E Commerce Application Security Technology Essentials

Dutch French Spanish Portuguese Italian German Japanese Chinese Korean Russian Arabic Bookmark and Share this Article

In today’s marketplace, across all industry segments, businesses are realizing that transformation to e-business is required to remain competitive. Analysts predict that companies not making the necessary changes will be overrun by their competition. As enterprises around the world undergo transformations, they are increasingly leveraging Internet technologies to help:

  1. Broaden their markets by extending their reach globally.

  2. Enter new business areas through collaborations or expanded services made possible with Web-based interactions.

  3. Increase employee productivity by providing easier access to corporate information and services.

  4. Reduce costs through improved operations that integrate Web access and traditional IT systems

The e-business transformation is not only changing the competitive landscape, it is changing the very nature of how enterprises view security. Data and transaction security is of paramount importance in this age of rapidly expanding commercial and public computer networks and the emerging Internet economy. For an e-business transformation to be successful, the role that security plays has to become a top priority in every company that makes use of information technology.

In other words, the Internet has forever changed the way business gets done. E-commerce-based applications are enabling interaction among customers, prospects, and partners. Unfortunately, many e-commerce-based applications have inherent vulnerabilities and security-oriented design flaws. Internet-based attacks exploit these weaknesses to compromise sites and gain access to critical systems.

Security awareness for e-commerce-based applications is, therefore, essential to an organization’s overall security posture. The key to a successful program is an integrated, multilayer approach to vulnerability assessment (VA), intrusion detection system (IDS), and event correlation.

This part of the article very briefly highlights emerging threats specific to e-commerce application security and provides guidance on effective approaches to e-commerce application protection. E-commerce applications require a new approach to threat categories. Nevertheless, improved security relative to e-commerce applications can be easily achieved through the effective leverage of existing software solutions.

A Growing Threat

As businesses open their networks to business partners, customers, and their mobile workforce, they are significantly increasing both the value and vulnerability of their online assets. Security incidents are costly, with organizations losing productivity as well as experiencing business interruption, legal exposure, and shareholder liability. Merger and acquisition due diligence and insurability concerns, as well as regulatory requirements, are generating even broader awareness that information protection is a critical need.

Most organizations already have some degree of online security infrastructure—firewalls, intrusion detection systems, operating system hardening procedures, and so on. The problem is that they often overlook the need to secure and verify the integrity of internally developed applications and coded pages against external attacks. In these circumstances, simple manipulation of client code or data, such as the price of goods in an online shopping basket application or sending corrupt and incorrect data to the server can lead to fraudulent transactions or theft of confidential information. An understanding of manipulation techniques combined with rigorous client-side security testing will lead to greater security.

Rigorous Client-Side Testing Is Required

Direct attacks against e-commerce applications through manipulation of their inherent vulnerabilities have become commonplace due to the relative ease. Rigorous, client-side security testing and an understanding of manipulation techniques is essential to identifying the potential failure points of e-commerce applications.

The most prevalent methods of attack on applications include buffer overflow attacks, exploitation of application component privileges, and client-side manipulation. On top of the e-commerce server’s OS, several subcategories of applications exist in which vulnerabilities may be exploited, including the following:

Database: Database application vulnerabilities for Microsoft SQL Server, Oracle, Sybase, and IBM DB2, including bugs, misconfigurations, and default/blank passwords

Web and application server: Vulnerabilities for CGI, Java, Xquery, default files, and other resources called by applications, as well as Web servers (IIS, Apache) and development environments (ColdFusion, etc.)

Web site and application: HTML and XML applications; assessment functions include Web crawling and step-through testing

VA, the starting point for this process, is extremely important for both discovery and identifying vulnerabilities. This process allows an organization to turn off unused services, identify and patch vulnerable software, and make educated decisions about which elements of the overall infrastructure require the most extensive protection measures.

Information gained through VA helps set up significantly more effective IDS implementation and allows the IDS to feed attack and misuse information back into the VA process to ensure that successful penetrations cannot be repeated. This process takes place at the network, server, desktop, and application levels, and can additionally be used to validate that an intrusion protection system is in place and functional.

Finally, it can be extremely difficult for any automated audit and assessment application to know how custom applications will respond to cookie manipulation, form field manipulation, and other e-commerce application threats without carrying out a complete, link-to-link, application-specific assessment. This is a time-consuming, interactive analysis best performed by someone with both security and Web development knowledge—a rarely combined skill set. Organizations may need to dedicate additional staff to fully realize and take advantage of the results promised by such analysis, or to outsource the review to leverage the security and application programming expertise of an organization with the appropriate skills specialization.

Disclaimer

1) E-articles is not responsible for the information contained by this article as well for any and all copyright infringements by authors and writers. E-articles is a free information resource. If you suspect this article for any copyright infringement, please read the terms of service and contact us to investigate the problem.
2) E-articles is not responsible for inaccuracies, falsehoods, or any other types of misinformation this article may contain and will not be liable for any loss or damage suffered by a user through the user's reliance on the information gained here.

link to this article