E Commerce Application Security Technology Essentials
In today’s marketplace, across all industry segments, businesses are realizing that transformation to e-business is required to remain competitive. Analysts predict that companies not making the necessary changes will be overrun by their competition. As enterprises around the world undergo transformations, they are increasingly leveraging Internet technologies to help:
The e-business transformation is not only changing the competitive landscape; it is changing the very nature of how enterprises view security. Data and transaction security is of paramount importance in this age of rapidly expanding commercial and public computer networks and the emerging Internet economy. For an e-business transformation to be successful, security has to become a top priority in every company that makes use of information technology.

In other words, the Internet has forever changed the way business gets done. E-commerce applications are enabling interaction among customers, prospects, and partners. Unfortunately, many e-commerce applications have inherent vulnerabilities and security-oriented design flaws, and Internet-based attacks exploit these weaknesses to compromise sites and gain access to critical systems. Security awareness for e-commerce applications is therefore essential to an organization’s overall security posture. The key to a successful program is an integrated, multilayer approach combining vulnerability assessment (VA), intrusion detection systems (IDS), and event correlation.

This part of the article briefly highlights emerging threats specific to e-commerce application security and provides guidance on effective approaches to protecting e-commerce applications. E-commerce applications require a new approach to threat categories; nevertheless, improved security for them can be easily achieved through effective use of existing software solutions.

A Growing Threat

As businesses open their networks to business partners, customers, and their mobile workforce, they significantly increase both the value and the vulnerability of their online assets. Security incidents are costly: organizations lose productivity and suffer business interruption, legal exposure, and shareholder liability.
Merger and acquisition due diligence and insurability concerns, as well as regulatory requirements, are generating even broader awareness that information protection is a critical need. Most organizations already have some degree of online security infrastructure: firewalls, intrusion detection systems, operating system hardening procedures, and so on. The problem is that they often overlook the need to secure and verify the integrity of internally developed applications and coded pages against external attacks. In these circumstances, simple manipulation of client code or data, such as changing the price of goods in an online shopping basket application or sending corrupt and incorrect data to the server, can lead to fraudulent transactions or theft of confidential information. An understanding of manipulation techniques, combined with rigorous client-side security testing, leads to greater security.

Rigorous Client-Side Testing Is Required

Direct attacks against e-commerce applications through manipulation of their inherent vulnerabilities have become commonplace because they are relatively easy to carry out. Rigorous client-side security testing and an understanding of manipulation techniques are essential to identifying the potential failure points of e-commerce applications. The most prevalent methods of attack on applications include buffer overflow attacks, exploitation of application component privileges, and client-side manipulation. On top of the e-commerce server’s OS, several subcategories of applications exist in which vulnerabilities may be exploited, including the following:

Database: Database application vulnerabilities for Microsoft SQL Server, Oracle, Sybase, and IBM DB2, including bugs, misconfigurations, and default/blank passwords.

Web and application server: Vulnerabilities in CGI, Java, XQuery, default files, and other resources called by applications, as well as in Web servers (IIS, Apache) and development environments (ColdFusion, etc.).

Web site and application: HTML and XML applications; assessment functions include Web crawling and step-through testing.

VA, the starting point for this process, is extremely important both for discovery and for identifying vulnerabilities. This process allows an organization to turn off unused services, identify and patch vulnerable software, and make educated decisions about which elements of the overall infrastructure require the most extensive protection measures. Information gained through VA helps set up a significantly more effective IDS implementation and allows the IDS to feed attack and misuse information back into the VA process to ensure that successful penetrations cannot be repeated. This process takes place at the network, server, desktop, and application levels, and can additionally be used to validate that an intrusion protection system is in place and functional.

Finally, it can be extremely difficult for any automated audit and assessment application to know how custom applications will respond to cookie manipulation, form field manipulation, and other e-commerce application threats without carrying out a complete, link-to-link, application-specific assessment. This is a time-consuming, interactive analysis best performed by someone with both security and Web development knowledge, a rarely combined skill set. Organizations may need to dedicate additional staff to fully realize and take advantage of the results promised by such analysis, or to outsource the review to an organization with the appropriate security and application programming expertise.
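The shopping-basket price manipulation described above, as an added example that is not part of the original article: a checkout handler that trusts a client-posted price beside one that accepts only SKU and quantity and recomputes the total from a server-side catalogue, flagging mismatches for the event-correlation layer. The catalogue, SKUs, field names and sample requests are constructed for illustration.

```python
# Added example, not from the article: vulnerable vs. hardened basket checkout.
from decimal import Decimal

# Constructed server-side catalogue: the only authoritative source of prices.
CATALOGUE = {"sku-1001": Decimal("49.99"), "sku-1002": Decimal("199.00")}
MAX_QTY = 100


class InvalidOrder(ValueError):
    """Raised when a submitted basket fails server-side validation."""


def checkout_vulnerable(form):
    """Totals the basket from the fields the client posted, price included.

    A hidden 'price' input in the HTML form is not a control: the client
    owns it, so a tampered POST changes the amount charged.
    """
    return sum(Decimal(i["price"]) * int(i["qty"]) for i in form["items"])


def checkout_hardened(form):
    """Accepts only SKU and quantity from the client; price is looked up.

    Returns (total, flags). flags lists tampering indicators to log for the
    event-correlation layer; they never influence the amount charged.
    """
    total, flags = Decimal("0"), []
    for i in form["items"]:
        sku = i.get("sku")
        if sku not in CATALOGUE:
            raise InvalidOrder(f"unknown sku {sku!r}")
        try:
            qty = int(i.get("qty", 0))
        except (TypeError, ValueError):
            raise InvalidOrder(f"quantity for {sku} is not an integer")
        if not 1 <= qty <= MAX_QTY:  # rejects zero, negative and absurd values
            raise InvalidOrder(f"quantity {qty} out of range for {sku}")
        if "price" in i and str(i["price"]) != str(CATALOGUE[sku]):
            flags.append(f"client price mismatch on {sku}")
        total += CATALOGUE[sku] * qty
    return total, flags


# Constructed requests: an honest basket, and one with the price rewritten
# and a negative quantity added to drive the total down.
HONEST = {"items": [{"sku": "sku-1002", "qty": "1", "price": "199.00"}]}
TAMPERED = {"items": [{"sku": "sku-1002", "qty": "1", "price": "0.01"},
                      {"sku": "sku-1001", "qty": "-3", "price": "49.99"}]}
```

The vulnerable handler charges a negative amount for TAMPERED, while the hardened one rejects it outright and still records the price mismatch for correlation with other events.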