It was possibly only a simple development error that led to a security gap at eBay in December 2015, one that had the potential to intercept customer passwords during the login process. The consequences of attacks that exploit such flaws can be substantial, and extremely unpleasant for the user: spam mail, phishing and stolen credit cards are only a few of them.
And as the eBay example shows, large players are not spared either. Up to 87 percent of all websites have medium-severity security flaws, while 50 percent have serious security gaps. The resulting annual loss worldwide is over 400 billion US dollars. A data leak costs a store more than its reputation: online stores are responsible for the security of customer data, and are accordingly liable for data leaks. Processes and methods that target the security of e-commerce solutions are therefore indispensable for stores. Such work is not limited to a particular phase of a project; it runs through the entire period up to the day of implementation and go-live. Security is an indispensable part of the design process, part of the implementation, part of the system infrastructure and part of operations.
The following points in particular should be addressed:
1. Define clear requirements
It seems mundane, but it is important: security begins before the project starts, and each web store has its own requirements. In a B2B shop that charges a fee for the download of technical documents, it is of course extremely important to design very secure identification, customer registration and access protection. For a telecommunications provider that offers all of its products through a self-service portal, it is equally crucial that only the authorised user has access to the contract and invoice data. Although both examples require the implementation of access controls, the underlying requirements are different. These must be identified in the requirements-engineering phase, and they form the basis for the later implementation.
2. Set your standards
“Secure Coding Standards” help developers write secure code for the web. Ideally, they build on security-tested frameworks. Although these preventive investments are immensely important for the security of a web application, there are still no recognised industry standards or norms that define what a secure web application is. Therefore each agency or online shop must take on the responsibility itself and create its own portfolio of standards in the areas of quality assurance, security and testing.
That is why, a few years ago, we started to collect best practices and recommendations from experts, for example the Open Web Application Security Project (OWASP), so that clients do not need to search for a standard themselves, and so that we can offer truly measurable security.
3. Search for your security flaws
In addition, at the end of every development project we put the application through a “Web Application Security Test”, which checks whether our security standards have actually been adhered to. To do so, we work with a certified “Ethical Hacker”, a specially trained IT expert who possesses a hacker’s knowledge but who works for us. This is complemented by various software tools (we use, for example, IBM AppScan) that simulate attacks on the application. Any suspicious reaction by the application is documented and must later be manually confirmed or ruled out. The result is a report that documents the security flaws that were found and provides technical guidance for rectifying them.
Consider each security flaw found in this phase not as a programmer’s error, but rather as a success: you discovered it during the development phase. The later a flaw comes to light, the more expensive it is to rectify.
4. Conduct continuous monitoring
Factors that cannot be controlled, such as the execution environment (browser), different devices (desktop and mobile) and heterogeneous systems, introduce challenges for e-commerce solutions that are not always predictable in advance. Periodic security and penetration tests, in which experts (e.g., certified ethical hackers) perform targeted attack attempts, help to keep these factors in view, because the number of newly discovered security flaws and the ways in which software gaps can be exploited grow daily.
Moreover, there is the option of installing an additional “Web Application Firewall” (WAF). It inspects every incoming request before the request is passed on to the actual web application. For this, a WAF needs a comprehensive rule set that is customised to the particular web application. Suspicious requests are rejected immediately and, under predefined conditions, can raise an alarm (e.g., an email to an administrator when 100 requests per second containing SQL injection code arrive from a single IP address). As a WAF is an independent system, attack attempts never even reach the protected application or the data it holds.
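To make the WAF behaviour described above concrete, here is an added illustration (not code from the original article or from any WAF product): a minimal request filter with one constructed SQL-injection signature, per-IP-per-second counting of rejected requests, and an alarm once the threshold named in the text (100 per second from one address) is reached. The request tuples, the signature and the threshold are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed signature for a few classic SQL-injection fragments.
# A production WAF rule set is far larger and tuned to the specific application.
SQLI_PATTERN = re.compile(r"(?i)(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table)")

ALERT_THRESHOLD = 100  # rejected requests per second from one IP before an alarm is raised


class SimpleWaf:
    """Inspects requests before they reach the application; rejects matches, counts per IP."""

    def __init__(self, threshold=ALERT_THRESHOLD):
        self.threshold = threshold
        self.rejected = defaultdict(int)  # (client_ip, whole second) -> rejected request count
        self.alerts = []                  # alarm messages (an email hook would go here)

    def inspect(self, ts, client_ip, payload):
        """Return 'allow' or 'reject' for one request; raise an alarm on the threshold."""
        if not SQLI_PATTERN.search(payload):
            return "allow"
        key = (client_ip, int(ts))
        self.rejected[key] += 1
        if self.rejected[key] == self.threshold:  # fire exactly once per (ip, second)
            self.alerts.append(f"ALARM: {client_ip} sent {self.threshold} SQLi requests in second {int(ts)}")
        return "reject"


def summarise(requests, threshold=ALERT_THRESHOLD):
    """Run constructed (timestamp, ip, payload) tuples through the WAF and report counts."""
    waf = SimpleWaf(threshold)
    verdicts = [waf.inspect(ts, ip, payload) for ts, ip, payload in requests]
    return {
        "allowed": verdicts.count("allow"),
        "rejected": verdicts.count("reject"),
        "alerts": list(waf.alerts),
    }


# Constructed traffic: a burst of 100 injection attempts from one address within one second,
# a single benign request, and one isolated injection attempt from a second address.
SAMPLE_REQUESTS = (
    [(1000.0 + i / 1000, "203.0.113.7", "id=1' OR '1'='1") for i in range(100)]
    + [(1000.5, "198.51.100.2", "id=42&sort=price")]
    + [(1001.0, "198.51.100.9", "q=x' UNION SELECT 1,2,3")]
)

if __name__ == "__main__":
    print(summarise(SAMPLE_REQUESTS))
```

The burst trips one alarm, the benign request passes, and the lone attempt from the second address is rejected without raising an alarm because it never reaches the per-second threshold.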
Be Secure from the Beginning
The cornerstone of a secure e-commerce solution must therefore already be laid during the design, even before the software is actually in use. In addition, regular testing of the software, along with any resulting updates, is unavoidable and absolutely necessary. Only then is it possible to keep the software up to date and to ensure its security.
This article was also published at e-commerce-magazin.de.