Ecommerce Security
Lesson 6: Application security
Objective: Design for system security at the application level.

Application Security

It is difficult to secure every application in an e-commerce site. A better approach is to allow only particular applications to communicate through the network.
A common hacker technique is to load an illicit server onto a host, where it acts as a Trojan horse. Once a session with that server is established, the hacker has full control over the host. Security at the application layer is implemented through application-level gateways known as proxy servers, which are discussed in a later module.

Building an ecommerce Website

Building an e-commerce website is an ongoing process. The website, which consists of various forms of technology, constantly evolves as new forms of server-side scripting are introduced. Security risks change as the site positions itself on the web and as the platform used by the site becomes obsolete. The different website configurations and approaches discussed in this module show that the network-level protection that so many websites have been using might not be enough.
When building a website, we must survey the risks facing it from every aspect. Not all websites face the same "threats", and many websites are just another collection of HTML pages in the vast cyberspace of the Internet. But websites that conduct business, contain information a malicious hacker would consider valuable, or hold a political view are at higher risk than others. E-commerce websites often hold valuable information (credit card numbers or other private, personal data) and conduct business, and are thus placed in a high-risk position. Having recognized that a website is in the high-risk zone, we must consider the different types of security hazards:
  1. Denial of service, including DDoS
  2. Defacement (the replacement of content on a web site, indicating it has been hacked).
  3. Data Theft
  4. Fraud (data manipulation or actual theft)
While any of these attacks might cause revenue loss, the method of defense against each is different. Since there is no global security solution that can provide the full defensive spectrum an e-commerce website requires, it has become extremely difficult to choose the right line of defense. Security is a product that comes with a price tag. At first, this might seem obvious, since products such as firewalls and anti-virus software have known pricing. However, the costs of ongoing security, software security updates, and new website technologies cannot be calculated during initial installation planning. Eventually the website owner will have to decide what level of security will be provided, while considering the current risks and costs involved.

TCP/IP applications

E-commerce sites often require custom software that must successfully transit the firewall. Understanding the architecture of each application that will be routed through a firewall is necessary for proper firewall configuration. Common e-commerce TCP/IP applications are described in the table below.

| Application | Description |
|---|---|
| Telnet | Used for many purposes. Telnet allows you to access a remote computer as if you were sitting right in front of it. Once you have logged on, you can use Telnet to modify users, edit files (including HTML, CGI, and Java), and generally administer your site. |
| FTP | Used for file transfers. |
| HTTP using SSL | Most firewalls block out this traffic by default, causing problems with the entire e-commerce implementation. |
| SSH | A secure replacement for Telnet and UNIX-based remote login programs. |
| Custom middleware | Includes Java servlets and applications that include Microsoft DNA, Netscape ONE, and Oracle NCA. |
| Legacy communications | Many older network systems may have to communicate across the firewall. |
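
The approach from the start of this lesson (allow only particular applications to communicate, and treat any other server on the host as suspect) can be checked against a host's listening sockets. The following is an added example, not part of the original lesson: the policy, the function names, and the sample inventory are all constructed, and the ports are the standard well-known ones for the applications named in the table.

```python
from dataclasses import dataclass

# Assumed policy for a hypothetical storefront host: only these applications
# may communicate through the network; everything else is denied by default.
ALLOWED = {("tcp", 443): "HTTP using SSL", ("tcp", 22): "SSH"}

# Applications the lesson's table pairs with a secure replacement.
REPLACED = {("tcp", 23): ("Telnet", "SSH")}

@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str

def parse_listeners(text):
    """Parse constructed 'proto port process' lines into Listener records."""
    listeners = []
    for line in text.strip().splitlines():
        proto, port, process = line.split()
        listeners.append(Listener(proto.lower(), int(port), process))
    return listeners

def audit(listeners):
    """Return (allowed, findings); anything not on the allowlist is a finding."""
    allowed, findings = [], []
    for item in listeners:
        key = (item.proto, item.port)
        if key in ALLOWED:
            allowed.append(item)
        elif key in REPLACED:
            old, new = REPLACED[key]
            findings.append((item, f"{old} listener; use {new} instead"))
        else:
            findings.append((item, "not on allowlist; possible illicit server"))
    return allowed, findings

# Constructed inventory of listening sockets on one host (not real data).
SAMPLE = """
tcp 443 httpd
tcp 22 sshd
tcp 23 telnetd
tcp 8081 unknown-svc
"""

if __name__ == "__main__":
    ok, bad = audit(parse_listeners(SAMPLE))
    for item, reason in bad:
        print(f"{item.proto}/{item.port} ({item.process}): {reason}")
```

Because the policy is default-deny, a newly installed listener shows up as a finding without anyone having to anticipate its port in advance.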