Website Security

Website/e-Commerce Security Hinal Panchal +919601174443 [email protected]


Transcript of Website Security

Page 1: Website Security

Website/e-Commerce Security

Hinal Panchal [email protected]

Page 2: Website Security

The Web is changing many of the assumptions that people have historically made about computer security and publishing. As the Internet makes it possible for web servers to publish information to millions of users, it also makes it possible for computer hackers, crackers, criminals, vandals, and other “bad guys” to break into the very computers on which the web servers are running. Once subverted, web servers can be used by attackers as a launching point for conducting further attacks against users and organizations.

It is considerably more expensive and more time-consuming to recover from a security incident than to take preventative measures ahead of time.

Page 3: Website Security

Server-Level Security

Separate the web and database servers onto different physical machines.

Secure the web and database servers with traditional techniques. Only authorized accounts should have the capability to run tasks on the machine; that means not giving admin rights to the user account.

Keep servers up-to-date with the latest patches and software releases.

Minimize the number of services running on the server. This means limiting the services to only those required for the web or database server to function.

Secure information in transit between servers. This may mean physically securing the network to prevent eavesdropping, encrypting the data, or obfuscating it amongst innocuous ‘noise’.

Page 4: Website Security

Application-Level Security

Separate the web server and database server user accounts. They should never run under the same system account.

Create a database user specifically for your data source and restrict it to only the activities required for the application. The user should not have database-owner rights, access to databases not relating to the application or access to the system tables.

Revoke the privileges that allow the SQL commands CREATE, DROP, GRANT, REVOKE and ALTER.
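The least-privilege database account described above, as an added example that is not part of the original slides. SQLite has no GRANT/REVOKE, so the example uses Python's stdlib sqlite3 authorizer hook as a stand-in for the revoked privileges: the schema is created first as the owner, then the application's handle is restricted to row-level operations on its own tables, and CREATE, DROP, ALTER, system-table reads and unrelated tables are all refused. The table names and the admin_settings table are constructed for the example.

```python
import sqlite3

# Tables the application account may touch (constructed example schema).
APP_TABLES = {"orders", "customers"}

# The row-level operations a least-privilege application user keeps.
DML_ACTIONS = {
    sqlite3.SQLITE_READ,
    sqlite3.SQLITE_INSERT,
    sqlite3.SQLITE_UPDATE,
    sqlite3.SQLITE_DELETE,
}


def app_authorizer(action, arg1, arg2, dbname, source):
    """Deny-by-default policy for the application's database handle.

    Hypothetical policy written for this example: it stands in for revoking
    CREATE, DROP, ALTER, GRANT and REVOKE from the application user on a
    full RDBMS. For READ/INSERT/UPDATE/DELETE, arg1 is the table name.
    """
    if action in (sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK      # BEGIN/COMMIT and built-in functions
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK      # statement marker; columns are checked via READ
    if action in DML_ACTIONS and arg1 in APP_TABLES:
        return sqlite3.SQLITE_OK      # DML on the application's own tables only
    return sqlite3.SQLITE_DENY        # DDL, system tables, unrelated tables


def open_app_connection():
    """Build the schema as the owner, then hand over a restricted handle."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("CREATE TABLE admin_settings (key TEXT, value TEXT)")  # not the app's
    conn.commit()
    conn.set_authorizer(app_authorizer)   # every statement from here on is policed
    return conn


def try_sql(conn, sql):
    """Run one statement and report 'ok' or 'denied' (other errors propagate)."""
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.DatabaseError as exc:
        msg = str(exc)
        # SQLite reports a refused statement as "not authorized" and a
        # refused column read as "access to ... is prohibited".
        if "not authorized" in msg or "prohibited" in msg:
            conn.rollback()
            return "denied"
        raise


if __name__ == "__main__":
    conn = open_app_connection()
    for stmt in ("INSERT INTO orders (total) VALUES (19.99)",
                 "SELECT total FROM orders",
                 "CREATE TABLE scratch (x)",
                 "DROP TABLE orders",
                 "ALTER TABLE orders ADD COLUMN note TEXT",
                 "SELECT name FROM sqlite_master",
                 "INSERT INTO admin_settings (key, value) VALUES ('mode', 'x')"):
        print(f"{try_sql(conn, stmt):7} {stmt}")
```

On a real database server the same separation is done with a dedicated application login and GRANT statements limited to SELECT/INSERT/UPDATE/DELETE on the application's tables; the point the example makes is that the application's handle should be unable to alter the schema or read system tables even if the code that uses it is compromised.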

Reduce the maximum size of POST data from 100 MB. Enable request timeouts, and set them to 60 seconds or less.
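The two limits above, as an added example using only Python's stdlib http.server; this is not code from the original slides. The handler rejects a request by its declared Content-Length before reading any body bytes, and the socketserver `timeout` attribute drops a client that stalls for more than 60 seconds. The 1 MiB limit and the /checkout path are assumptions for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_POST_BYTES = 1 * 1024 * 1024   # 1 MiB, far below the 100 MB default the text mentions
REQUEST_TIMEOUT = 60               # seconds a client may stall before it is dropped


def post_too_large(headers) -> bool:
    """True when the declared Content-Length exceeds the limit or is malformed."""
    raw = headers.get("Content-Length")
    if raw is None:
        return False
    try:
        return int(raw) > MAX_POST_BYTES
    except ValueError:
        return True


class LimitedHandler(BaseHTTPRequestHandler):
    # socketserver applies `timeout` as the socket read timeout; a client that
    # sends a partial request and then stalls is disconnected after this long.
    timeout = REQUEST_TIMEOUT

    def do_POST(self):
        if post_too_large(self.headers):
            # Reject on the declared length before reading a single body byte.
            self.send_response(413, "Payload Too Large")
            self.send_header("Connection", "close")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))  # bounded read
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def post_status(port, declared_length, body):
    """POST to the local server with an explicit Content-Length; return the status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/checkout", body=body,
                 headers={"Content-Length": str(declared_length)})
    status = conn.getresponse().status
    conn.close()
    return status


def run_demo():
    """Start the server on a free port and return (normal_status, oversized_status)."""
    server = HTTPServer(("127.0.0.1", 0), LimitedHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        payload = b"sku=42&qty=1"
        normal = post_status(port, len(payload), payload)
        oversized = post_status(port, MAX_POST_BYTES + 1, b"")   # declares 1 MiB + 1 byte
    finally:
        server.shutdown()
        server.server_close()
    return normal, oversized


if __name__ == "__main__":
    print(run_demo())   # expected: (200, 413)
```

In production the same two settings belong in the web server or application framework configuration rather than in handler code, but the behaviour to look for is identical: an oversized body is refused without being buffered, and an idle connection is closed rather than held open indefinitely.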

Page 5: Website Security

Other security measures to be taken care of from developer’s perspective:

Choose a secure ecommerce platform: Put your ecommerce site on a platform that uses a sophisticated object-oriented programming language.

Use a secure connection for online checkout--and make sure you are PCI compliant. "Use strong SSL [Secure Sockets Layer] authentication for Web and data protection."

Don't store sensitive data.

Employ an address and card verification system. "Enable an address verification system (AVS) and require the card verification value (CVV) for credit card transactions to reduce fraudulent charges."
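"Don't store sensitive data" in practice, as an added example that is not from the original slides: the checkout form's card payload is reduced to the fields an order record may keep (last four digits, expiry and the processor's opaque token), while the full card number and the CVV are never written anywhere. The Luhn check is a standard sanity check on the number before it is handed to the payment processor; the processor token and the test card number are placeholder values constructed for the example, and no real processor API is called.

```python
import re

# Fields an order record may keep once the payment processor has handled the
# card. The PAN and the CVV are deliberately absent: the CVV must never be
# stored, and the full PAN belongs only with the PCI-scoped payment provider.
STORABLE_FIELDS = ("pan_last4", "exp_month", "exp_year", "processor_token")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum on a card number (spaces allowed); False for non-digits."""
    pan = re.sub(r"\s+", "", pan)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_record_for_storage(card: dict, processor_token: str) -> dict:
    """Reduce a raw checkout card payload to the fields it is safe to keep.

    `card` is the form input: {"pan", "exp_month", "exp_year", "cvv"}.
    `processor_token` is the opaque reference returned by the payment
    processor after it charged the card (placeholder value in this example).
    """
    pan = re.sub(r"\s+", "", card["pan"])
    if not luhn_valid(pan):
        raise ValueError("card number failed checksum")
    record = {
        "pan_last4": pan[-4:],
        "exp_month": int(card["exp_month"]),
        "exp_year": int(card["exp_year"]),
        "processor_token": processor_token,
    }
    # Defensive check: nothing but the allow-listed fields may reach storage.
    if set(record) != set(STORABLE_FIELDS):
        raise RuntimeError("record contains fields that must not be stored")
    return record


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known test number.
    form = {"pan": "4111 1111 1111 1111", "exp_month": "12", "exp_year": "2030", "cvv": "123"}
    print(card_record_for_storage(form, "tok_example_123"))
```

The CVV is used once for the authorization request and then discarded; if the raw form dictionary is ever logged or persisted, the data-minimization step above is bypassed, so the check belongs as close to the request handler as possible.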

Page 6: Website Security

Require strong passwords.

Set up system alerts for suspicious activity.

Layer your security.

Provide security training to employees.

Use tracking numbers for all orders.

Monitor your site regularly--and make sure whoever is hosting it is, too.

Make sure whoever is hosting your ecommerce site "regularly monitors their servers for malware, viruses and other harmful software."
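One concrete form of "system alerts for suspicious activity" and regular monitoring, as an added example that is not part of the original slides: a small detector run over web-server access-log lines that raises an alert when one client address accumulates a threshold of failed logins inside a sliding window. The log lines, the /login path, the threshold and the window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2023:13:00:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [10/Oct/2023:13:20:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [10/Oct/2023:13:40:00 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "GET /product/7 HTTP/1.1" 200 4096
192.0.2.9 - - [10/Oct/2023:14:20:00 +0000] "POST /login HTTP/1.1" 401 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status)."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # malformed line: skip rather than crash
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on any client IP with `threshold` failed logins inside `window`.

    Returns a list of (ip, iso_timestamp_of_trigger, count). The per-IP
    history is cleared after an alert so one burst produces one alert.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])      # tolerate out-of-order lines
    recent = defaultdict(deque)
    alerts = []
    for ip, ts, method, path, status in events:
        if not (method == "POST" and path == "/login" and status in (401, 403)):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, ts.isoformat(), len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for ip, when, count in failed_login_alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: {count} failed logins ending {when}")
```

On the sample data only 203.0.113.7 trips the alert: 192.0.2.9 also fails repeatedly but its attempts are 20 minutes apart, and 198.51.100.4 fails once and then succeeds. Tuning the threshold and window against a site's own baseline is what keeps such an alert useful rather than noisy.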

Page 7: Website Security

Perform regular PCI scans.

Patch your systems.

Make sure you have a DDoS protection and mitigation service. "With DDoS [Distributed Denial of Service] attacks increasing in frequency, sophistication and range of targets, ecommerce sites should turn to cloud-based DDoS protection and managed DNS services to provide transactional capacity to handle proactive mitigation and eliminate the need for significant investments in equipment, infrastructure and expertise."

Page 8: Website Security

Consider a fraud management service.

Make sure you or whoever is hosting your site is backing it up--and has a disaster recovery plan.