E-Commerce Application Security Technology Essentials | Electronic Commerce (Charles River Media Networking/Security)

In today’s marketplace, across all industry segments, businesses are realizing that transformation to e-business is required to remain competitive. Analysts predict that companies not making the necessary changes will be overrun by their competition. As enterprises around the world undergo transformations, they are increasingly leveraging Internet technologies to help:

Broaden their markets by extending their reach globally.
Enter new business areas through collaborations or expanded services made possible with Web-based interactions.
Increase employee productivity by providing easier access to corporate information and services.
Reduce costs through improved operations that integrate Web access and traditional IT systems^[1].

The e-business transformation is not only changing the competitive landscape, it is changing the very nature of how enterprises view security. Data and transaction security is of paramount importance in this age of rapidly expanding commercial and public computer networks and the emerging Internet economy. For an e-business transformation to be successful, the role that security plays has to become a top priority in every company that makes use of information technology.

In other words, the Internet has forever changed the way business gets done. E-commerce-based applications are enabling interaction among customers, prospects, and partners. Unfortunately, many e-commerce-based applications have inherent vulnerabilities and security-oriented design flaws. Internet-based attacks exploit these weaknesses to compromise sites and gain access to critical systems.

Security awareness for e-commerce-based applications is, therefore, essential to an organization’s overall security posture. The key to a successful program is an integrated, multilayer approach to vulnerability assessment (VA), intrusion detection system (IDS), and event correlation.

This part of the chapter very briefly highlights emerging threats specific to e-commerce application security and provides guidance on effective approaches to e-commerce application protection. E-commerce applications require a new approach to threat categories. Nevertheless, improved security relative to e-commerce applications can be easily achieved through the effective leverage of existing software solutions.

A Growing Threat

As businesses open their networks to business partners, customers, and their mobile workforce^[2], they are significantly increasing both the value and vulnerability of their online assets. Security incidents are costly, with organizations losing productivity as well as experiencing business interruption, legal exposure, and shareholder liability. Merger and acquisition due diligence and insurability concerns, as well as regulatory requirements, are generating even broader awareness that information protection is a critical need.

Most organizations already have some degree of online security infrastructure—firewalls, intrusion detection systems, operating system hardening procedures, and so on. The problem is that they often overlook the need to secure and verify the integrity of internally developed applications and coded pages against external attacks. In these circumstances, simple manipulation of client code or data, such as the price of goods in an online shopping basket application or sending corrupt and incorrect data to the server can lead to fraudulent transactions or theft of confidential information. An understanding of manipulation techniques combined with rigorous client-side security testing will lead to greater security.

Rigorous Client-Side Testing Is Required

Direct attacks against e-commerce applications through manipulation of their inherent vulnerabilities have become commonplace due to the relative ease. Rigorous, client-side security testing and an understanding of manipulation techniques is essential to identifying the potential failure points of e-commerce applications.

The most prevalent methods of attack on applications include buffer overflow attacks, exploitation of application component privileges, and client-side manipulation. On top of the e-commerce server’s OS, several subcategories of applications exist in which vulnerabilities may be exploited, including the following:

Database: Database application vulnerabilities for Microsoft SQL Server, Oracle, Sybase, and IBM DB2, including bugs, misconfigurations, and default/blank passwords

Web and application server: Vulnerabilities for CGI, Java, Xquery, default files, and other resources called by applications, as well as Web servers (IIS, Apache) and development environments (ColdFusion, etc.)

Web site and application: HTML and XML applications; assessment functions include Web crawling and step-through testing^[4]

VA, the starting point for this process, is extremely important for both discovery and identifying vulnerabilities. This process allows an organization to turn off unused services, identify and patch vulnerable software, and make educated decisions about which elements of the overall infrastructure require the most extensive protection measures.

Information gained through VA helps set up significantly more effective IDS implementation and allows the IDS to feed attack and misuse information back into the VA process to ensure that successful penetrations cannot be repeated. This process takes place at the network, server, desktop, and application levels, and can additionally be used to validate that an intrusion protection system is in place and functional.

Finally, it can be extremely difficult for any automated audit and assessment application to know how custom applications will respond to cookie manipulation, form field manipulation, and other e-commerce application threats without carrying out a complete, link-to-link, application-specific assessment. This is a time-consuming, interactive analysis best performed by someone with both security and Web development knowledge—a rarely combined skill set. Organizations may need to dedicate additional staff to fully realize and take advantage of the results promised by such analysis, or to outsource the review to leverage the security and application programming expertise of an organization with the appropriate skills specialization.

^[2]Vacca, John R., i-mode Crash Course, McGraw-Hill Professional, 2001.

^[4]“Web Application Protection: Using Existing Protection Solutions,” 2003 Internet Security Systems — ISS, Inc. All rights reserved, Internet Security Systems — ISS, 6303 Barfield Road, Atlanta, GA 30328, 2003.