{"id":28040,"date":"2015-10-19T12:18:21","date_gmt":"2015-10-19T06:48:21","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=28040"},"modified":"2022-01-11T09:49:30","modified_gmt":"2022-01-11T04:19:30","slug":"an-essence-of-application-security-in-e-commerce","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/an-essence-of-application-security-in-e-commerce\/","title":{"rendered":"An essence of Application Security in E-commerce"},"content":{"rendered":"<p>Hackers and cyber criminals see <a title=\"E-Commerce\" href=\"http:\/\/www.tothenew.com\/technologies\">E-commerce<\/a> sites as a source of information, such as credit card data and other PII (<b>personally identifiable information<\/b>). To protect customers, it&#8217;s necessary to know how to protect the application and the sensitive customer data it holds. All of this rests on users&#8217; trust in and assurance about the brand, and yes, that trust is at risk if you compromise on e-commerce application security.<\/p>\n<h3><span style=\"color: #ff9900;\"><strong>What is wrong with the E-commerce sector?<\/strong><\/span><\/h3>\n<h6 style=\"text-align: left;\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-28401\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/10\/bbbb.jpg\" alt=\"\" width=\"800\" height=\"311\" \/>Source: safenet-inc.com<\/h6>\n<p>As per last year\u2019s data breach figures (see above), the retail sector, which includes e-commerce, accounts for more than half of all data breaches. Let us look at some of the threats to e-commerce applications.<\/p>\n<ul>\n<li>E-commerce websites are vulnerable to scams from external as well as internal sources. 
It may also include credit card fraud and information being fed into the system by dishonest employees, attackers, malware, etc.<\/li>\n<li>Security issues that exist in internal networks and in the interfaces that handle customer transactions on the network. By bypassing the e-commerce application, attackers can also gain access to more critical internal systems that could otherwise have been isolated from the outside world.<\/li>\n<li>Malicious software and computer viruses are among the biggest threats. Viruses come from external sources and can corrupt critical files on systems in the internal network. What if one completely destroys the server on which the application is hosted? That would disrupt the operations of the website. Malicious software that has been accidentally downloaded is able to steal clients\u2019 information before any encryption comes into effect.<\/li>\n<\/ul>\n<h3><span style=\"color: #ff9900;\"><strong>Possible causes<\/strong><\/span><\/h3>\n<p>Most often, employees and users open the door to attackers. According to a survey, easily guessable passwords are responsible for the initial intrusion in 31% of data breaches.<\/p>\n<h3><span style=\"color: #ff9900;\"><strong>Case Study<\/strong><\/span><\/h3>\n<p>eBay, the world\u2019s largest and most used e-commerce platform, suffered a major security breach in 2014. The organization reported that more than 100 million customers were affected. It\u2019s still not clear how the intruders gained access to the eBay database, but this is definitely the right time to analyze and re-evaluate application security.<\/p>\n<blockquote><p>\u201cCyber-attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay\u2019s corporate network,\u201d eBay recently commented. 
\u201cThe company is aggressively investigating the matter.\u201d<\/p>\n<p style=\"text-align: right;\">&#8211;\u00a0eBay<\/p>\n<\/blockquote>\n<p>The hack was examined by security experts when it happened last year. Access was gained by intruding into an employee\u2019s computer, although the exact technique used was not revealed. The attackers also managed to steal users\u2019 hashed passwords. Cracking the hashes takes a lot of time and computing power, but it can be done. The exact number of compromised accounts was not known, but the organization estimated that 145 million accounts were compromised, which makes this a massive data breach. The delay in detecting the breach gave the attackers time to look for other log-in opportunities, and the breached information was sold online.<\/p>\n<h3><span style=\"color: #ff9900;\">The reactive approach they had to follow<\/span><\/h3>\n<p>After the attack, eBay had to ask users to change their passwords. This was done to safeguard users from the impact of the information stolen by the attackers. 
The following information was breached:<\/p>\n<ul>\n<li>Encrypted passwords<\/li>\n<li>Names<\/li>\n<li>E-mail addresses<\/li>\n<li>Physical addresses<\/li>\n<li>Phone numbers<\/li>\n<li>Dates of birth<\/li>\n<\/ul>\n<h6><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-28110\" src=\"\/blog\/wp-ttn-blog\/uploads\/2015\/10\/eBay.png\" alt=\"eBay\" width=\"656\" height=\"250\" \/>Source: www.cnet.com<\/h6>\n<h3><span style=\"color: #ff9900;\">Impacts of a data breach<\/span><\/h3>\n<ul>\n<li>Business disruption<\/li>\n<li>Loss of trust<\/li>\n<li>Penalties from government agencies<\/li>\n<li>Search engine results<\/li>\n<li>Compensation offered to customers<\/li>\n<li>Time and effort lost in investigation<\/li>\n<\/ul>\n<h3><span style=\"color: #ff9900;\">Ways to protect an e-commerce application:<\/span><\/h3>\n<p dir=\"LTR\">The organization\u2019s security team should enforce strict internet browsing rules for all employees. This can be achieved by blocking social networking websites, using strict email protocols and encryption, and adopting a robust BYOD policy. Implementing effective application security is the best way to combat injection attacks and other frequent attacks on e-commerce applications, such as XSS.<\/p>\n<p dir=\"LTR\"><a title=\"Web Application Penetration Testing\" href=\"http:\/\/www.tothenew.com\/testing\/automated-independent-manual-testing\">Application penetration testing of the e-commerce portal<\/a> should be done, and it should be repeated on a regular basis. Such an assessment covers every aspect of the application to discover existing security weaknesses. Beyond what an automated scan offers, this type of testing also includes business logic testing, followed by validation and in-depth probing of the application, and reports any vulnerabilities found. If interested, you can check the case study of one of the e-commerce applications we did at TO THE NEW. 
The following practices should be followed to protect an e-commerce application from a breach:<\/p>\n<ul>\n<li>Use secure encryption on the transmission channel<\/li>\n<li>Don&#8217;t store sensitive data in clear text<\/li>\n<li>Implement a strong password policy<\/li>\n<li>Have an intrusion detection system (IDS) and an intrusion prevention system (IPS) in place<\/li>\n<li>Implement security in layers<\/li>\n<li>Provide security training to employees<\/li>\n<li>Monitor the website\u2019s traffic and logs regularly<\/li>\n<li>Perform regular PCI scans<\/li>\n<li>Patch your servers<\/li>\n<li>Implement a DDoS detection and mitigation service<\/li>\n<li>Use a fraud management service<\/li>\n<li>Back up your site<\/li>\n<li>Introduce red flags and security awareness<\/li>\n<\/ul>\n<p>So it is really important to take proactive steps to secure your e-commerce application from a breach.<\/p>\n<p>I have covered the essence of application security in the Healthcare sector in my last <a href=\"http:\/\/www.tothenew.com\/blog\/essence-of-application-security-in-healthcare\/\">blog<\/a>. Read our next blog post on the <a href=\"http:\/\/www.tothenew.com\/blog\/an-essence-of-application-security-in-financial-sector\/\" target=\"_blank\" rel=\"noopener\">importance of application security in the Finance sector<\/a> \ud83d\ude42<\/p>\n<p>Please let us know your thoughts in the comment section. If you need more insights on e-commerce application security, join us in our webinar. The details are below. Thanks for your time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers and cyber criminals identify E-commerce\u00a0sites as a source of information, such as credit cards and other PII (Personally identifiable information). To protect customers, it&#8217;s necessary to know how to protect the application and the sensitive customer data it has. 
All this involves user&#8217;s trust and assurance on the brand and yes, it is at [&hellip;]<\/p>\n","protected":false},"author":166,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":2},"categories":[2026,1],"tags":[2270,1221,2490,2568,912,1095,2572,2577,2571,2493,2576,2569,2575,2491,2492,2574,2578,2579,2570,2573,824],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/28040"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/166"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=28040"}],"version-history":[{"count":1,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/28040\/revisions"}],"predecessor-version":[{"id":54495,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/28040\/revisions\/54495"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=28040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=28040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=28040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}