Companies still get the basics wrong on e-business security

Web server flaws, poor authentication mechanisms and faulty log-out facilities are the most widespread e-commerce security vulnerabilities, according to new research from NTA Monitor, writes Daniel Thomas.

The internet security testing firm said the results of its research, conducted between October 2002 and January 2003, show that many companies are still failing to get the basics right when it comes to securing online systems.

"Our experience shows that simple faults are worryingly common and on a level that can be exploited by even the most unsophisticated hacker," said Roy Hills, technical director at NTA. "Good security is about doing the fundamentals. Our results, combined with the rapid spread of the SQL Slammer worm recently, illustrate that people still fail to get the basics right."

The most high-risk flaw regularly discovered by NTA was a lack of security behind the "front door": web server flaws that expose root access, giving hackers control of critical systems once they have gained entry.

Other dangerous flaws commonly discovered included predictable authentication tokens, which make it possible to guess valid tokens to access other accounts on the system, and faulty log-out facilities, which allow a user of a public or shared PC full access to the previous user's account.
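The two application-layer flaws named above, predictable authentication tokens and a log-out that does not actually end the session, are easy to reproduce in miniature. The following is an added illustration written for this page, not code from NTA Monitor or from any site it tested. It assumes a simple in-memory session store (a constructed toy, not a real framework) and contrasts a sequential token source with one drawn from the operating system's CSPRNG, and a log-out that only asks the browser to drop its cookie with one that also deletes the server-side session.

```python
import itertools
import secrets
from typing import Dict, Optional

# Constructed example: a minimal in-memory session store used to show the two
# flaws described in the article. Nothing here is taken from a real product.


class WeakTokenSource:
    """Sequential tokens: each issued value reveals its neighbours.

    This is the 'predictable authentication token' flaw: anyone holding one
    valid token can derive others without guessing.
    """

    def __init__(self, start: int = 1000) -> None:
        self._counter = itertools.count(start)

    def next_token(self) -> str:
        return str(next(self._counter))


class StrongTokenSource:
    """Tokens from the OS CSPRNG: 32 random bytes (256 bits), URL-safe encoded."""

    def next_token(self) -> str:
        return secrets.token_urlsafe(32)


class SessionStore:
    """Maps session tokens to user ids; the server-side half of a login session."""

    def __init__(self, source) -> None:
        self._source = source
        self._sessions: Dict[str, str] = {}

    def login(self, user_id: str) -> str:
        token = self._source.next_token()
        self._sessions[token] = user_id
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Return the user bound to a token, or None if the token is not live."""
        return self._sessions.get(token)

    def logout_broken(self, token: str) -> None:
        """Faulty log-out: the client is told to forget its cookie, but the
        server still honours the token. On a shared PC the next user who
        recovers the cookie (browser history, back button, cache) is still
        logged in as the previous user."""
        return None

    def logout(self, token: str) -> None:
        """Correct log-out: the server-side session is destroyed, so the token
        is worthless even if the browser still has it."""
        self._sessions.pop(token, None)


def is_sequential(token_a: str, token_b: str) -> bool:
    """Smoke test for predictability: do two consecutively issued tokens
    differ by exactly one? Non-numeric tokens never pass this check."""
    try:
        return int(token_b) - int(token_a) == 1
    except ValueError:
        return False


def tokens_are_predictable(source) -> bool:
    """Issue two logins from the given source and check whether the second
    token could have been derived from the first."""
    store = SessionStore(source)
    first = store.login("alice")
    second = store.login("bob")
    return is_sequential(first, second)


def session_survives_logout(broken_logout: bool) -> Optional[str]:
    """Log a user in, log them out (broken or correct), and report who the
    old token still resolves to. None means the session really ended."""
    store = SessionStore(StrongTokenSource())
    token = store.login("alice")
    if broken_logout:
        store.logout_broken(token)
    else:
        store.logout(token)
    return store.user_for(token)


if __name__ == "__main__":
    print("sequential tokens predictable:", tokens_are_predictable(WeakTokenSource()))
    print("CSPRNG tokens predictable:", tokens_are_predictable(StrongTokenSource()))
    print("user after broken log-out:", session_survives_logout(broken_logout=True))
    print("user after correct log-out:", session_survives_logout(broken_logout=False))
```

The audit questions this encodes are the ones a reviewer would put to an e-commerce login: where do session tokens come from, and does the server forget a session when the user logs out, rather than merely asking the browser to.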

To counter these problems, NTA said companies should design e-commerce systems with security in mind from the outset, implementing a secure design across all layers - network, operating system, web server and application.

Alternatively, if a company outsources the development of its e-commerce systems to a third-party supplier, it should build a "security quality of service" clause into the contract, NTA said.

A full list of NTA's top 10 e-commerce security flaws is at www.nta-monitor.com/news/eflaws-detail.htm


This was first published in March 2003
