Top 10 e-commerce security flaws exposed

News

Top 10 e-commerce security flaws exposed

Dan Thomas
Web server flaws, poor authentication mechanisms and faulty logout facilities are the most widespread e-commerce security flaws, according to research from NTA Monitor.

The internet security testing firm said the results of its research, conducted between October 2002 and January 2003, show that many companies are still failing to get the basics right when it comes to securing online systems.

“Our experience shows that simple faults are worryingly common - and on a level that can be exploited by even the most unsophisticated hacker,” said Roy Hills, technical director at NTA.

“Good security is about doing the fundamentals. Our results, combined with the rapid spread of the SQL Slammer worm recently, illustrate that people still fail to get the basics right.”

The most high-risk flaw regularly discovered by NTA was the lack of security behind the “front door”, exposing root access web server flaws, giving hackers access to critical systems once they have gained entry.

Other dangerous flaws commonly discovered during the course of the research included predictable authentication tokens, which make it possible to guess valid tokens to access other accounts on the system, and faulty logout facilities, which allows a user of a public or shared PC full access to the previous user’s account.

To counter these problems, NTA said companies should design e-commerce systems with security in mind from the outset, implementing a secure design across all layers - network, operating system, web server and application.

Alternatively, if a company is outsourcing the development of its e-commerce systems to a third-party supplier, it should build in a “security quality of service” line item into the contract, NTA said.

For a full list of NTA’s top 10 e-commerce security flaws:

 www.nta-monitor.com/news/eflaws-detail.htm


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy