Companies still get the basics wrong on e-business security

Web server flaws, poor authentication mechanisms and faulty log-out facilities are the most widespread e-commerce security vulnerabilities, according to new research from NTA Monitor, writes Daniel Thomas.

The internet security testing firm said the results of its research, conducted between October 2002 and January 2003, show that many companies are still failing to get the basics right when it comes to securing online systems.

"Our experience shows that simple faults are worryingly common and on a level that can be exploited by even the most unsophisticated hacker," said Roy Hills, technical director at NTA. "Good security is about doing the fundamentals. Our results, combined with the rapid spread of the SQL Slammer worm recently, illustrate that people still fail to get the basics right."

The highest-risk flaw NTA regularly found was a lack of security behind the "front door": web server flaws that expose root access, giving hackers access to critical systems once they have gained entry.

Other dangerous flaws commonly discovered included predictable authentication tokens, which make it possible to guess valid tokens to access other accounts on the system, and faulty log-out facilities, which allow a user of a public or shared PC full access to the previous user's account.
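To make the two application-layer flaws above concrete, here is an added illustration (hypothetical code, not NTA Monitor's): a minimal session store that issues counter-based tokens and whose logout only clears the browser cookie, beside a corrected store that uses random tokens and invalidates the session server-side. The class and function names are assumptions for the example.

```python
import secrets

# Two minimal in-memory session stores, constructed to contrast the flaws the
# article names (predictable tokens, logout that does not end the session)
# with the corrected behaviour. Hypothetical code, not NTA Monitor's.

class PredictableSessionStore:
    """Flawed: tokens are a counter, and logout only asks the browser to drop the cookie."""

    def __init__(self):
        self._next = 1000
        self._sessions = {}

    def login(self, user):
        token = str(self._next)  # guessable: the next user's token is this one plus one
        self._next += 1
        self._sessions[token] = user
        return token

    def logout(self, token):
        # The server-side entry is never removed, so anyone who still holds the
        # token (e.g. the next user of a shared PC, via history or cache) keeps access.
        return "Set-Cookie: session=; Max-Age=0"

    def user_for(self, token):
        return self._sessions.get(token)


class HardenedSessionStore:
    """Corrected: random tokens from the OS CSPRNG, and logout invalidates server-side."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256 random bits; unrelated to any other token
        self._sessions[token] = user
        return token

    def logout(self, token):
        self._sessions.pop(token, None)  # end the session on the server, not just in the browser
        return "Set-Cookie: session=; Max-Age=0"

    def user_for(self, token):
        return self._sessions.get(token)


def survives_logout(store_cls, user="alice"):
    """Shared-PC check: does the token still resolve to the user after logout?"""
    store = store_cls()
    token = store.login(user)
    store.logout(token)
    return store.user_for(token) == user
```

Run `survives_logout` against both stores to see the faulty log-out: the flawed store still maps the old token to the user after logout, the hardened one does not.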

To counter these problems, NTA said companies should design e-commerce systems with security in mind from the outset, implementing a secure design across all layers: network, operating system, web server and application.

Alternatively, if a company outsources the development of its e-commerce systems to a third-party supplier, it should build a "security quality of service" clause into the contract, NTA said.

A full list of NTA's top 10 e-commerce security flaws is at
This was last published in March 2003
