Today, consumers want to carry the shop in their pockets, which the advent of e-commerce, m-commerce and smartphones has made possible. The e-commerce industry is growing at a torrid pace, handling online transactions and holding confidential records of its consumers. A security breach costs this industry far more than most others because the business is built on customer trust: a single serious breach can shut an entire business down, since consumers will not risk monetary transactions with a vulnerable platform. E-commerce security is therefore mandatory for the business, not optional.
A distributed denial of service (DDoS) attack is a serious threat to an e-commerce business because it can take the entire business offline temporarily. A DDoS attack may be launched by cyber criminals or by business rivals; either way the blackout erodes consumer confidence and has a major business impact.
Insider threats from a malicious user can lead to data leakage to a rival, or to misuse of consumer data that causes a compliance or regulatory breach. Mobile applications that enable anytime, anywhere shopping bring yet another set of security challenges for the e-commerce business, and these must be addressed as well.
In past engagements, the security issues I have encountered most often in e-commerce portals across the industry are the following:
- Cross Site Scripting
- Cross Site Request Forgery
- Sensitive Information Disclosure
- Session Related Flaws
- Weak Authorization Controls
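As an added illustration of three items on this list (it is not code from the original page or from any client engagement), the following Python shows the vulnerable form beside the hardened form for Cross Site Scripting (unescaped output), Cross Site Request Forgery (a state-changing POST with no token) and Session Related Flaws (predictable session identifiers and missing cookie attributes). The request dictionaries, the `SERVER_SECRET` value and the sample review text are constructed for the example.

```python
import hashlib
import hmac
import html
import secrets

# Constructed server-side secret for this example only (assumption; a real
# deployment loads it from a secrets store, never from source code).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


# --- Cross Site Scripting: reflecting user input into HTML ---------------

def render_review_vulnerable(user_text: str) -> str:
    """Interpolates raw user input into an HTML page; any markup it
    contains is interpreted by the visitor's browser (XSS)."""
    return f"<p class=\"review\">{user_text}</p>"


def render_review_hardened(user_text: str) -> str:
    """HTML-escapes the input before interpolation into an HTML text
    context, so the browser renders it as text rather than markup."""
    return f"<p class=\"review\">{html.escape(user_text, quote=True)}</p>"


# --- Cross Site Request Forgery: state-changing POST without a token -----

def issue_csrf_token(session_id: str) -> str:
    """Derives a per-session CSRF token as HMAC(secret, session_id); the
    server recomputes it on each request instead of storing it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def checkout_vulnerable(request: dict) -> str:
    """Accepts any POST that carries a session cookie. Browsers attach
    cookies automatically, so a form submitted from another site passes."""
    if not request["cookies"].get("session"):
        return "rejected: not logged in"
    return f"ordered {request['form']['item']}"


def checkout_hardened(request: dict) -> str:
    """Requires a CSRF token in the form body that matches the token bound
    to the session cookie; another origin cannot read or derive it."""
    session_id = request["cookies"].get("session")
    if not session_id:
        return "rejected: not logged in"
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, expected):
        return "rejected: missing or invalid CSRF token"
    return f"ordered {request['form']['item']}"


# --- Session related flaws: identifier strength and cookie attributes ----

def new_session_id() -> str:
    """Unpredictable session identifier from the OS CSPRNG; sequential or
    time-derived identifiers are a classic session flaw."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value whose attributes keep the session cookie off
    plaintext connections, away from script, and off cross-site requests."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    # Constructed sample input: a review containing markup, and a cross-site
    # POST that carries the session cookie but no CSRF token.
    review = "<script>alert(1)</script>"
    print(render_review_vulnerable(review))
    print(render_review_hardened(review))

    sid = new_session_id()
    forged = {"cookies": {"session": sid}, "form": {"item": "tv"}}
    print(checkout_vulnerable(forged))   # accepted: this is the CSRF flaw
    print(checkout_hardened(forged))     # rejected
    legit = {"cookies": {"session": sid},
             "form": {"item": "tv", "csrf_token": issue_csrf_token(sid)}}
    print(checkout_hardened(legit))      # accepted
    print(session_cookie_header(sid))
```

The same pattern carries over to an assessment checklist: for each page that reflects user input, confirm the escaping matches the output context; for each state-changing endpoint, confirm a token bound to the session is required; for the session cookie itself, confirm the identifier is random and the `Secure`, `HttpOnly` and `SameSite` attributes are set.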
Beyond the portal itself, the security of the mobile applications, the perimeter, the DMZ and the internal network is verified through comprehensive application security assessments, security code reviews, network architecture reviews and penetration testing. These assessments identify technical vulnerabilities, logical vulnerabilities and missing best practices. Strong organizational security controls are then established after a thorough risk assessment, followed by employee training, to meet the applicable compliance and regulatory requirements.
I follow time-proven industry best practices and standards, including OWASP, OSSTMM, COBIT, ISO 27001 and PCI DSS, to meet the different compliance requirements of the business.
Our consultants work closely with the clients' technical teams throughout the engagement, assisting with the mitigation of security vulnerabilities and the closing of security gaps. To keep the business in a secure state, the assessments are repeated at regular intervals, giving stakeholders complete peace of mind.