Continued from page 1
In addition, it is key that proper testing procedures, source code/change control and defect tracking procedures are in place.
It should go without saying that internet applications which carry out transactions should be thoroughly tested, and yet it is incredible how many ‘holes’ are created on Ecommerce web sites due to shoddy programming and testing. Preferably, web applications should be tried out by ‘professional hackers’ who can look for loopholes in programs written on the web. Silicon.com reported in October that Marks and Spencer’s website (marksandspencer.com) had an error on it caused by a broken link, which when activated produced an error message containing confidential material such as passwords, credit card dummies and other log-in information.
Testing of internet applications should be supported by systems which enable changes to code to be made easily and effectively, so that unauthorized/untested changes do not slip through into the production system and changes made to source code are not later ‘undone’ accidentally due to poor source code control.
Internet Specific Issues
While security should be a concern for any IT organization, there are some aspects of security which are specific to internet-based activities.
Authentication, non-repudiation, encryption, privacy, and integrity of data are all issues made more important by the use of web technologies, inherently an open and anonymous form of communication.
The internet raises additional security issues: it has no centralised infrastructure, it operates 24 x 7 on a huge global scale, and it therefore has millions of potential users, any one of whom could at any time attempt to access non-public information. Some will do so by accident, some just out of curiosity, and some with malicious intent will relentlessly test every aspect of your system until they find a security hole through which they can create havoc.
Security is also a moving target, as new methods become available to hackers all the time and technology advances rapidly. By its very nature, the internet was developed to allow openness, and this makes it all the more complex to implement security over the top of the internet without making it difficult for authorized parties to access the data you wish them to be able to access. Severe damage is often detected too late.
Technologies
Access controls and cryptography can help to prevent unauthorized access to information, but they are only part of the picture.
Organizations are now employing complete PKI and CA infrastructures, such as the Onsite Managed Trust Services provided by Verisign, in order to provide them with the flexibility and control they need throughout the enterprise, allowing them to issue their own digital certificates, secure access to extranets/intranets, secure transactions, encrypt email and carry out authentication.
Access Controls
Hidden URLs – one easy way to restrict access to information and services is to put the information at unpublished URLs and provide the URL only to those who should have access to the information at that address. Clearly this is not a high-security option and is unacceptable for most purposes. There are various tools open to serious hackers that enable them to ‘find’ hidden URLs (spiders etc.), and of course it is possible that the locations of the URLs are passed on to others by those who are authorized to access them.
Host-based Restrictions – it is possible to restrict access to a web address (or to a web server, if using a firewall) by IP address or DNS hostname. This method can enforce that only web users operating from within a particular domain or network can access the web page. This is useful if an external web site contains some pages which should only be accessed by employees of the company, as it can be used to deny access to anyone not operating from within the company’s network. This method is not totally foolproof, as it cannot deal with unauthorized access due to ‘spoofing’ (whereby a user ‘pretends’ to come from an authorized network address).
Identity-based Controls – The most common method of access control on websites is via usernames and passwords. However, passwords are easily shared or forgotten, users often select easily-guessed passwords, and there are a number of tools available to serious hackers that enable them to guess most passwords with ease. Thus, alternative identity-based controls have been developed. Many companies now implement a VPN (Virtual Private Network) to enable employees to connect to internal networks from outside the company, though these can be costly and troublesome to implement. Smart cards, or software, containing an encrypted public key to identify valid users are one of the many other options in this area.
Authentication
Single Sign-on – this technology allows the same user to sign on to multiple Ebusiness applications without having to type in their userid/password for each site. There are a number of offerings of this kind of technology. The most common names in this field are Netegrity SiteMinder and X at the top end, and Gator Ewallet and RoboForms at the lower end of the market.
Integrated Authentication – The best known offering in this area is NT/Windows 2000/3 authentication. This, in effect, provides single sign-on to Microsoft applications that support it, such as SQL Server and any of the Windows operating systems.
Cryptography
Cryptography can be implemented through the encryption of data sent to and from a website and through digital signatures and certificates which ‘prove’ that the sender and recipient are who they claim to be.
Non-repudiation – cryptographic receipts are created so that the author of a message cannot falsely deny sending the message.
Code Signing – a digital certificate can be enclosed within a JAR file (for Java code) or a CAB file (for ActiveX controls) to indicate that the code was created by a trusted party and has not been tampered with since being created.
Confidentiality – encryption can scramble information sent over the internet so that eavesdroppers cannot access the data’s content.
Integrity – digitally signed message digest codes can be used to verify that a message has not been modified while in transit.
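The non-repudiation and integrity points above, as an added example that is not part of the original article: a Go program (standard library only, using Ed25519 rather than any product the article names) that signs the SHA-256 digest of a constructed order message, verifies it with the sender's public key, and shows that the same signature no longer verifies once the message body has been altered in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage carries a message with the sender's signature over its digest.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// Sign hashes the body with SHA-256 and signs the digest with the sender's
// private key; only the key holder can produce it, which is what non-repudiation rests on.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	digest := sha256.Sum256(body)
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the digest from the received body and checks the signature
// with the sender's public key; any change in transit makes the check fail (integrity).
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return ed25519.Verify(pub, digest[:], m.Signature)
}

// Demo signs a constructed order and returns (original verifies, tampered copy verifies).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	order := []byte("order=1234;amount=100.00") // constructed sample message
	signed := Sign(priv, order)
	tampered := signed // same signature, but the body is altered in transit
	tampered.Body = []byte("order=1234;amount=1.00")
	return Verify(pub, signed), Verify(pub, tampered), nil
}

func main() {
	okOriginal, okTampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", okOriginal, okTampered)
}
```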
To read this complete article go to http://mishj.brinkster.net/intranet/esecurity.doc

Michelle Johnston is an Ebusiness expert. She is currently Ebusiness Director of Apogee Interactive Inc. in Atlanta USA.