
Figure 9-3: Webserver and E-Commerce Security

Learn about the significance of implementing strong security measures for webservers and e-commerce platforms, including the cost of disruptions, loss of reputation, privacy violations, and more.


Presentation Transcript


  1. Figure 9-3: Webserver and E-Commerce Security
     • Importance of Webservice and E-Commerce Security
       • Cost of disruptions
       • The cost of loss of reputation and market capitalization
       • Cost of privacy violations
       • Links to internal corporate servers

  2. Figure 9-3: Webserver and E-Commerce Security
     • Importance of Webservice and E-Commerce Security
       • Customer fraud (including credit card fraud)
       • Loss of revenues when the product is not paid for
       • Credit card company charge-back fees
       • Must use an external firm to check credit card numbers

  3. Figure 9-3: Webserver and E-Commerce Security
     • Webservers Versus E-Commerce Servers
       • Webservice provides basic user interactions
         • Microsoft Internet Information Server (IIS)
         • Apache on UNIX
         • Other webserver programs

  4. Figure 9-3: Webserver and E-Commerce Security
     • Webservers Versus E-Commerce Servers
       • E-commerce servers add functionality: order entry, shopping cart, payment, etc.
       • Custom programs written for special purposes

  5. Figure 9-4: Webservice Versus E-Commerce Service
     [Figure: layered diagram. Labels: Webserver Software; E-Commerce Software; Subsidiary E-Commerce Software Component (PHP, etc.); Custom Programs]

  6. Figure 9-3: Webserver and E-Commerce Security
     • Some Webserver Attacks
       • Website defacement
       • Numerous IIS buffer overflow attacks, many of which take over the computer
       • IIS directory traversal attacks
         • Normally, paths start at the WWW root directory
         • Adding ../ might take the attacker up a level, out of the WWW root

  7. Figure 9-3: Webserver and E-Commerce Security
     • Some Webserver Attacks
       • IIS directory traversal attacks
         • If the attacker can traverse to the command prompt's directory in Windows 2000 or NT, they can execute any command with system privileges
         • Companies filter out / and \
         • Attackers respond with hexadecimal and Unicode representations of / and \
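The defensive lesson of slides 6 and 7 is that a filter which looks for a literal / or \ in the raw request is checked too early: the check has to run on the fully decoded, normalized path and then confirm that the result still lies under the WWW root. The following example is added here and is not part of the slides; it is a small Python validator with a constructed web root (/var/www/htdocs, an assumption) that percent-decodes until the string stops changing, rejects invalid UTF-8 (which covers overlong encodings of the separator), treats backslashes as separators, and rejects any path whose canonical form escapes the root.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; the real value is deployment-specific.
WEB_ROOT = "/var/www/htdocs"
# Upper bound on nested percent-encoding we are willing to undo.
MAX_DECODE_ROUNDS = 3


class PathRejected(Exception):
    """Raised when a request path must not be served."""


def decode_fully(raw_path: str) -> str:
    """Percent-decode until the string stops changing (handles double encoding).

    errors='strict' makes invalid UTF-8, including overlong sequences such as
    %c0%af, raise instead of silently turning into a separator or a
    replacement character.
    """
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        try:
            decoded = unquote(path, encoding="utf-8", errors="strict")
        except UnicodeDecodeError as exc:
            raise PathRejected(f"invalid UTF-8 in path: {raw_path!r}") from exc
        if decoded == path:
            return path
        path = decoded
    raise PathRejected(
        f"path still decoding after {MAX_DECODE_ROUNDS} rounds: {raw_path!r}"
    )


def resolve_under_root(raw_path: str, web_root: str = WEB_ROOT) -> str:
    """Map a request path onto a filesystem path, or raise PathRejected.

    All checks run on the decoded, separator-normalised form, so the decision
    does not depend on whether a literal '/' or '\\' appeared in the raw input.
    """
    path = decode_fully(raw_path).split("?", 1)[0]  # drop any query string
    if "\x00" in path:
        raise PathRejected("NUL byte in path")
    path = path.replace("\\", "/")  # Windows-style separators count too
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # normpath has collapsed every '..'; anything outside the root is refused.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathRejected(f"path escapes web root: {raw_path!r} -> {candidate}")
    return candidate


def classify(raw_path: str) -> str:
    """Convenience wrapper returning 'OK <fs path>' or 'REJECT <reason>'."""
    try:
        return "OK " + resolve_under_root(raw_path)
    except PathRejected as exc:
        return "REJECT " + str(exc)


if __name__ == "__main__":
    # Constructed sample request paths covering the forms the slides mention:
    # plain traversal, percent-encoded and double-encoded separators,
    # backslashes, and an invalid (overlong) UTF-8 separator.
    samples = [
        "/index.html",
        "/images/../index.html",
        "/../../etc/passwd",
        "/..%2f..%2fetc/passwd",
        "/..%255c..%255cetc/passwd",
        "/%c0%af../secret",
    ]
    for sample in samples:
        print(f"{sample:32} {classify(sample)}")
```

Note that "/images/../index.html" is accepted: traversal that stays inside the root is legitimate, and rejecting every ".." would break ordinary sites. The check that matters is on the canonical result, not on the presence of particular characters in the request.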

  8. Figure 9-3: Webserver and E-Commerce Security
     • Some Webserver Attacks
       • Apache has problems, too

  9. Figure 9-3: Webserver and E-Commerce Security
     • Patching the Webserver and E-Commerce Software and Its Components
       • Patching the webserver software is not enough
       • Also must patch the e-commerce software
       • E-commerce software might use third-party component software that must be patched

  10. Figure 9-3: Webserver and E-Commerce Security
     • Controlling Dynamic Webpage Development
       • Static versus dynamic webpages
       • For static webpages: GET /path/filename.extension HTTP/version
       • CGI to pass parameters to a program: GET /path/programname.exe?variable1="value"&variable2="value"...
         • Inefficient: starts a new copy of the program with each request

  11. Figure 9-3: Webserver and E-Commerce Security
     • Controlling Dynamic Webpage Development
       • ASP is Microsoft's server-side scripting language
       • ISAPI from Microsoft starts a .dll component
         • The component continues to run; no need to start a new copy with each request
     • Controlling software development
       • Programmer training in safe programming methods
       • Auditing for security weaknesses

  12. Figure 9-3: Webserver and E-Commerce Security
     • Controlling Dynamic Webpage Development
       • Deployment
         • Development servers: developers must have wide privileges
         • Staging servers: only testers and systems administrators should have privileges
         • Production servers: only systems administrators should have privileges

  13. Figure 9-3: Webserver and E-Commerce Security
     • User Authentication
       • None: no burden on the customer
       • Username and password: provide some protection but may be given out without checking customer quality
       • IPsec and digital certificates: expensive and difficult for customers
       • TLS with client digital certificates: less expensive than IPsec but difficult for customers
