Ecommerce, as a flourishing industry, is generating an infinity of opportunities for business and wealth expansion, shifting the paradigm of business in its growing course. But this growth comes at a price, given the nature of the process. Online businesses are an usual target for hackers and other types of cybercriminals. A great deal of sensitive data is exchanged between businesses and customers, and, since trust could be considered the biggest and most valuable asset in the whole business dynamic, the biggest possible efforts should be put into improving the security of all the processes involved
What is Security Testing?
Conceptually, it is the process of testing a system in search for vulnerabilities that some malicious agent may exploit. Often, security testing is performed by teams specialized in security. The end goal of security testing is, after such vulnerabilities are found in the system, to analyze them and fix them. Applied to Ecommerce, security testing consists in testing the security of an Ecommerce website or online store and critical components like login page, shopping cart, payment gateway, etc., which are usual attack targets for cybercriminals. All this emphasizes the importance of ensuring there are no data breaches in our system.
What is at stake concerning security in an Ecommerce platform
Hacking and malicious usage is a practice that has been going on since the very beginning of the internet, but unfortunately it has grown at almost the same pace as Ecommerce. The reason is the type and sensitivity of data which Ecommerce websites handle and hold, like user/customer info, credit card/bank account data, user passwords, purchase order details, address details, etc. One of the worst scenarios for an Ecommerce website is such data falling into the wrong hands. Hackers commonly utilize them to steal a user’s identity. This all entails big trouble since a business owner can actually be liable for any caused damage due to such type of security breach.
Some the more common types of vulnerabilities which affect Ecommerce platforms:
- Order management
- Coupon and reward management
- Payment gateway integration
- Content management system integration
Ways in which hackers can exploit system vulnerabilities
- Brute Force Attack: a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. A simple, reliable tactic for gaining unauthorized access to systems and networks. By trying multiple usernames and passwords, often using a computer to test a wide range of combinations, until they find the correct login information.
- Injection: attempt to use application code to access or corrupt a database (SQL injection), network configuration, or operating system content.
- Cross-Site Scripting (XSS): An attacker can use XSS to send a malicious script to an unsuspecting user who eventually thinks the script came from a trusted source, thus letting attacker to masquerade himself and carry out any actions that the user is able to perform, and to access any of the user’s data or even performing actions like rewriting the content of an HTML page.
- Cross-site request forgery (XSRF): also known as Sea Surf or Session Riding, is a security vulnerability that allows an attacker, quite like in XSS, to induce innocent users to perform unintended actions, like submitting a web request. This may cause inadvertent data leakage, change of session state or manipulation of an end user’s account.
- Remote File Inclusion: a technique used to exploit web applications that dynamically reference external scripts (dynamic file include). When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.
- Session Fixation: an attack technique used to force –or fix– a user’s session ID value. An attacker can use the predefined session ID value to hijack its online identity after the user logs in and the session ID has been fixed.
- Unencrypted Data: sites which do not use proper data encryption are most vulnerable to attacks which may extract personal user data such as identity data, credit card numbers, etc.
- Vulnerable Software Components: plugins, libraries and frameworks that run with the same access levels as the core application code, all have vulnerabilities with which attackers can gain access to sites.
- Platform Signatures: Details like operating system, web server, cookies, HTTP headers, application server and database system can be used by attackers targeting a certain system.
Some Important Security Testing Practices/Techniques
- Vulnerability Scanning: typically automated, it is done periodically and is not tied to a specific event (such as a change to the system). It is a proactive approach to finding and remediating vulnerabilities and identifying the vulnerabilities present in our software systems or network
- Penetration testing: is a method used to find security weaknesses, usually to determine the risk of damage from possible attackers. That is, penetration testers will try to find security breaches in our network or software before hackers do.
- Risk Assessment: used to identify and prioritize risks and threats which may expose an organization and its business-critical assets or IT systems. It also helps an organization take the necessary countermeasures for reducing and mitigating risks and give a good response in the event of an attack.
- Security Auditing: review and assessment with a systematic and detailed examination at application and network levels, aimed at verifying compliance with standards, regulations, and policies.
- Source Code Review: to verify the code for specifications compliance. It is a process of looking for errors and vulnerabilities in the code. Usually done by independent security experts, it’s a way to identify and report potential security issues.
Principles to follow in Security Testing
Confidentiality: like a mantra on information security, non-disclosure and not sharing any of the stakeholders’ private information with third parties when it’s not authorized or necessary.
Integrity: private data stored in our systems should not be allowed to be modified by unauthorized agents.
Availability: a user should be able to access his private data, under any circumstance. Therefore, it’s key to have a contingency plan in the case of a data breach.
Authentication: a valid, registered user should be identified as such, in order to access data in the system where he is registered, and, conversely, an invalid user should be identified as such, and hence his access to data, limited.
Authorization: access to certain privileged system resources, like files, services, data, applications and features must be determined through a set of mechanisms.
Non-repudiation: proving the identity of the user or processes sending specific messages or performing specific actions is what protects businesses from fraud and ensures trust from a specific user or computer system.
We’ve discussed concepts concerning Security Testing and learned about some of the risks to which Ecommerce platforms are somehow or somewhat exposed, technical details on how attackers usually proceed, and some of the most used techniques used to perform Security Testing. Finally, we shared a set of principles considered, in the industry, to be a fundamental guide from where all Security Testing activities should follow.