Securing E-Commerce

Posted on the 02 November 2012 by Onlinere @onretailblog

Without wanting to sound too much like a hard taskmaster, if you’re not taking security seriously, you shouldn’t be selling online. A lot of marketing blogs and publishers will spend a great deal of time talking about brand voice, SEO and social media. All the hard work you put into your business following such great advice could be for naught if your security considerations aren’t up to scratch.

PCI-DSS COMPLIANCE

If you’ve no idea what PCI Compliance is and you’re selling online you should stop reading this right now and check out the PCI site. If you’re not compliant you’re at risk of large fines and the loss of your merchant account. While strictly speaking PCI Compliance isn’t a perfect checklist of everything you need to be safe, it does help you implement a series of basic measures to protect your customers and their data. Having been through the process myself, I can tell you it isn’t the sexiest job you’ll ever do and it can be frustrating but you must stick with it and get compliant as soon as possible.

Primarily, PCI Compliance is aimed at securing credit card data. The problem here is that there’s so much more to your online business than simply taking payments. Imagine the damage that could be wrought against your brand if you lost access to your blog, social media accounts or god forbid, administration of your online shop.

PASSWORDS (YOURS)

Bruce Schneier wrote an excellent essay on password security, and he really does know what he’s talking about. The main point I’d like to pick out here is this quote:

If you can’t remember your passwords, write them down and put the paper in your wallet … or better yet – a hint that will help you remember

This can be an excellent method to keep your passwords secure if you have trouble remembering them all; it’s far better to do this than use the same password everywhere. Odds are (if you’re like me) you’re super paranoid about your wallet and thus will keep it nice and safe.

PASSWORDS (YOUR CUSTOMERS)

In an ideal world your customer database would never ever ever be stolen. In reality though, even the big boys can lose their data. No finer example than Sony’s PlayStation loss. The damage caused ran into the hundreds of millions of dollars. Within a few months an online gaming service called Steam was also compromised. Both of these services had huge user bases (100 million vs 35 million respectively). Both of them stored customer details and credit card information. So why did one company hit the news big time and lose over $170m while the other was consigned to be a footnote? Encryption. Steam stored their data in a manner that made the data incredibly difficult to abuse, Sony did not. Steam users were virtually unaffected with no reported cases of credit card theft. Sony customers had to cancel cards, contact their banks about fraudulent use, etc…

The point I’m getting at here is that no system is perfect. When you’re responsible for security you have to look at the worst case scenario at all times. Don’t assume your database is safe.

TRUST NO ONE

If that sounds paranoid, it’s because it is. SQL Injection is a common attack method and it’s easy to prevent by simply being paranoid and distrusting all data sent to your ecommerce site. The basic rule of thumb is to filter incoming data and escape anything outgoing. If you never accept anything that is a threat and never output anything bad either, you’re pretty much there.
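The rule of thumb above, as an added example that is not part of the original post: the same customer lookup written with string concatenation, then with input filtering plus a bound parameter, and output escaped before it reaches an HTML page. The table, column and function names are hypothetical and the data is constructed; Python's built-in sqlite3 stands in for whatever database your shop uses.

```python
import html
import re
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    db.executemany("INSERT INTO customers (email, name) VALUES (?, ?)",
                   [("alice@example.com", "Alice"), ("bob@example.com", "<b>Bob</b>")])
    return db

def find_unsafe(db, email):
    # Anti-pattern: request data is pasted into the SQL text, so it can rewrite the query.
    return db.execute("SELECT name FROM customers WHERE email = '" + email + "'").fetchall()

def lookup(db, email):
    # Bound parameter: the value travels separately from the SQL text and stays data.
    return db.execute("SELECT name FROM customers WHERE email = ?", (email,)).fetchall()

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def find_safe(db, email):
    # Filter incoming data: reject anything that is not shaped like an e-mail address.
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid e-mail address")
    return lookup(db, email)

def render_names(rows):
    # Escape outgoing data before it is placed in an HTML page.
    return "".join("<li>" + html.escape(name) + "</li>" for (name,) in rows)

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input that is not a valid e-mail address
    print(len(find_unsafe(db, hostile)), "rows leaked by the concatenated query")
    print(len(lookup(db, hostile)), "rows returned by the parameterized query")
    print(render_names(find_safe(db, "bob@example.com")))
```

Filtering and parameter binding are separate layers here: the bound parameter alone already stops the input from changing the query, and the filter rejects malformed data before it reaches the database at all.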

There’s a huge wealth of information available about secure coding, but it’s largely language specific. Here are a few links for a couple of the most common server-side scripting languages, but I’d suggest a serious search specifically for your chosen language:

PHP

.NET

HARDWARE

There’s more to keeping your ecommerce site secure than keeping your store locked down tightly. Chances are the default set up for your hosting will have lots of commonly used services open and available for use. If you’ve got nmap or a similar port mapping tool available, run a scan against your site. I’ve included results from a scan of a project of my own below:

PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
443/tcp  open   https

You should have a firewall running on your hosting (either software or hardware) and a good first step for securing the hardware is locking down ports and services you do not require with your firewall. Looking at the example above I’ve got FTP, SMTP and POP3 services open. FTP is an insecure service and one I’m not actually using (You should use SFTP or FTPS for managing files). So really I should block all FTP connections to the server with the firewall. Since I’m not sending or receiving email with this server I should do the same with SMTP and POP3. With those three services blocked that’s three more attack vectors I don’t need to worry about.

But what about if I need a service like FTP open? Well do you need it open, or does the whole world? You should be able to configure your firewall to only allow certain traffic from specific IP addresses for a specific port or service. If you have a static IP address (or use DDNS) you can allow just FTP (for example) from just your address. This allows you access to the services you need, but not everyone. It’s another way to reduce risk.

Of course, removing access to services globally isn’t as good as simply turning them off entirely.
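The review described above can be scripted so it is repeatable after every hosting change. This is an added example, not part of the original post: it parses the scan results shown earlier and sorts each open port into keep, restrict to one address, or switch off. The function names are hypothetical and 203.0.113.10 is a constructed documentation address standing in for your own static IP.

```python
import re

# Scan output as shown in this post (nmap's port table).
SCAN = """\
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   open   smtp
80/tcp   open   http
110/tcp  open   pop3
443/tcp  open   https
"""

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(text):
    """Return (port, proto, state, service) tuples from nmap port-table lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the header line and any other text are skipped
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def audit(text, public, restricted=None):
    """Classify each open port against the services the shop actually needs.

    public: ports the whole world must reach.
    restricted: {port: source address} for services only you need to reach.
    """
    restricted = restricted or {}
    plan = {}
    for port, proto, state, service in parse_ports(text):
        if state != "open":
            continue  # closed or filtered ports are not exposed
        if port in public:
            plan[port] = "keep open"
        elif port in restricted:
            plan[port] = "allow only from " + restricted[port]
        else:
            plan[port] = "disable " + service + " or block at firewall"
    return plan

if __name__ == "__main__":
    # A web shop needs 80 and 443 public; FTP is limited to one admin address.
    for port, action in sorted(audit(SCAN, {80, 443}, {21: "203.0.113.10"}).items()):
        print(port, action)
```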

A firewall is just your first port of call. Don’t forget that the services and software that keep your ecommerce shop running like Apache, IIS, MySQL, MSSQL, etc… will be regularly patched by their creators. If your server is running old software it may be exploitable by various means, compromising your shop.

SUMMARY

There’s a lot more detail available elsewhere regarding secure sites: I’d recommend spending some time on OWASP if you’re a bit technical. But as a summary of some key points, here’s a nice bullet point list:

  • Use secure coding when building your shop or find an agency that does: cutting costs and/or corners on security is false economy.
  • Look after access to your administration of your shop like you would the keys to a physical store.
  • Protect your customers’ details as best as you can. Encryption of their data is your last line of defense.
  • Make sure your hosting environment is as secure as it can be. A good hosting company can help you with this. Paying more for hosts who’ll help you is better than saving money on someone who’ll not take care of you.
