Survey on Security Assessement for E Commerce Website

CHAPTER 1

INTRODUCTION

E-commerce is a transaction of buying or selling online. Electronic commerce draws on technologies such as mobile commerce, electronic funds transfer, supply chain management,   Internet   marketing,   online   transaction   processing,   electronic   data interchange  (EDI),  inventory management systems,  and  automated  data  collection systems. Modern electronic commerce typically uses the World Wide Web for at least one part of the transaction's life cycle although it may also use other technologies such as e-mail.

               Contemporary electronic commerce involves everything from ordering "digital" content for immediate online consumption, to ordering conventional goods and services, to "meta" services to facilitate other types of electronic commerce.

E-commerce website is the main carrier of enterprise and consumer interaction and complete online transactions, it is important to evaluate the performance of enterprise e-commerce  system.  According  to  China  Internet  Network  Information  Center  2010 online shopping market size was over 430 billion yen compared with 2009 that is a substantial growth.

With the popularity and rapid development of Internet, e-commerce has become increasingly integrated into our lives, provides us with the convenience of life, people are becoming increasingly dependent on these services. But in such an open architecture Internet, coupled with the impact of other factors, the e-commerce sites face attack and destruction events which emerge in an endless stream, which great deal of trouble and security risks to our economic activities. With the rapid development of e-commerce sites,  the  presence  of  security  vulnerabilities  in  this  site  is  gradually  exposed. Vulnerability refers to the existence of a system's weaknesses or flaws, it is exploited by the attack which could cause the software to enter an unsafe state. According to Symantec released  the  "Symantec  Internet  security  threat  report",  more  than  60%  of  software security vulnerabilities is about web application, these vulnerabilities could lead web applications  subjected to various attacks, such as denial of service attacks, SQL injection, steal user information.

OWASP (open web application security project) of the ten most important web application threat report showing injection attacks and cross site scripting attacks are most

serious shown in Table.1.1 and Table.1.2.

Table 1.1:  2010 Owasp Ten News Security Threats

Table 1.2:  2013 Owasp Ten News Security Threats

One reason for the security vulnerabilities is due to the lack of experience in the site development staff, the security problem is not enough attention to, the most important[pic 4][pic 5]

is the lack of a comprehensive security testing and evaluation.

Figure 1.1: Typical E-commerce Vulnerabilities

Function of electronic commerce enterprises, scientific evaluation, can effectively help the enterprise to find the technical vulnerability management process, eliminate network of e-commerce platform in the practical application of security risks, effectively at the same time the consumer reasonable consumer guide. Most existing domestic and international ecommerce Web site evaluation limited to site stability evaluation, assessment Consumer Satisfaction Survey and opportunities specific website, lack of a specific security assessment. This paper focuses on the security of e-commerce sites to be tested for security vulnerabilities, and design a targeted safety assessment system, the data obtained by testing, evaluation modules come through a Site Security visualization of quantitative and qualitative results, and convenient for security measures proposed.

Figure 1.2: E-commerce Transaction with Hacker[pic 6][pic 7][pic 8][pic 9]

Figure 1.3: Identifying the risk

One of the main reasons for such vulnerabilities is the fact that web application developers are often not very well versed with secure programming techniques. As a result, security of the application is not necessarily one of the design goals. This is exacerbated by the rush to meet deadlines in the fast-moving e-commerce world. Even one day's delay in publishing a brand new feature on your website could allow a competitor to steal a march over you. Typically found this in cases where e-commerce sites need to add functionality rapidly to deal with a sudden change in the business environment or simply to stay ahead of the competition. In such a scenario, the attitude is to get the functionality online; security can always be taken care of later. Another reason why security vulnerabilities appear is because of the inherent complexity in most online systems. Nowadays, users are placing very demanding requirements on their e-commerce providers, and this requires complex designs and programming logic.