May 31, 2008
For most eTailers and eCommerce site owners and managers, security continues to be a top
priority, and retailers are now investing heavily in improved security implementations to better
monitor and manage system vulnerabilities and control access.
But even with all this attention to security, Gartner still finds little or no correlation
between enterprises that spend the most on security and enterprises that are the most secure.
Counterintuitive as that seems, for software security practitioners Gartner's finding matches
one of the biggest issues eTailers face when trying to comply with industry standards such as
the Payment Card Industry Data Security Standard (PCI DSS): most security spending goes to
the network and the perimeter, while the vulnerabilities that get exploited live in the
application code itself.
While it's not a new problem, security breaches last year and since the beginning of this year
have exposed private customer data of high-profile retailers such as TJX, RadioShack, CVS, Neiman
Marcus, Gap and the Hannaford grocery chain, generating negative attention among customers,
press and legislators.
"Weak software" and loosely secured servers remain among the most common weaknesses
exploited by criminals targeting personal information. In its reports on the privacy breaches at
BJ's Wholesale, ChoicePoint and DSW, the Federal Trade Commission named the specific security
lapses on which it based the penalties it imposed, including:
Storing consumer information in unencrypted files
Unnecessarily storing consumer information
Not using readily available security measures
Not adequately assessing the vulnerability of computer networks
SQL Injection attacks
Critical database breaches such as SQL Injection attacks
are taking a large toll on eCommerce sales. Slightly over 23.4 percent of Americans refuse to make
online purchases because they fear their financial information will be stolen, according to a study
from the Cyber Security Industry Alliance (CSIA).
That number represents about $3.8 billion in lost transactions, the CSIA estimates. In a nationwide
survey of 1,150 adults, CSIA also found that about half of Internet users are concerned about the
safety of their financial information online.
The increased focus on application security in the latest revisions of the PCI DSS can be traced
directly to many of the recent high profile breaches, where vulnerable software and insecure
applications have been the point of access for hackers, and the source of data loss.
With increased public attention and legislative focus, it is becoming increasingly clear that those
responsible for oversights that lead to theft of customers' identities will face more than public
Combined with losses in customer trust and brand image, liability concerns are strengthening
the business case in all industries for tighter protection against identity theft.
PCI DSS Requirement 6.6, which falls under the main heading of developing and maintaining
secure systems and applications, covers the security of Web-facing applications. Specifically,
Requirement 6.6 requires either that all custom application code be reviewed for common
vulnerabilities by an organization that specializes in application security, or that a Web
application firewall be installed in front of Web-facing applications. The two options are not
equivalent in effect: a code review removes the defect, whereas a Web application firewall
only filters requests reaching an application that remains vulnerable behind it.
This requirement is considered a "best practice" until June 30, 2008, after which it becomes
mandatory. Together with the other detailed requirements of the section, it makes application
security a cornerstone of the drive to protect cardholder data, and it is a clear recognition
that true data security must begin at the source.
As retailers struggle to avoid being the next victim of targeted attacks and public exposure,
they must look to what these breaches can teach them: Data security starts with software security.
It is in source code that encryption is enforced, the security of network communications is
established, and access control is set (or not).
Therefore, it's in the source code that the drive for compliance with the PCI DSS, and the
effort to secure private cardholder data must begin. Application security represents one of the
areas most challenging to retailers subject to PCI regulations.
The most recent guidance surrounding the PCI DSS specifically calls out Requirement 6.6. While
this requirement is considered by many to be the most difficult in PCI DSS, it strongly reflects
the growing industry understanding about the impact of insecure applications on data privacy.
The leading source code analysis solutions combine an extensive vulnerability knowledge base
with a scanning engine able to process large amounts of source code efficiently. Today, these
vendors offer retailers a way to automatically audit their software, check adherence to
security policies and flag areas of potential vulnerability.
By scanning the source code itself, this technology generates a practical, reliable security
assessment of software in legacy systems or during development. It also allows companies to set
and enforce strict requirements for software security controls, including those found by the FTC
to be lacking among the major companies that were breached three years ago.
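As an added illustration of what a source code analyzer looks for (this is example code written for this page, not the product of any vendor the article alludes to), the following uses Python's own `ast` module to find DB-API `execute` calls whose statement text is assembled at run time rather than written as a literal with bind parameters. Commercial analyzers do interprocedural dataflow and taint tracking across many languages; this toy tracks only simple assignments within one function, treats any unresolved name as untrusted, and scans the constructed `SAMPLE_SOURCE` module rather than a real code base.

```python
import ast

# Constructed sample module to scan; not code from the page or any product.
SAMPLE_SOURCE = '''
def find_user(conn, name):
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()

def find_order(conn, order_id):
    return conn.execute("SELECT * FROM orders WHERE id = %s" % order_id)

def find_card(conn, last4):
    return conn.execute(f"SELECT * FROM cards WHERE last4 = {last4}")

def find_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

SINK_METHODS = {"execute", "executemany", "executescript"}


def is_dynamic(node, bindings, seen=frozenset()):
    """True when the expression builds its value at run time from other data.

    A string literal is safe; concatenation (+), printf-style formatting (%),
    f-strings and str.format() are flagged. A bare name is resolved through
    the assignments seen so far in the same function; a name with no known
    assignment (for example a parameter) is treated as untrusted.
    """
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    if isinstance(node, ast.Name):
        if node.id in bindings and node.id not in seen:
            return is_dynamic(bindings[node.id], bindings, seen | {node.id})
        return True
    return False


class SqlSinkFinder(ast.NodeVisitor):
    """Report calls to DB-API execute methods whose statement is dynamic."""

    def __init__(self):
        self.bindings = {}
        self.findings = []   # (line number, source text of the statement argument)

    def visit_FunctionDef(self, node):
        self.bindings = {}   # simple assignments are tracked per function
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.bindings[target.id] = node.value
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in SINK_METHODS
                and node.args and is_dynamic(node.args[0], self.bindings)):
            self.findings.append((node.lineno, ast.unparse(node.args[0])))
        self.generic_visit(node)


def scan(source):
    """Parse Python source text and return the flagged (line, statement) pairs."""
    finder = SqlSinkFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for lineno, stmt in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL statement built at run time: {stmt}")
```

Run against the constructed module, the scanner reports the three functions that concatenate, `%`-format or f-string their query and stays silent on `find_safe`, which passes a literal statement and a parameter tuple. That is the essential shape of the check, and also its limitation: it answers "is the statement text computed?", not "is the computed text actually attacker-controlled?", which is the dataflow question a full analyzer spends most of its engineering on.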
The growing focus on secure source code reflects the fact that the source is where most
vulnerabilities affecting credit card data are introduced. It is also the least expensive
place to fix them, provided source code analysis is performed at the earliest point in the
software development life cycle.
For organizations charged with PCI compliance, it makes good business sense to introduce source
code scanning processes into the development life cycle for custom and outsourced code. Leaving it
solely to the responsibility of an outside organization reduces the financial benefit of early
discovery of vulnerabilities and increases the likelihood of project delay and risk.
This article was featured on Business 5.0.