May 31, 2008

Add to del.icio.us     Digg this

For most eTailers and eCommerce site owners and managers, security continues to be a top priority, and retailers are now investing heavily in improved security implementations to better monitor and manage system vulnerabilities and control access.

But even with all this attention to security, Gartner still finds little or no correlation between enterprises that spend the most on security and enterprises that are the most secure.

Of course many would say this seems a bit counterintuitive, but for experts in software security, Gartner's findings correspond with one of the biggest issues eTailers face when trying to comply with industry standards such as the Payment Card Industry Data Security Standard.

While it's not a new problem, security breaches last year and since the beginning of this year have exposed private customer data of high-profile retailers such as TJX, RadioShack, CVS, Neiman Marcus, Gap and the Hannaford grocery chain, generating negative attention among customers, press and legislators.

"Weak software" and loosely secured servers continue to be one of the most common weaknesses exploited by criminals targeting personal information. In reports of the privacy breaches at BJ's Wholesale, ChoicePoint and DSW, the Federal Trade Commission named specific lapses in security on which it based the imposed penalties, including:

Storing consumer information in unencrypted files

Unnecessarily storing consumer information

Not using readily available security measures

Not adequately assessing the vulnerability of computer networks

SQL Injection attacks

Critical database breaches such as SQL Injection attacks are taking a large toll on eCommerce sales. Slightly over 23.4 percent of Americans refuse to make online purchases because they fear their financial information will be stolen, according to a study from the Cyber Security Industry Alliance (CSIA).

That number represents about $3.8 billion in lost transactions, the CSIA estimates. In a nationwide survey of 1,150 adults, CSIA also found that about half of Internet users are concerned about the safety of their financial information online.

The increased focus on application security in the latest revisions of the PCI DSS can be traced directly to many of the recent high profile breaches, where vulnerable software and insecure applications have been the point of access for hackers, and the source of data loss.

With increased public attention and legislative focus, it is becoming increasingly clear that those responsible for oversights that lead to theft of customers' identities will face more than public backlash.

Combined with losses in customer trust and brand image, liability concerns are strengthening the business case in all industries for tighter protection against identity theft.

PCI DSS Requirement 6.6, which falls under the main heading of developing and maintaining secure systems and applications, covers the security of Web-facing applications. Specifically, Requirement 6.6 states that all custom application code must be reviewed for common vulnerabilities by an organization that specializes in application security or there must be a Web application firewall installed in front of Web-facing applications.

This requirement will be considered a "best practice" until June 30, 2008, and then it becomes a requirement. This requirement, together with the other detailed requirements of the section, make application security a cornerstone in the drive to protect cardholder data. It is a clear recognition that true data security must begin at the source.

As retailers struggle to avoid being the next victim of targeted attacks and public exposure, they must look to what these breaches can teach them: Data security starts with software security. It is in source code that encryption is enforced, the security of network communications is established, and access control is set (or not).

Therefore, it's in the source code that the drive for compliance with the PCI DSS, and the effort to secure private cardholder data must begin. Application security represents one of the areas most challenging to retailers subject to PCI regulations.

The most recent guidance surrounding the PCI DSS specifically calls out Requirement 6.6. While this requirement is considered by many to be the most difficult in PCI DSS, it strongly reflects the growing industry understanding about the impact of insecure applications on data privacy.

The leading source code analysis solutions use an extensive vulnerability knowledge base powered by a scanning engine able to scan large amounts of source code efficiently. Today, these vendors offer retailers a way to automatically audit their software in order to certify adherence to security policies and identify areas of potential vulnerability.

By scanning the source code itself, this technology generates a practical, reliable security assessment of software in legacy systems or during development. It also allows companies to set and enforce strict requirements for software security controls, including those found by the FTC to be lacking among the major companies that were breached three years ago.

The growing focus on secure source code can be linked to the fact that it is the central place where security vulnerabilities to credit card data get introduced the most. It can also be the least expensive place to address them, when source code analysis is performed at the earliest point in the software development life cycle.

For organizations charged with PCI compliance, it makes good business sense to introduce source code scanning processes into the development life cycle for custom and outsourced code. Leaving it solely to the responsibility of an outside organization reduces the financial benefit of early discovery of vulnerabilities and increases the likelihood of project delay and risk.

Add to del.icio.us     Digg this

Source: Gartner.

    This article was featured on Business 5.0.

Advertise on E-Commerce News