Guidelines and Standards for Securing Web Applications

The security of a website involves more than protecting the source code; it also covers the database, the Cardholder Data Environment (CDE), transactions, inventory data, and more. The security policies must address every aspect of the site that could be compromised, damaged, or stolen. You can follow a variety of guidelines, standards, and best practices to secure the design, operation, and data of your e-commerce site.

In this section, we use the PCI DSS Requirements and Testing Procedures standard, originally developed to secure credit card transactions and cardholder data, as an example. As you will see, this standard extends well beyond credit card processing and is applicable to more than e-commerce.

The PCI DSS

Whether or not the plan for a website includes the acceptance of credit cards, there are few standards for website security better than the “Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures.” This standard, currently in version 4 (as of March 2022), provides an excellent framework for building and maintaining a secure network. The PCI DSS defines the technical requirements a merchant, whether online or on-ground, should implement to secure customer payment card and personal information when processing, handling, storing, and transmitting a transaction. Table 7-2 lists the objectives of the PCI DSS Security Standard and the 12 requirements, grouped by the objective to which each belongs.

Table 7-1 The PCI DSS

OBJECTIVE                                          REQUIREMENTS

Build and maintain a secure network and systems
  1. Install and maintain network security controls.
  2. Apply secure configurations to all system components.

Protect account data
  3. Protect stored account data.
  4. Protect cardholder data with strong cryptography during transmission over open, public networks.

Maintain a vulnerability management program
  5. Protect all systems and networks from malicious software.
  6. Develop and maintain secure systems and software.

Implement strong access control measures
  7. Restrict access to system components and cardholder data by business need to know.
  8. Identify users and authenticate access to system components.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks
  10. Log and monitor all access to system components and cardholder data.
  11. Test security of systems and networks regularly.

Maintain an information security policy
  12. Support information security with organizational policies and programs.

Data from PCI Security Standards Council. n.d. PCI Security Standards. https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Many other standards, guidelines, and regulations exist, often industry or product specific, that define safeguards for creating a secure network environment. An unsecured web server on a secured network has only slightly more protection than an unsecured server on an unsecured network. If the web server is located on the organization’s network, such as in a data center, the highest possible security levels should be applied to the entire system.

The PCI DSS version 4 is one of the latest security standards that affect websites. In the sections that follow, we take a generic look at its objectives.

Build and Maintain a Secure Network and Systems

A security policy is relatively easy to define; several example policies are available, often including examples for similar websites and products. The hard part is implementing the policy. This objective of the PCI DSS defines network security controls (NSCs) and how they can be used as “enforcement points” that create a defense-in-depth approach to the overall security of a website.

Protect Account Data

If an e-commerce site accepts payments for goods, the merchant certainly wants to protect the financial elements of each transaction. This objective of the PCI DSS sets out a standard for protecting the customer data that is also part of the transaction. The version 4 standard is very technical in its recommendations on the protections that should be implemented.
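The following is an added illustration of what "protect stored account data" looks like in application code; it is not from the PCI DSS document or from this book. It assumes a small card vault kept in a dictionary, a hypothetical `PAN_LOOKUP_KEY` environment variable standing in for a real key-management system, and a sample test card number constructed for the example. The application keeps only a masked PAN and a keyed lookup token, never the full number, and has no field at all for sensitive authentication data such as the CVV, which must never be stored after authorization.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical key for the lookup hash. In a real deployment it would come from
# a key-management system under PCI DSS key-management controls, never from
# source code; the environment variable name here is an assumption.
LOOKUP_KEY = os.environ.get("PAN_LOOKUP_KEY", "example-key-do-not-use").encode()


@dataclass(frozen=True)
class StoredCard:
    masked_pan: str   # what the application may display, e.g. 411111******1111
    pan_token: str    # keyed hash used to find the record again without the PAN
    expiry: str       # expiry is account data but not sensitive authentication data
    # Note: no CVV/CVC field. Sensitive authentication data must never be
    # stored after authorization, so there is simply nowhere to put it.


def normalize(pan: str) -> str:
    """Strip the spaces and dashes people type; validation happens on bare digits."""
    return re.sub(r"[ -]", "", pan)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, so obviously mistyped numbers never reach storage."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; everything else is masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN. A plain SHA-256 would be reversible by brute force
    (the PAN space is small once the issuer prefix and Luhn rule are known), so
    the hash is keyed with a secret that a copy of the database alone cannot reveal."""
    return hmac.new(LOOKUP_KEY, pan.encode(), hashlib.sha256).hexdigest()


def store_card(vault: Dict[str, StoredCard], pan: str, expiry: str) -> StoredCard:
    """Validate, then persist only the masked PAN and the lookup token."""
    pan = normalize(pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("not a valid PAN")
    card = StoredCard(mask_pan(pan), pan_token(pan), expiry)
    vault[card.pan_token] = card
    return card


def find_card(vault: Dict[str, StoredCard], pan: str) -> Optional[StoredCard]:
    """Look a card up by PAN without the vault ever having held the PAN itself."""
    return vault.get(pan_token(normalize(pan)))


if __name__ == "__main__":
    vault: Dict[str, StoredCard] = {}
    # Constructed sample input: a well-known test card number, not a real account.
    card = store_card(vault, "4111 1111 1111 1111", "12/29")
    print(card)
    print(find_card(vault, "4111-1111-1111-1111") is card)
```

The design point is that a dump of `vault` exposes masked numbers and HMAC tokens only; without `LOOKUP_KEY` the tokens cannot be turned back into PANs, which is the property that keeps a stolen database from becoming a cardholder data breach.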

Maintain a Vulnerability Management Program

Website operators did not have to worry much about viruses and malware in the past, but those days are gone, most likely forever. Malware attacks computers; servers are computers, so malware attacks servers, including web servers. Any vulnerability must be treated as a wide-open door, and malware is not the only thing that will come through it: every other form of attack and exploit will also enter any opening it finds.

Implement Strong Access Control Measures

The previous section talked about an open door; this objective covers the ways that door, and any other opening, can be closed or at least controlled. Access, access rights, and access control are not the same thing, and each must be applied to users appropriately. In this area the principle of least privilege, together with identification, authentication, and authorization, is established for the website as well as for the back-end servers and their resources.
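To make the distinction between identification, authentication, authorization, and least privilege concrete, here is an added example (not code from this book or from the PCI DSS) of a small access-control layer for an e-commerce back end. The role table and permission names are constructed for the illustration. Identification is the claimed username, authentication proves it with a salted PBKDF2 hash compared in constant time, and authorization is a separate deny-by-default check against a role that grants only what the job needs; every decision is written to an audit list so it can be reviewed later.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Constructed role table. Each role carries only the permissions its job needs
# (least privilege); anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "customer": {"order:create", "order:read_own"},
    "support": {"order:read_any", "refund:request"},
    "admin": {"order:read_any", "refund:request", "refund:approve", "user:manage"},
}


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; the stored value never reveals the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    """Keeps identification, authentication and authorization as separate steps."""

    def __init__(self) -> None:
        # username -> (salt, password hash, role)
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}
        self.audit: List[str] = []  # every decision is recorded for later review

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _derive(password, salt), role)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Identification is the claimed username; authentication proves it.
        Returns the principal on success, None on failure."""
        record = self._users.get(username)
        if record is None:
            # Do the same work as a real check so response time does not
            # reveal which usernames exist.
            _derive(password, bytes(16))
            self.audit.append(f"AUTH_FAIL user={username} reason=unknown_user")
            return None
        salt, stored, _role = record
        if not hmac.compare_digest(stored, _derive(password, salt)):
            self.audit.append(f"AUTH_FAIL user={username} reason=bad_password")
            return None
        self.audit.append(f"AUTH_OK user={username}")
        return username

    def authorize(self, principal: str, permission: str) -> bool:
        """Authorization asks whether an already-authenticated principal may do
        one specific thing. The answer is no unless the principal's role grants it."""
        record = self._users.get(principal)
        role = record[2] if record else None
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{verdict} user={principal} perm={permission}")
        return allowed


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse", "customer")   # constructed sample users
    ac.add_user("bob", "staple battery", "support")
    who = ac.authenticate("alice", "correct horse")
    print(who, ac.authorize("alice", "order:create"), ac.authorize("alice", "refund:approve"))
    print("\n".join(ac.audit))
```

Note that a successful `authenticate` grants nothing by itself; a customer who is fully authenticated is still refused `refund:approve`, and an unknown principal is refused everything, because `authorize` starts from "no" and only a role entry can change it.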

Regularly Monitor and Test Networks

Security and privacy events (attacks, breaches, exploits, and so on) are not things that happen only to other sites; unfortunately, they have become all too common and all too destructive. You should be aware of the information available in the system and audit logs on virtually every computer, including web servers and any host or server associated with your website. If a security event occurs, or if you suspect one may have affected your website, the log files can provide a chronological trace of what happened. You may not be able to pinpoint the perpetrator in every case, but at least you can learn the nature of the event and take steps to prevent it from happening again.
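As an added example of pulling that chronological trace out of a log (this is not from the book or the PCI DSS document), the script below parses a handful of constructed web-server access-log lines in the common Combined Log Format, orders them by timestamp, flags any client address with a burst of failed logins inside a short window, and then prints everything that address did afterwards. The sample lines, the `/login` path, the five-failures-in-sixty-seconds threshold and the addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# Note the lines are not in strict time order, as happens with buffered writers.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:14:02:15 +0000] "GET /products HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:02:14 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:02:16 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:02:17 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:02:19 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:14:02:25 +0000] "GET /admin/orders HTTP/1.1" 200 22011 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:14:03:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text: str) -> List[Dict]:
    """Turn raw lines into events and sort them into a chronological trace."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # an unparseable line is skipped rather than aborting the review
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_bursts(events: List[Dict], threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)
                        ) -> List[Tuple[str, datetime, datetime, int]]:
    """Report each client that produced `threshold` or more failed logins
    (HTTP 401 on POST /login) inside any `window`-long period."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            per_ip[e["ip"]].append(e["ts"])
    findings = []
    for ip, times in per_ip.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((ip, times[start], times[end], end - start + 1))
                break                          # one finding per client is enough
    return findings


def trace_after(events: List[Dict], ip: str, since: datetime) -> List[str]:
    """Everything one client did from `since` onward, in order, for the incident record."""
    return [f"{e['ts'].strftime('%H:%M:%S')} {e['method']} {e['path']} -> {e['status']}"
            for e in events if e["ip"] == ip and e["ts"] >= since]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, first, last, n in failed_login_bursts(evs):
        print(f"{ip}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
        print("\n".join(trace_after(evs, ip, last)))
```

Run on the sample, the burst detector flags one address, and the trace that follows shows the failures giving way to a 302 on `/login` and then a successful request to `/admin/orders`, which is exactly the kind of sequence the log review is meant to surface: the attempt, whether it succeeded, and what was reached afterwards. The second address, with a single failed login, is not reported, so ordinary mistyped passwords do not drown the review in noise.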

Maintain an Information Security Policy

It may seem like an endless circle of activity: first you need a security policy so you can develop a security plan, so you can implement security controls, so you can monitor their effectiveness, so you can reexamine the policy for areas where more security is needed or where some can be removed, and on it goes. A security plan is a commitment of the whole organization, not just one department and not just one particular product or function. All members of the organization should be aware of the security policy and how it applies to them.

To download a PDF copy of the full documentation of the PCI DSS standards, visit the PCI Security Standards Council’s website at https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf
