Strategies for Securing E-Commerce Applications

Electronic commerce or e-commerce has changed the way we transact, invest, purchase, communicate from virtually anywhere in the world as long as you have internet connectivity. Over the past decade, it has been creating many new exciting opportunities for businesses worldwide.

However, e-commerce web sites are vulnerable to intruder attacks due to reasons aplenty. If there are loopholes or weaknesses in your design, implementation, testing and maintenance phases you'll land yourself into trouble.

This article talks about the major considerations for securing e-commerce applications at scale. Along the way, it will compare the pros and cons of using third-party e-commerce platforms, or building your own from scratch.

The Importance of Securing E-Commerce Applications

The surge in e-commerce transactions over the past few years has necessitated the adoption of security measures to combat security challenges in web applications. This explains why e-commerce security has been a paramount issue since credit monetary transactions (using cards, funds transfer, e-shopping) are involved in e-commerce transactions.

Today, we've many web applications that are in use for e-commerce. You can leverage such apps to book a flight ticket, order food, buy goods, sell goods, and what not! Businesses of all sizes, big or small, are now taking advantage of e-commerce applications to boost revenue. However, while e-commerce opens many opportunities for today's businesses, it comes at the cost of security threats. 

Since security is a major concern in e-commerce applications, these business houses need to consider the security implications as well to keep their businesses safe at and the same time keep customer's sensitive data such as credit card information, banking information safe as well.

Risks Associated With E-Commerce

Some of the potential e-commerce security threats include the following:

1. Phishing

This is a technique used by hackers to get personal information as well as banking information of the user by using emails, text messages, or even phone calls.

2. Malware Injection

Malware or "malicious software" is a technique in which the attacker attempts to gain access to the victim's computer. It can delete or encrypt data, take control of your devices or even cause your device to become unusable.

3. Man in the Middle

Man-in-the-middle cyber-attacks occur when an attacker invades the communication of two entities who think they are communicating directly and may even change or manipulate the data being transferred. In contrast to a hacking attack, MITM emphasizes invading one party's privacy while relaying messages between two parties undisclosed to both. 

This can happen in many ways, including but not limited to internet surfing, conducting transactions online, and even personal chats. The attacker, in this case, usually intends to obtain private data such as personal details, usernames and passwords, bank account data, or even listen in on conversations meant to be confidential.

4. SQL Injection

SQL Injection is security vulnerability, a serious security threat that enables an attacker to execute unauthorized SQL commands by embedding them in the SQL statements by taking advantage of non-validated input in Web applications that attempt to build SQL queries dynamically. Hence, it is a technique in which SQL keywords or statements are injected into the SQL queries your application is using. This is a data breach as the hackers can gain access to the application's data without your knowledge.

This typically happens in situations where your application accepts user input and builds SQL statements dynamically without a proper input validation mechanism. How? Let us assume that there is a Login form where the user needs to fill in the user name and the password and then click on the Submit button to log in to an application. Suppose the user fills out the form as shown below:

Login: ' OR ''=' 

Password: ' OR ''='

The resultant query is:

SELECT userName FROM Users WHERE userName = '' OR ''='' AND Password = '' OR ''=''

This, of course, will always return true. A smart intruder can inject SQL statements into a SQL query that is built dynamically in your application and can turn the query into the form as shown below: 

SELECT * FROM products WHERE productID = 1 or 1=1

This would always return true irrespective of the value of the product id. Hence, your data is under threat!

The best defense against SQL injection is to avoid creating SQL statements dynamically and adopt proper mechanisms to strip off the potentially malicious characters in the input data. The following code snippet shows how SQL injection can be avoided by using parameterized SQL statements.

string connectionString = "Data source=.; database= PayrollDB; integrated security=SSPI";

using (SqlConnection connection = new SqlConnection(connectionString ))

{

    string strSQL = "INSERT INTO Employee (FirstName, LastName, IsActive)   

   Values(@x,@y,@z)";     

    connection.Open();

    SqlCommand command = new SqlCommand(strSQL);

    command.Parameters.AddWithValue("@x",firstName);

    command.Parameters.AddWithValue("@y",lastName);

    command.Parameters.AddWithValue("@z",isActive);

   command.ExecuteNonQuery();

}

5. Cross-site scripting (XSS)

Cross-site scripting in yet another security risk that is common in web applications. In this type of security vulnerability, the hackers insert malicious scripts into benign and trusted websites. In other words, the hacker adds source code to a web page which is then executed in the web browser of the user.

XSS vulnerabilities may occur if one or more of the following occurs:

• Input data is not validated

• The web browser output data is not HTML encoded

Consider the following piece of code:

https://thisisanexamplewebsite.com/status?message=This+is+a+test+message.

<p>Status: This is a test message.</p>

Since the application doesn't process the data, an attacker can easily create an attack like this:

https://thisisanexamplewebsite.com/status?message=<script>/*+Insert+malicious+code+here.*/</script>

<p>Status: <script>/* Insert malicious code here. */</script></p>

6. Distributed Denial of Service (DDoS)

A Distributed Denial of Service (DDoS) attack is a form of cyber assault wherein different systems (often part of a botnet) bombard a particular target — like a server, website, or network — with excessive traffic in an attempt to deplete the target’s resources and render it inaccessible to legitimate users.

Here is how DDoS attacks work:

• Malicious software is used by cybercriminals to target and infect various devices, including computers and smart phones.

• These infected devices form a network, referred to as a botnet.

• The botnet now overwhelms the target server or network with a plethora of requests. 

• Due to the deluge of requests the target server receives, it crashes or goes offline for long periods.

Refer to the following piece of code that illustrates how a method can be used to asynchronously send a GET request:

using System;

using System.Net.Http;

using System.Threading.Tasks;

static readonly HttpClient client = new HttpClient();

try

{

HttpResponseMessage response = await client.GetAsync("http://thisisanexamplewebsite.com/");

response.EnsureSuccessStatusCode();

string responseBody = await response.Content.ReadAsStringAsync();

Console.WriteLine(responseBody);

}

catch(HttpRequestException e)

{

     Console.WriteLine("Exception occurred!"); 

}

The preceding piece of code when executed, sends a Http GET request to the URL mentioned in the code and displays the response body. A similar pattern could be used to measure how a server responds to single, legitimate requests from different clients in a legitimate testing scenario.

Securing E-Commerce Web Sites Using Microservices

Microservices architecture has been used for building e-Commerce applications in recent times. It is a good choice for implementing the latest trends such as new payment methods, voice assistants, sans the possibility of significant risks. Microservices architecture enables you to integrate POS, ERP, or WMS solutions easily.

Enterprises like Amazon and Coca Cola have leveraged microservices to replace their legacy monoliths. The leading eCommerce companies such as eBay, Etsy, Gilt, etc., joined the movement and migrated their legacy systems into microservices. However, one of the downsides of using microservices in e-Commerce applications is poor performance since the microservices need to communicate with one another.

Why Is Microservices Architecture the Best Choice for E-Commerce?

Using microservices architecture in e-commerce has the following benefits:

• Integration with e-commerce platforms - By leveraging microservices architecture you can integrate e-commerce platforms with multiple systems such as ERP, WMS, etc. 
• Consistent User Interface - You can adopt frontend as a microservice strategy - this would help you build a consistent unified user interface that connects to multiple backend APIs
• Seamless data updates - Microservices architecture will help you build an e-commerce application that can seamlessly connect to databases and retrieve data or update data as and when needed
• Implementing Innovations - Microservices architecture enables you to enhance your e-commerce application seamlessly - you can easily implement your updates or innovations in one or more modules without disturbing the other modules of the application

Third-Party E-commerce Platforms

You should choose a secure platform even before you set up your e-commerce site. The third-party e-commerce platforms host and manage online sales by charging a fee. You can pay this fee (for hosting, domain, SSL certificates, storage) to these e-commerce platform providers to run your e-commerce stores quickly. This approach is time-efficient, convenient, boosts revenue and provides you exposure to a huge customer base. That said, the major downsides are loss of identity and limited branding, expensive, etc. 

There are many e-commerce platforms available for you - you can select one from this list:

• BigCommerce
• Shopify
• Square
• Wix
• WooCommerce
• 3DCart

You can even create one from scratch. While this approach will give you a lot of flexibility and control, it is not advisable for new comers to the e-commerce space.

Protect Your E-Commerce Site

Although it is easy to set up an e-commerce site these days, keeping your site's data secure, i.e., safe from intruders and prying eyes is not that easy at all. You should adhere to the best practices and guidelines to protect your e-commerce site.

Avoid Storing Sensitive Data

Always refrain from storing sensitive data of your customer such as credit card or banking information so that the sensitive information is not compromised. If sensitive information is compromised then you would lose your customer's trust. You can take advantage of tokens in lieu of customer information to help prevent such credit card or banking frauds.

Choose a Secure E-Commerce Platform

Since e-commerce web sites need to handle sensitive data which can contain your credit card information, banking account details, etc., it is imperative that you build a secure e-commerce website by leveraging a secure platform. You should ensure that you're using a trusted and secure platform. 

A good e-commerce provider will constantly monitor all e-commerce websites on the platform for any security issues and deploy fixes to any security issues that are found. There are open-source and proprietary e-commerce platforms aplenty. However, whatever e-commerce platform you'd like to use for your e-commerce website, you must ensure that there are extensive security measures in place.

Ensure That Your Website Is PCI DSS Compliant

If you're processing online payments, you must ensure that your e-commerce site is Payment Card Industry Security Standards Council (PCI DSS) compliant. Fortunately, there are some payment integrators such as Stripe who encrypt and store credit card information so you don't need to store any sensitive banking information at your end.

Implement SSL Certificates

Secure Socket Layer (SSL) is the defacto standard for securing sensitive information that is passed over the wire during online transactions. SSL certificates are used to authenticate the identity of users as well as encrypting sensitive data that is passed over the wire—both on the store and in transit.

Use Two-Factor Authentication

Security breaches often occur if you're not using strict security measures as far as authentication is concerned. Hackers use multiple phishing ways to steal your user credentials and access the application. Once this happens, the security of your e-commerce site is compromised!

A good way to prevent such attacks is by implementing two-factor authentication. This actually adds an extra layer of security on top of the security mechanism you've already implemented for your e-commerce website. In this security mechanism, a user needs to provide to means of authentication. 

One of them is the combination of username & password and the other might be an OTP (an acronym for One Time Password) or an autogenerated security code with would expire after a short duration. This security code is sent to the user's verified mobile number. While the hacker might be able to crack the username & password combo, it would be very difficult to know the security code.

Keep Your Site Updated

You should be aware of the fact that unpatched applications and extensions make your e-commerce website vulnerable to security threats. It is very important that you keep your e-commerce website always updated with the latest security updates. You can reduce the possibilities of security attacks by applying the latest security updates.

Use Content Delivery Network

A content delivery network geographically distributed network of servers that helps minimize the delays in loading content by serving the web pages from a location that is nearest to the end user. CDNs are adept at identifying traces of malware as well as blocking DDoS attacks.

Conclusion

The emergence of e-commerce applications and their growing popularity over the past few years has necessitated the adoption of best practices to combat the security risks involved to keep your and your customer's confidential data safe from intruders.