Website Security: Roundtable for Retailers
Achieving true success as an Internet retailer is difficult enough on its own.

But when merchants take unnecessary risks involving the security of their ecommerce websites - whether they do so intentionally or not - the virtual road to Web success becomes fraught with peril.

Education is the best defense against the multiple website security threats faced by today's online retailers, so we spoke with representatives from four of the leading solutions providers to get some answers. By understanding the specific dangers, the potential havoc they can create, and the strategies and methods that may help prevent them, merchants can rest easier and focus on the already challenging task of running a retail business.

Jeremiah Grossman of WhiteHat Security: Hack yourself first. It is way better to have someone that you know and trust constantly attempt to hack your website and point out the weaknesses so they can be fixed. Also implement a Secure Software Development Lifecycle (SDL). When mistakes are identified from the hack-yourself-first policy, tie them back to a missed process or control in the SDL. As a result, over time, new code quality and security will improve dramatically.

Much of the value that a comprehensive security program provides is noticing when a breach occurs, being ready to respond quickly and preventing catastrophic damage - all of which requires ongoing monitoring of traffic and logs.

Johnnie Konstantas of Juniper Networks: Web server-specific protections are a must-have for ecommerce firms. The more advanced solutions will detect attempts at misuse and hacking, even by insiders, well before the attacker is successful. Also, solutions that collect forensic data on attack attempts can help firms continually optimize their security configurations and policies.

Ken Beer of Trend Micro: Merchants who manage their own website ecommerce infrastructure should have an audit done to understand where their current weaknesses are. After the initial audit, ongoing penetration testing and vulnerability scanning should be done so that the site can be tested against the latest threats and techniques. Merchants who outsource their website ecommerce infrastructure should make sure the service provider they use can present the results of such audits and regular scanning activities.

Kurt Baumgartner of Kaspersky Lab: In addition to their Web applications and frameworks, many merchants don't understand default configurations of remotely accessed tools and services on their servers and how to modify and update them, which they need to act on. SQL injection is a problem that should be well understood by merchants' code reviewers and developers so that Web apps can be properly defended. Web admins and developers should be carefully guarded against viral malware and Web-based client-side exploits delivering spyware.
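To make the SQL injection point concrete for code reviewers, here is an added illustration (not code from any of the quoted vendors) using Python's standard sqlite3 module and a constructed in-memory product table. It contrasts a lookup that splices the search term into the SQL text with one that binds it as a parameter; a product name containing an apostrophe is enough to show that the first form lets user input reach the SQL parser as syntax.

```python
import sqlite3


def make_catalogue():
    # Constructed sample catalogue standing in for a merchant's product table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price_cents INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("SKU-1", "Blue Mug", 1299), ("SKU-2", "O'Reilly Poster", 2499)],
    )
    return conn


def search_vulnerable(conn, term):
    # Untrusted input is concatenated into the statement, so any quote
    # character in it is interpreted as SQL syntax rather than as data.
    sql = "SELECT sku FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Parameter binding hands the value to the driver separately from the
    # statement text; the value can never change the query's structure.
    sql = "SELECT sku FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def demonstrate(term="O'Reilly Poster"):
    # Runs both lookups on the same ordinary-looking input and reports
    # what each one returned (or the error the vulnerable form produced).
    conn = make_catalogue()
    results = {"safe": search_safe(conn, term)}
    try:
        results["vulnerable"] = search_vulnerable(conn, term)
    except sqlite3.OperationalError as exc:
        results["vulnerable"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    print(demonstrate())
```

The failing query on a legitimate product name is the same defect that an attacker would exploit; the review rule it illustrates is that every value reaching a statement must be bound, never concatenated.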

Kurt Baumgartner of Kaspersky Lab: Offensive tactics are becoming better known to hackers and widely distributed at no cost. Ready-to-use, scalable, automated, open-source attack packages and many freshly discussed vulnerabilities are quickly catalogued, managed and distributed. Both organized cybercrime and independent cybercriminals are using these tools to their advantage. In many ways, online retail is becoming less secure for the retailers.