Darshanand Khusial, Software Architect, IBM Toronto, Canada
Ross McKegney, Software Engineer, IBM
This article presents an overview of security and privacy concerns based on our experience as developers of WebSphere® Commerce. WebSphere Commerce is business middleware that accelerates the development of any transaction-oriented business application, from the smallest online retailer to B2B portals and supply chain management applications. For many of our clients, WebSphere Commerce provides an integrated platform that runs both their customer-facing online shopping sites and their internal distributor or supplier portals, as shown in Figure 1.
Figure 1. Common WebSphere Commerce business model
What is e-Commerce?
e-Commerce refers to the exchange of goods and services over the Internet. All major retail brands have an online presence, and many brands have no associated bricks-and-mortar presence at all. e-Commerce also covers business-to-business transactions, for example between manufacturers and their suppliers or distributors. In the online retail space, there are a number of models that retailers can adopt. Traditionally, the Web presence has been kept distinct from the bricks-and-mortar presence, so transactions were limited to buying online and having the goods or services delivered. The online presence is also important for researching a product that the customer later buys in the store. Recently, there has been a trend towards multi-channel retail, enabling new models such as purchasing online and picking up in store. e-Commerce systems are also relevant to the services industry. For example, online banking and brokerage services allow customers to retrieve bank statements, transfer funds, pay credit card bills, apply for and receive approval for a new mortgage, buy and sell securities, and get financial guidance and information.
A secure system accomplishes its task with no unintended side effects. Using the analogy of a house to represent the system: you decide to cut a hole in your front door to give your pets easy access to the outdoors. However, the hole is too large, and it also gives access to burglars. You have created an unintended side effect and therefore an insecure system.

In the software industry, security is viewed from two different perspectives. In the software development community, it describes the security features of a system. Common security features are requiring passwords that are at least six characters long and encrypting sensitive data. For software consumers, security means protection against attacks rather than specific features of the system. Your house may have the latest alarm system and bars on the windows, but if you leave your doors unlocked, it is still insecure no matter how many security features it has. Hence, security is not a list of features but a system-wide process, and the weakest link in the chain determines the security of the whole system. In this article, we focus on possible attack scenarios in an e-Commerce system and provide preventive strategies, including security features, that you can implement.

Security has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only authorized parties to read protected information. For example, if the postman reads your mail, this is a breach of your confidentiality. Integrity ensures that data arrives at the receiver exactly as the sender produced it. If someone slipped an extra bill into the envelope containing your credit card statement, he has violated the integrity of the mail. Availability ensures that authorized parties can reach the resources they are entitled to when they need them. If the post office destroys your mail, or the postman takes a year to deliver it, he has impacted the availability of your...
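The integrity property above is easiest to see with a concrete check. The following Python example is added here and is not code from the article or from WebSphere Commerce; it uses a keyed message authentication code (HMAC with SHA-256 from the standard library) over a constructed "credit card statement" message and a demo key that stands in for a secret shared between sender and receiver. It shows that a keyed tag detects the "extra bill slipped into the envelope", while an unkeyed checksum does not, because anyone who can alter the envelope can also recompute the checksum.

```python
import hashlib
import hmac

# Assumption for the demo: a secret shared only by sender and receiver.
# Constructed value; a real system would use a randomly generated key.
SENDER_KEY = b"constructed-demo-key-do-not-reuse"


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed tag: only holders of `key` can produce a valid tag for `message`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so tag checking does not leak timing information."""
    return hmac.compare_digest(mac(key, message), tag)


def unkeyed_checksum(message: bytes) -> bytes:
    """A plain hash: anyone, including the attacker, can recompute it."""
    return hashlib.sha256(message).digest()


def mac_detects_tampering(key: bytes, original: bytes, appended: bytes) -> bool:
    """Sender tags the original; an attacker appends data in transit.
    Returns True when the receiver's verification fails on the altered message."""
    tag = mac(key, original)
    tampered = original + appended
    return not verify(key, tampered, tag)


def checksum_detects_tampering(original: bytes, appended: bytes) -> bool:
    """Same scenario with an unkeyed checksum: the attacker simply recomputes it
    over the altered message, so the receiver's check passes and tampering is missed."""
    tampered = original + appended
    attacker_recomputed = unkeyed_checksum(tampered)
    receiver_recomputed = unkeyed_checksum(tampered)
    return attacker_recomputed != receiver_recomputed  # always False


def demo() -> dict:
    # Constructed sample message and the attacker's insertion.
    statement = b"Statement 2004-01: balance due $120.00"
    extra_bill = b"\nAdditional charge: $500.00"
    return {
        "genuine_verifies": verify(SENDER_KEY, statement, mac(SENDER_KEY, statement)),
        "mac_detects_tampering": mac_detects_tampering(SENDER_KEY, statement, extra_bill),
        "checksum_detects_tampering": checksum_detects_tampering(statement, extra_bill),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the genuine message verifying, the keyed tag rejecting the altered message, and the unkeyed checksum accepting it. The point for the CIA discussion is that integrity needs something the attacker cannot recompute; a hash alone is not an integrity control, and confidentiality (encryption) by itself does not provide integrity either.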