A Multi-Tier, Multi-Role Security Framework for E-Commerce Systems

As the use of the Internet for commercial purposes continues to grow, so does the number of security threats that attempt to disrupt online systems (Glisson and Welland, 2005; Deloitte, 2005; Gordon et al., 2005). A number of these threats are in fact unintended (Mackey, 2003). For example, a careless employee might drop a cup of coffee onto essential equipment. However, compared to the brick and mortar world, the Internet offers would-be attackers a more anonymous environment in which to operate. Also, the free availability of hacking tools makes it possible even for the curious teenager to carry out dangerous attacks. Despite this ever-present threat, however, it is all too often the case that security is dealt with (if at all) after a Web application has been developed (Gaur, 2000). This is mainly due to our software development heritage, whereby companies prefer to focus on the functionality of new systems because that provides an immediate return on investment. This paper proposes a framework for building security into Web applications as they are being developed. The core philosophy here is that security is too big an issue to leave up to one person or team after the product has been developed. The framework also provides a quality assurance process and a communication protocol to ensure that all security-related tasks have been carried out.

[1] Mark Micallef et al. Towards a RAD Framework for E-Commerce Systems. WEBIST, 2006.

[2] Mark Micallef et al. An ontology of security threats to web applications. 2006.

[3] Mark Micallef et al. Towards Effectively Appraising Online Stores. SEKE, 2004.

[4] T. E. Diroff. The protection of computer facilities and equipment: physical security. DATB, 1978.

[5] Bruce Schneier et al. Secrets and Lies: Digital Security in a Networked World. 2000.

[6] Ray Welland et al. Web development evolution: the assimilation of Web engineering security. Third Latin American Web Congress (LA-WEB'2005), 2005.

[7] Christopher Krügel et al. Precise alias analysis for static detection of web application vulnerabilities. PLAS '06, 2006.

[8] Michael G. Bailey et al. The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems. CITC5 '04, 2004.

[9] Dewayne E. Perry et al. Metrics and laws of software evolution: the nineties view. Proceedings Fourth International Software Metrics Symposium, 1997.

[10] D. Pinto. Secrets and Lies: Digital Security in a Networked World. 2003.

[11] James D. Herbsleb et al. Software quality and the Capability Maturity Model. CACM, 1997.

[12] Steven R. Rakitin. Software verification and validation: a practitioner's guide. 1997.

[13] Yvonne Coady et al. Are patches cutting it?: structuring distribution within a JVM using aspects. CASCON, 2005.

[14] Roger S. Pressman et al. Software Engineering: A Practitioner's Approach. 1982.

[15] Nalneesh Gaur. Assessing the Security of Your Web Applications. 2000.

[16] Alan O. Freier et al. The SSL Protocol Version 3.0. 1996.

[17] David Mackey et al. Web Security for Network and System Administrators. 2003.