Web stores are the current trend in e-business, and most companies now perform their transactions online. Incorporating e-commerce brings a company a number of advantages: increased sales, access to a wider market, lower operating costs and a higher profit margin. However, a web store also faces threats that can lead to the failure of the system, among them password breaches, denial-of-service (DoS) attacks, ransomware, data destruction and fraud (TechGenYZ, 2018).
Password breaches are among the most dangerous attacks on a networked system. Passwords are what separate one account, and one system, from another. Attackers crack easy passwords, gain access to the system and can then steal the databases or manipulate the processes running in it. Administrative passwords in particular grant access to the hosting servers and the database servers, so the passwords protecting those servers must be strong (Khan, 2014). They should be long and built from high-entropy material that is hard to guess or brute-force.
Secondly, there are distributed denial-of-service (DDoS) attacks (Acharya and Pradhan, 2017). These deny legitimate users the ability to use the system: attackers flood or manipulate the system until it can no longer serve requests, and may also bypass authentication controls to inject malware and take control of it. A DDoS attack can create major business risk that affects the business for a long time, and such attacks can run for a long time before the security administrators notice them (Zhang and Qin, 2010). E-commerce sites are also prone to malware and botnet attacks, which disrupt the transactions on the site. In short, the threats are many.
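To make the detection problem concrete, the following is an added example (not code from the original report) of an entropy-based flood detector in the spirit of the DDoS detection work cited above: when one or a few hosts dominate a window of requests, the Shannon entropy of the source-address distribution collapses. The Common Log Format assumption (client IP as the first field), the window size, the threshold and the log lines themselves are constructed for this example.

```python
"""Entropy-based request-flood detector over web-server access logs.

Added example, not code from the original report. The log format (Common Log
Format, client IP first), the window size and the threshold are this example's
own choices; the sample log lines are constructed.
"""
import math
from collections import Counter
from typing import Iterable, List, Tuple


def source_entropy(ips: Iterable[str]) -> float:
    """Shannon entropy, in bits, of the source-IP distribution in one window."""
    counts = Counter(ips)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def client_ip(line: str) -> str:
    """Common Log Format: the remote host is the first whitespace-separated field."""
    return line.split(maxsplit=1)[0]


def detect_floods(lines: List[str], window: int = 10,
                  min_bits: float = 2.0) -> List[Tuple[int, float]]:
    """Walk the log in non-overlapping windows of `window` lines and return
    (first line index, entropy) for every window whose source entropy falls
    below `min_bits`, i.e. where one or a few clients produce most requests."""
    alerts = []
    for start in range(0, len(lines) - window + 1, window):
        h = source_entropy(client_ip(l) for l in lines[start:start + window])
        if h < min_bits:
            alerts.append((start, round(h, 3)))
    return alerts


# Constructed sample: ten ordinary requests from ten different clients,
# followed by ten requests of which nine come from a single host.
NORMAL = [f'10.0.0.{i} - - [22/May/2018:10:00:{i:02d} +0000] "GET /cart HTTP/1.1" 200 512'
          for i in range(1, 11)]
FLOOD = (['198.51.100.7 - - [22/May/2018:10:01:00 +0000] "GET / HTTP/1.1" 200 1024'] * 9
         + ['10.0.0.3 - - [22/May/2018:10:01:05 +0000] "GET /checkout HTTP/1.1" 200 2048'])
SAMPLE_LOG = NORMAL + FLOOD

if __name__ == "__main__":
    for start, bits in detect_floods(SAMPLE_LOG):
        print(f"window starting at line {start}: source entropy {bits} bits, possible flood")
```

The ten normal requests have an entropy of about 3.32 bits (ten equally likely sources), while the flood window drops to about 0.47 bits and is flagged. A flood from spoofed, randomised source addresses moves entropy the other way, so a production detector learns a baseline from normal traffic and alerts on deviation in either direction rather than on a fixed lower bound.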
Security testing is essential for the web-store application. It covers the availability of the system, confidentiality, proper authentication and the resilience of the system. Since many transactions will be performed through the web-store application, WidgetsInc must ensure the system is secure before launching it (Giac.org, 2018).
A secure system gives the company customer loyalty, more customers, a greater profit margin and lower business-process costs, as well as minimal downtime.
As noted, the security threats are many. The system has to be safe from them, and in the event of an attack or an attempted intrusion the system administrators must be made aware of it. To obtain assurance of the system's security, WidgetsInc delegated the test evaluation of the web-store application to Benny Vandergast Inc., which provided the VMware environment used throughout the testing process. Four major practices were taken into consideration during testing.
Investigation of the system security
The four practices were: recording issues that cannot be recreated, resolving the collisions that arise when tests run at the same time, keeping the process under control when the test matrix becomes hard to manage, and making sure the VMware environment gives effective monitoring of everything that happens in the system.
First, some errors crash the system and cannot be reproduced afterwards, because the state that led to the crash is lost. The solution was the VMware snapshot tool: a snapshot preserves the recorded session, so the testing team could return to the saved state and replay the execution that led to the crash.
Secondly, some tests have to run simultaneously in identical environments. This is challenging, but cloning the virtual machines and fencing their networks, so that clones carrying the same addresses do not collide, makes it practical.
Thirdly, the process has to remain manageable even when the test matrix becomes challenging. The team therefore divided the testing into three levels: the first covered the servers and the databases, the second the network, and the third the workstations to be used. Working level by level eased the testing process.
Finally, the testing crew needed a monitoring system through which anyone involved could quickly identify an intrusion. Opvizor was used as the VMware monitoring tool, and Snapwatcher also played a large role: it tracks and captures the VMware snapshots, which makes monitoring the transactions easier.
Setup and configuration of the virtual test environment
Benny Vandergast Inc. had to set up the virtualization infrastructure, on which VMware ESXi Server was installed. A few prerequisites applied: about 4 GB of RAM was recommended so that multiple VMs could run on top of the base OS, the machine had to support 64-bit virtual machines, and the virtual machines were placed on a disk array separate from the one the operating system runs on. The installer creates basic services that run on the host machine during installation; these services are used to manage the virtual environment. After the installation completed, the computer was restarted and the testing crew installed PowerCLI (Dekens, 2016), which is used to connect to the local VMware ESXi Server (Ixiacom.com, 2018): the server was reached at 192.168.1.1 and the credentials were entered. The other tools required for the testing were then installed in the VM. This simplifies the process and improves VM performance.
Once the installation was complete and successful, Benny Vandergast began the testing process. Virtualization allowed them to consolidate services, use less space, write less code and consume less power (Mastering VMware vSphere 4, 2011).
The network interface cards of the VMware ESXi Server were installed and configured, the operating system was updated, and the virtual machine's IP address and DNS records were updated. When the VM and network configuration were complete, a snapshot of the VM was taken. The snapshot captures the initial configuration of the VM before testing commenced, so that the environment can be returned to that starting point whenever necessary (Keikha and Sadeq, 2015).
Creating configuration files
Data about the environment in which the testing is performed is needed. The environment is given a variable name, for example $testenv, which stores the names of the virtual machines created or cloned, the name of the server and the database table. The network interface card installed in the virtual machine was used to build the configuration file for the runs that would take place later, and the configuration files were also used to produce the report. A NIC variable stores information such as the IP address, DNS servers, subnet mask and more. The scripts are then combined, and the VM produces a config file containing the IP address in use (Offutt, 2008).
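As an added example of what such a configuration file can look like (this is not the testing crew's own script), the following builds the $testenv record described above, validates the NIC values with the standard-library ipaddress module before anything is written, and fingerprints the canonical file so the report can show whether the configuration still matches the snapshot taken before testing. The field names, JSON layout and sample values are this example's own choices; 192.168.1.1 is the ESXi host address given in the report.

```python
"""Building, validating and fingerprinting the $testenv configuration file.

Added example, not the testing crew's scripts. Field names, the JSON layout and
the sample values are this example's own choices; 192.168.1.1 is the host
address named in the report.
"""
import hashlib
import ipaddress
import json
from typing import Dict, List


def validate_nic(nic: Dict) -> List[str]:
    """Return the problems found in a NIC record; an empty list means it is valid."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{nic['ip']}/{nic['netmask']}")
    except (KeyError, ValueError) as exc:
        return [f"ip/netmask invalid: {exc}"]
    try:
        gateway = ipaddress.ip_address(nic["gateway"])
        if gateway not in iface.network:
            problems.append(f"gateway {gateway} is outside {iface.network}")
    except (KeyError, ValueError):
        problems.append("gateway missing or not an IP address")
    dns = nic.get("dns") or []
    if not dns:
        problems.append("no DNS servers listed")
    for server in dns:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"dns entry {server!r} is not an IP address")
    return problems


def build_testenv(name: str, vms: List[str], server: str, db_table: str, nic: Dict) -> Dict:
    """Assemble the $testenv record, refusing to proceed with an invalid NIC."""
    problems = validate_nic(nic)
    if problems:
        raise ValueError("; ".join(problems))
    return {"testenv": name, "vms": sorted(vms), "server": server,
            "db_table": db_table, "nic": nic}


def to_json(cfg: Dict) -> str:
    """Canonical JSON (sorted keys) so the same config always serialises identically."""
    return json.dumps(cfg, indent=2, sort_keys=True)


def fingerprint(cfg: Dict) -> str:
    """SHA-256 of the canonical file: record it with the baseline snapshot and
    compare it again after the tests to show whether the configuration drifted."""
    return hashlib.sha256(to_json(cfg).encode("utf-8")).hexdigest()


# Constructed sample values for the example.
SAMPLE_NIC = {"ip": "192.168.1.20", "netmask": "255.255.255.0",
              "gateway": "192.168.1.1", "dns": ["192.168.1.1"]}

if __name__ == "__main__":
    cfg = build_testenv("webstore-test", ["web01", "db01"], "esxi-01", "orders", SAMPLE_NIC)
    with open("testenv.json", "w", encoding="utf-8") as fh:
        fh.write(to_json(cfg))
    print("baseline fingerprint:", fingerprint(cfg))
```

Storing the fingerprint alongside the snapshot name gives the report a simple, checkable statement that the tested configuration was the one captured before testing started.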
Tests and the test framework
Executing the custom scripts required considerable customization. Some actions were automated by copying files to the guest OS. The automated activities included downloading and installing the software under test, syncing the sources with the tests and frameworks, and managing Microsoft products through the PowerShell API (Tachev, 2016). The executables, including ZIP files, DLLs and other files, were copied into the VM's local file system, and the set was then synced to the source-control repository. Each script that ran either called another script or itself, and its results were returned in real time during the testing phase. Once the results of a test are displayed, another snapshot is taken (Li et al., 2014).
Creating a report
Once the tests were complete, a report of the outcome was generated, based on the snapshots that were taken. The system was found to be vulnerable: the issues identified were weak authentication, malware, phishing, unwanted scripts and a lack of encryption in the web store (Shmueli, 2008).
Weak passwords and inadequate authentication are the main root of security breaches. Some users in the system had set simple passwords such as 1234, which attackers crack with ease. Once attackers have entered the system through a cracked password they carry out malicious activities such as inserting scripts that interfere with the normal transactions of the business (Merali, 2010). The web-store developers had also not protected the stored passwords: passwords stored without hashing can be read directly by anyone who obtains the database. Passwords are a key factor that must be strengthened, by hashing them before storage and by refusing weak passwords when users set them (Gualdoni et al., 2017).
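The following added example (not the web store's own code) shows the two fixes the report calls for: a policy check that rejects passwords such as 1234 when they are set, and storage of only a salted, slow hash so that a stolen database does not reveal the passwords. It uses the standard library only, hashlib.pbkdf2_hmac for the hash and hmac.compare_digest for the comparison; the record format, the minimum length and the short common-password list are this example's own choices.

```python
"""Password policy check and salted password hashing for the web store.

Added example, not the web store's code. The record format
"pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>", the minimum length and the
small common-password list are this example's own choices.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

MIN_LENGTH = 12
COMMON_PASSWORDS = {"1234", "12345", "123456", "12345678", "password", "qwerty", "111111"}
DEFAULT_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves


def policy_violations(password: str) -> List[str]:
    """Reasons a candidate password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(set(password)) < 6:
        problems.append("fewer than 6 distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; a fresh 16-byte random salt per password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str) -> str:
    """Enforce the policy, then return the record to store instead of the password."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    print(policy_violations("1234"))           # why the report's example password is refused
    record = register("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("1234", record))
```

Because the salt is random per user, two users with the same password get different records, and the slow derivation makes offline cracking of a stolen table expensive. A memory-hard function such as scrypt or Argon2 is preferable where a vetted library is available; the structure of the code stays the same.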
Secondly, the system contains malware, a dominant problem for e-businesses. Malware helps attackers extract sensitive information from the web-store application, and a malware attack can destroy the company's reputation and brand, because the attackers insert scripts that interfere with business transactions. Malware can also interfere with the payment process: attackers who obtain customers' credit card information use it in other transactions, which costs the company the trust of its customers and may end with the loss of most of them. Malware programs also wreak havoc by executing actions of their own, such as downloading software without permission and adding illegitimate processes to the system. They facilitate phishing as well: a criminal hosts a site that imitates the company's web-store application and pretends to be the real site, and customers end up handing their credit card information to the attackers. This is a critical area that needs to be addressed.
The data transmitted over the network is not encrypted, which puts customer data at risk. E-commerce involves a large number of transactions and therefore generates a great deal of data; when data in transit is not encrypted and an attacker gains access to it, it is exposed to theft or manipulation. That damages the business through lost customer trust and lost customers. Proper encryption, by contrast, safeguards data against a wide range of threats. Encryption is not trivial to implement correctly, so it is important to follow the right procedure when encrypting the data.
Proposal to the company
One of the vulnerabilities found in the web store is the lack of encryption, and the developers need to apply encryption throughout the system. Critical information is an attractive target for cybercriminals, so encryption must be applied correctly: the developers should first analyse which data requires protection, and the critical and sensitive data ought to be encrypted so that only authorised people can read it. Examples of information that must be encrypted include credit card information, payment details, names, birth dates, social security numbers and similar records. Data in transit must stay encrypted until it reaches its destination and is decrypted there. A further consideration is how the encryption will interact with cloud systems: encryption is necessary in cloud computing and protects company data on cloud-based platforms such as SaaS services and analytics products such as Google Analytics, and although it is more complex there it still has to be done properly. Before encrypting, the developers also have to choose the algorithm, and the algorithm used must meet the international standards. Finally, key management has to be strengthened, since the right handling of keys is what protects the data. The administrators should ensure the decryption keys are properly managed: a decryption key should be shared only with the intended recipients of the data, and encryption keys should be stored in a safe location separate from the data they protect.
The company should also install trusted anti-virus software, which helps reduce attacks on the system. There are several benefits to running anti-virus on the servers. Customers and employees download files from the internet (Anon, 2018), and those files can carry viruses; the anti-virus software detects and removes them, and according to the review cited it detects and deletes 99 percent of known viruses. Anti-virus is also a useful defence against spam: employees receive mail that is of no use to them and whose sender often cannot be identified, and such messages are a common carrier of malicious attachments and links. With anti-virus scanning in place, malware delivered this way is detected and deleted from the system.
In conclusion, security evaluation is a basic practice that should be repeated regularly to ensure the system in use is safe (Kossecki, 2012). Most people believe that transactions done online are safer than transactions done offline; this is not true, as online transactions face a number of threats that offline transactions do not. Online transactions do have many benefits: personal security, wider market access, more sales opportunities, processing around the clock, flexible payments, greater profit margins and international reach. These advantages are only meaningful when the system is secure (Vilalta, 2012). The security controls implemented determine how far attackers can get into the system. Internet security is the most important factor in e-commerce; without it, e-commerce would flop.
Following this test, the company should perform such tests monthly (Rajput, 2009) to ensure that no new vulnerabilities remain in the system. The first security test detected issues that are solvable (Smith, 2008); they should be fixed and prevented from recurring. The system administrator should also monitor the system daily. E-commerce is a successful trend in business, and the administrator should add an e-commerce analytics tool to the system.
An example of an e-commerce analytics tool is Google Analytics. It monitors the traffic and interactions on the site, so the system administrator can see how customers behave there, which also makes it useful for spotting suspicious visitor behaviour. All events relating to a customer are logged in Google Analytics (Farney and McHale, 2013). The tool is free and displays graphical reports of the events taking place on the web store, which helps the company make sound decisions based on those reports (Brock, 2017).
Finally, the security gaps in the system ought to be fixed immediately. Once WidgetsInc has implemented the proposed solutions to the problems identified, the company can expect larger profit margins. The business should always aim for a system with accurate, up-to-date and reliable data.
Ixiacom.com. (2018). The Ixia Difference in Virtualization Testing | Ixia. [online] Available at: https://www.ixiacom.com/resources/ixia-difference-virtualization-testing [Accessed 22 May 2018].
Anon (2018). [online] Available at: https://www.toptenreviews.com/software/articles/the-benefits-of-having-anti-virus-protection/ [Accessed 23 May 2018].
Owasp.org. (2018). Top 10 2014-I2 Insufficient Authentication/Authorization - OWASP. [online] Available at: https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/Authorization [Accessed 23 May 2018].
Imagine Monkey, Inc. (2018). Malware: Protecting Your eCommerce Website. [online] Available at: https://www.imaginemonkey.com/ecommerce-malware/ [Accessed 23 May 2018].
Giac.org. (2018). [online] Available at: https://www.giac.org/paper/gsec/2067/strong-user-authentication-electronic-mobile-commerce/103557 [Accessed 23 May 2018].
Khan, R. (2014). Open Disclosure of Vulnerabilities and Hackers. SSRN Electronic Journal.
Zhang, J. and Qin, Z. (2010). Modified method of detecting DDoS attacks based on entropy. Journal of Computer Applications, 30(7), pp.1778-1781.
Acharya, S. and Pradhan, N. (2017). DDoS Simulation and Hybrid DDoS Defense Mechanism. International Journal of Computer Applications, 163(9), pp.20-24.
Brock, T. (2017). Performance Analytics: The Missing Big Data Link Between Learning Analytics and Business Analytics. Performance Improvement, 56(7), pp.6-16.
Gualdoni, J., Kurtz, A., Myzyri, I., Wheeler, M. and Rizvi, S. (2017). Secure Online Transaction Algorithm: Securing Online Transaction Using Two-Factor Authentication. Procedia Computer Science, 114, pp.93-99.
Shmueli, G. (2008). Statistical Inference with Large (eCommerce) Datasets. SSRN Electronic Journal.
Keikha, Z. and Sadeq, M. (2015). The E-readiness Assessment Pattern Designing with an Approach to Ecommerce (a Case Study Conducted in Sistan and Balouchestan Province of Iran). International Journal of Engineering Research, 4(2), pp.85-92.
Li, H., Wang, S., Liu, C., Zheng, J. and Li, Z. (2014). Software Reliability Model Considering both Testing Effort and Testing Coverage. Journal of Software, 24(4).
Vilalta, A. (2012). Online Dispute Resolution & eCommerce. IN3 Working Paper Series.
Merali, Z. (2010). Hackers blind quantum cryptographers. Nature.
Tachev, T. (2016). API (API Economy). SSRN Electronic Journal.
Kossecki, P. (2012). Building Trust in eCommerce - Quantitative Analysis. SSRN Electronic Journal.
Rajput, W. (2009). E-Commerce systems architecture and applications. Boston, Mass.: Artech House.
Dekens, L. (2016). VMware vSphere powerCLI reference. Indianapolis: Sybex, a Wiley brand.
TechGenYZ. (2018). What is e-commerce and what are the major threats to e-commerce security?. [online] Available at: https://www.techgenyz.com/2017/04/05/e-commerce-major-threats-e-commerce-security/ [Accessed 22 May 2018].
Offutt, J. (2008). Editorial: Software testing is an elephant. Software Testing, Verification and Reliability, 18(4), pp.191-192.
Farney, T. and McHale, N. (2013). Maximizing Google Analytics. Chicago, IL: ALA TechSource.
Mastering VMware vSphere 4 (2011). Sybex Inc.
Smith, G. (2008). Control and security of E-commerce. Hoboken, N.J.: Wiley.