Over the past decade, e-commerce has created exciting new opportunities for business but has also brought new web application vulnerabilities and transaction security risks. Phishing attacks, website spoofing, payment card skimming (credit and debit cards), fraud in online transactions, malware attacks (malicious code such as viruses, worms, Trojans and bots), hacker/cracker infiltration, vandalism, identity theft and breaches of payment card or bank details are reported with increasing frequency. Web application security risk management is therefore essential for secure e-commerce online transactions, including order processing, payment transactions, and banking and clearing processing. The main purpose of this study was to propose a web application security risk management methodology for e-commerce web applications, helping organizations understand and reduce their e-commerce web application security risks. To achieve this purpose, the study addressed two questions: (1) How can organizations measure the threat likelihood, impact consequence and severity of their e-commerce web application security risks? (2) What management methodology is required to drive the measurement and improvement of e-commerce web application security vulnerabilities? Using the OWASP Top Ten vulnerabilities as target items, the proposed methodology is organized around the PDCA-based iterative process activities of ISO/IEC 27005, integrating Common Criteria attack potential ratings as threat likelihood scales and the FIPS 199 impact categories as impact consequence scales to categorize the severity of every e-commerce web application vulnerability. Following the proposed procedure, all critical e-commerce web application vulnerabilities can be reviewed, analyzed, prioritized and remedied effectively and efficiently, and the cycle then begins again.
Published in: American Journal of Operations Management and Information Systems (Volume 2, Issue 1)
DOI: 10.11648/j.ajomis.20170201.12
Pages: 5-14
License: This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.
Copyright © The Author(s), 2017. Published by Science Publishing Group
Keywords: Attack Potential, Common Criteria, E-commerce Web Application, ISO/IEC 27005, OWASP Ten Most Critical Web Application Security Vulnerabilities
APA Style
Kuo-Sui Lin. (2017). Online Transaction Security Risk Management for E-commerce Web Applications. American Journal of Operations Management and Information Systems, 2(1), 5-14. https://doi.org/10.11648/j.ajomis.20170201.12
Published online 2017/01/03 by Science Publishing Group; ISSN 2578-8310.