December 14, 2006, 12:00 AM

Web services increase site vulnerability, testing service says

As web sites become more complex, so do their security requirements. Most merchants for which it tests system vulnerability initially fail, Security Metrics says.

Paul Demery

Managing Editor, B2B E-commerce

Consumers want the online transaction between their laptop and an e-commerce server to be secure. But if the e-commerce server is itself vulnerable, “the back door to the bank is open,” says Brad Caldwell, CEO of Security Metrics, a provider of security and testing services to online merchants and other businesses.

Caldwell says he has seen an increase over the past three to four months in requests for quotes on forensics services-in this context, the recovery and resolution between merchants and credit card companies after a merchant’s site and database have been hacked into and credit card data stolen.

Why the increase? As web sites become more complex, so do their security requirements, a fact sometimes overlooked by web site operators adding new web services to make operations more efficient. “If you have a new service like a new mail exchange system, for example, IT has to open up a port in your firewall to do that," Caldwell says. “Every time you open another port, you have potentially added new bugs. And some hacker may find a way to get in through that service. As we expect more and more from technology, we open up more points of entry for an attacker.”

Preventing hackers from getting into an e-commerce database is far less expensive than the cost of forensic services to clear up the aftermath of an attack after it occurs, Caldwell says. Security Metrics provides preventive security testing as well as forensic services, and surprisingly, most of the companies for which it provides preventive security testing initially fail the test.

“People in IT do the things they believe they need to for security, but they may not understand all the facets. We check for thousands of different system vulnerabilities to see if we can get into your system using our automated system, and most merchants fail the test when we do a security analysis,” he says.




Sign In to Make a Comment

Comments are moderated by Internet Retailer and can be removed.

Not a member? Signup for free today!




Relevant Commentary


Jason Squardo / Mobile Commerce

Five tips for achieving high mobile search rankings

Searches on mobile devices will soon exceed those on computers, Google says. Retailers that keep ...


Sergio Pereira / B2B E-Commerce

Quill turns to its B2B customers for new ideas

Coming in April is a new section of that will let customers and Quill ...