| Peer-Reviewed

Online Transaction Security Risk Management for E-commerce Web Applications

Received: 31 October 2016     Accepted: 29 November 2016     Published: 3 January 2017
Views:       Downloads:
Abstract

Over the past decade, e-commerce creates exciting new opportunities for business but also brings new web application vulnerabilities and transaction security risks. A stream of news of phishing attacks, website spoofing, payment card skimming (credit /debit cards), fraud in online transactions, malware attack (malicious code attack of viruses, worms, Trojans, and bots), hacker/cracker infiltration, vandalism, identity theft and data breaches of payment card or bank details are increasingly reported. Web application security risk management, therefore, is essential for secure e-commerce online transactions, including order processing, payment transaction, banking and clearing processing. Therefore, the main purpose of this study was to propose a web application security risk management methodology to perform e-commerce web application security risk management, helping organizations understand and improve their e-commerce web application security risks. In order to achieve this purpose, the goal of this study has been two-fold: (1) How will organizations measure threat likelihood, impact consequence and severity of their e-commerce web application security risk? (2) What management methodology is required to prompt the e-commerce web application security vulnerabilities measurement and improvement? Using OWASP Top Ten Vulnerabilities as target items, the proposed management methodology is disciplined in a PDCA based ISO/IEC 27005 iterative process activities, integrating Common Criteria attack potential ratings as threat likelihood scales and the FIPS 199 impact categories as impact consequence scales to categorize severity of every e-commerce web application vulnerabilities. Following the proposed management procedure, all the critical e-commerce web application vulnerabilities can be reviewed, analyzed, prioritized and remedied effectively and efficiently, moving on again in a continuous cycle.

Published in American Journal of Operations Management and Information Systems (Volume 2, Issue 1)
DOI 10.11648/j.ajomis.20170201.12
Page(s) 5-14
Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.

Copyright

Copyright © The Author(s), 2017. Published by Science Publishing Group

Keywords

Attack Potential, Common Criteria, E-commerce Web Application, ISO/IEC 27005, OWASP Ten Most Critical Web Application Security Vulnerabilities

References
[1] C. Revathi, K. Shanthi, A. R. Saranya, A Study on E-Commerce Security Issues, International Journal of Innovative Research in Computer and Communication Engineering, 3(12), pp.12896-12901, 2015.
[2] ISO/IEC 27005: 2011(E), Information technology–Security techniques–Information security risk management, ISO/IEC 27005, 2011.
[3] C. H. Le Grand, Software Security Assurance: A Framework for Software Vulnerability Management and Audit, CHL Global Associates and Ounce Labs, Inc., 2005.
[4] C. Amza, E. Cecchet, A. Chanda, A. Cox, S. Elnikety, R. Gil, J. Marguerite, K. Rajamani and W. Zwaenepoel, Specification and Implementation of Dynamic Web Site Benchmarks, Proceedings of the Fifth Annual IEEE International Workshop on Workload Characterization, Austin, Texas, USA, pp. 3-13, November 25, 2002.
[5] OWASP Top Ten Project, retrieved November 11, 2016, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
[6] Joint Interpretation Library, Application of Attack Potential to Smartcards, Version 2.9, January 2013.
[7] Common Criteria, Application of Attack Potential to Smartcards, Mandatory Technical Document, Version 2.9, CCDB-2013-05-002, May 2013.
[8] FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, Federal Information Processing Standards Publication, February 2004.
[9] SPI Dynamics, Web Application Security Assessment, SPI Dynamics Whitepaper, 2003
[10] IBM Corporation Software Group, IBM Rational AppScan Standard Edition, IBM Corporation, 2008.
[11] Category: Vulnerability Scanning Tools, retrieved November 11, 2016, https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
[12] P. Black, E. Fong, V. Okun and R. Gaucher, Software Assurance Tools: Web Application Security Scanner, Functional Specification Version 10, NIST Special Publication 500-269, Gaithersburg, MD, USA, January 2008.
[13] OWASP Code Review Guide, retrieved November 11, 2016, http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
[14] OWASP Testing Guide, Version 4.0, retrieved November 11, 2016, http://www.owasp.org/index.php/OWASP_Testing_Project
[15] Category: OWASP Application Security Verification Standard Project, retrieved November 11, 2016, https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
[16] K. Kent and M. Souppaya, Guide to Computer Security Log Management, NIST Special Publication 800-92, Gaithersburg, MD, USA, September 2006.
[17] R. Kissel, K. Stine, M. Scholl, H. Rossman, J. Fahlsing and J. Gulick, Security Considerations in the System Development Lifecycle, NIST Special Publication 800-64 Revision 2, Gaithersburg, MD, USA, October 2008.
Cite This Article
  • APA Style

    Kuo-Sui Lin. (2017). Online Transaction Security Risk Management for E-commerce Web Applications. American Journal of Operations Management and Information Systems, 2(1), 5-14. https://doi.org/10.11648/j.ajomis.20170201.12

    Copy | Download

    ACS Style

    Kuo-Sui Lin. Online Transaction Security Risk Management for E-commerce Web Applications. Am. J. Oper. Manag. Inf. Syst. 2017, 2(1), 5-14. doi: 10.11648/j.ajomis.20170201.12

    Copy | Download

    AMA Style

    Kuo-Sui Lin. Online Transaction Security Risk Management for E-commerce Web Applications. Am J Oper Manag Inf Syst. 2017;2(1):5-14. doi: 10.11648/j.ajomis.20170201.12

    Copy | Download

  • @article{10.11648/j.ajomis.20170201.12,
      author = {Kuo-Sui Lin},
      title = {Online Transaction Security Risk Management for E-commerce Web Applications},
      journal = {American Journal of Operations Management and Information Systems},
      volume = {2},
      number = {1},
      pages = {5-14},
      doi = {10.11648/j.ajomis.20170201.12},
      url = {https://doi.org/10.11648/j.ajomis.20170201.12},
      eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajomis.20170201.12},
      abstract = {Over the past decade, e-commerce creates exciting new opportunities for business but also brings new web application vulnerabilities and transaction security risks. A stream of news of phishing attacks, website spoofing, payment card skimming (credit /debit cards), fraud in online transactions, malware attack (malicious code attack of viruses, worms, Trojans, and bots), hacker/cracker infiltration, vandalism, identity theft and data breaches of payment card or bank details are increasingly reported. Web application security risk management, therefore, is essential for secure e-commerce online transactions, including order processing, payment transaction, banking and clearing processing. Therefore, the main purpose of this study was to propose a web application security risk management methodology to perform e-commerce web application security risk management, helping organizations understand and improve their e-commerce web application security risks. In order to achieve this purpose, the goal of this study has been two-fold: (1) How will organizations measure threat likelihood, impact consequence and severity of their e-commerce web application security risk? (2) What management methodology is required to prompt the e-commerce web application security vulnerabilities measurement and improvement? Using OWASP Top Ten Vulnerabilities as target items, the proposed management methodology is disciplined in a PDCA based ISO/IEC 27005 iterative process activities, integrating Common Criteria attack potential ratings as threat likelihood scales and the FIPS 199 impact categories as impact consequence scales to categorize severity of every e-commerce web application vulnerabilities. Following the proposed management procedure, all the critical e-commerce web application vulnerabilities can be reviewed, analyzed, prioritized and remedied effectively and efficiently, moving on again in a continuous cycle.},
     year = {2017}
    }
    

    Copy | Download

  • TY  - JOUR
    T1  - Online Transaction Security Risk Management for E-commerce Web Applications
    AU  - Kuo-Sui Lin
    Y1  - 2017/01/03
    PY  - 2017
    N1  - https://doi.org/10.11648/j.ajomis.20170201.12
    DO  - 10.11648/j.ajomis.20170201.12
    T2  - American Journal of Operations Management and Information Systems
    JF  - American Journal of Operations Management and Information Systems
    JO  - American Journal of Operations Management and Information Systems
    SP  - 5
    EP  - 14
    PB  - Science Publishing Group
    SN  - 2578-8310
    UR  - https://doi.org/10.11648/j.ajomis.20170201.12
    AB  - Over the past decade, e-commerce creates exciting new opportunities for business but also brings new web application vulnerabilities and transaction security risks. A stream of news of phishing attacks, website spoofing, payment card skimming (credit /debit cards), fraud in online transactions, malware attack (malicious code attack of viruses, worms, Trojans, and bots), hacker/cracker infiltration, vandalism, identity theft and data breaches of payment card or bank details are increasingly reported. Web application security risk management, therefore, is essential for secure e-commerce online transactions, including order processing, payment transaction, banking and clearing processing. Therefore, the main purpose of this study was to propose a web application security risk management methodology to perform e-commerce web application security risk management, helping organizations understand and improve their e-commerce web application security risks. In order to achieve this purpose, the goal of this study has been two-fold: (1) How will organizations measure threat likelihood, impact consequence and severity of their e-commerce web application security risk? (2) What management methodology is required to prompt the e-commerce web application security vulnerabilities measurement and improvement? Using OWASP Top Ten Vulnerabilities as target items, the proposed management methodology is disciplined in a PDCA based ISO/IEC 27005 iterative process activities, integrating Common Criteria attack potential ratings as threat likelihood scales and the FIPS 199 impact categories as impact consequence scales to categorize severity of every e-commerce web application vulnerabilities. Following the proposed management procedure, all the critical e-commerce web application vulnerabilities can be reviewed, analyzed, prioritized and remedied effectively and efficiently, moving on again in a continuous cycle.
    VL  - 2
    IS  - 1
    ER  - 

    Copy | Download

Author Information
  • Department of Information Management, Aletheia University, Taiwan, R.O.C.

  • Sections