IamHDT / Ecommerce-Website-Security-CheckList
GNU General Public License v3.0

Ecommerce Website Security CheckList

   List of considerations for commerce site auditing and security teams. This is a summary of action points and areas that need to be built into the Technical Specification Document, or will be checked in the security testing phases.


Table of Contents

  1. SDLC and development guidelines
  2. PCI DSS (Credit/Debit Card Handling) in applications
  3. Infrastructure hardening (IIS, Apache, Windows)
  4. Password policies
  5. General security best practices
  6. Interfaces
  7. API Security Checklist
  8. What are some proven application security principles?

SDLC and development guidelines

The OWASP Top 10 - 2013 includes the following changes as compared to the 2010 edition:

PCI DSS (Credit/Debit Card Handling) in applications

Essentially, requirements 3, 4, 6, 8 and 10 of PCI DSS version 3.1 apply to the application:

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 6: Develop and maintain secure systems and applications

Requirement 8: Identify and authenticate access to system components

Requirement 10: Track and monitor all access to network resources and cardholder data
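Requirement 3 is the one that most directly shapes application code: the service must never keep sensitive authentication data (CVV/CVC, PIN, track data) after authorization, must mask the PAN wherever it is displayed (at most the first six and last four digits), and may store only a rendering of the PAN that is unusable on its own, such as a strong keyed one-way hash. The following is an added illustration written for this checklist, not code from the project; the record layout, function names, the `PAN_HASH_KEY` environment variable and the test card number are constructed for the example.

```python
"""Added example: preparing a card record for storage under PCI DSS v3.1 Requirement 3.

Assumptions (constructed for this example): the input is a dict with a "pan" key
plus arbitrary other fields; the hashing key comes from the PAN_HASH_KEY
environment variable, which in production would be served by a key-management
system (req. 3.5/3.6), never embedded in source.
"""
import hashlib
import hmac
import os
import re

# Example-only fallback key so the module runs offline; a real deployment fails closed instead.
PAN_HASH_KEY = os.environ.get("PAN_HASH_KEY", "example-only-key-do-not-use").encode()

# Sensitive authentication data (req. 3.2): must not persist after authorization,
# even encrypted. Matched case-insensitively against incoming field names.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cvv2", "cvc2", "cid", "pin", "track1", "track2")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so malformed PANs are rejected before any further handling."""
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked (req. 3.3)."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str) -> str:
    """Keyed one-way hash of the full PAN: lets the system recognise a returning
    card (duplicate orders, fraud rules) without storing the PAN itself (req. 3.4)."""
    return hmac.new(PAN_HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(card: dict) -> dict:
    """Return the only record that may persist after authorization.

    The raw PAN is replaced by its masked form and keyed fingerprint, and any
    sensitive authentication data the caller passed is dropped unconditionally.
    """
    pan = re.sub(r"\s", "", card["pan"])
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    stored = {
        key: value
        for key, value in card.items()
        if key != "pan" and key.lower() not in SENSITIVE_AUTH_FIELDS
    }
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_fingerprint"] = pan_fingerprint(pan)
    return stored


if __name__ == "__main__":
    # Constructed sample using the well-known Visa test number.
    record = prepare_for_storage(
        {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/27", "cardholder": "A N Other"}
    )
    print(record)
```

The fingerprint is keyed rather than a plain SHA-256 because the PAN space is small enough that an unkeyed hash of a 16-digit number can be brute-forced from a leaked table; the key must be managed separately from the database that holds the fingerprints.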

Infrastructure hardening (IIS, Apache, Windows)

Review and implement hardening standards available at www.cisecurity.org

Password policies

For users:

- Minimum 8 characters
- Complexity set requiring a combination of letters, numbers and optional special characters
- Account locked for at least 30 mins after 5 incorrect attempts

For administrators:

- Minimum 12 characters
- Complexity set requiring a combination of letters, numbers and special characters
- Account locked out indefinitely until unlocked after 5 incorrect attempts
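The two policies above differ in three parameters (minimum length, whether a special character is mandatory, and whether the lockout expires or needs an administrator), so they are best expressed as data and enforced by one code path. The following is an added example written for this checklist, not code from the project; the `PasswordPolicy`, `LoginGuard` and `AccountState` names and the injectable clock are constructed for the example. Two details worth noting: an account that is locked rejects even a correct password, so the lock cannot be used to confirm a guess, and for the user policy the failure counter resets only once the 30-minute lock has elapsed.

```python
"""Added example: enforcing the user and administrator password policies above.

Constructed for this checklist; not the project's code. The clock is injectable
so lockout expiry can be tested without waiting.
"""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_special: bool
    lockout_threshold: int
    lockout_seconds: Optional[float]   # None = locked until an administrator unlocks


# The two policies from the checklist, as data.
USER_POLICY = PasswordPolicy(min_length=8, require_special=False,
                             lockout_threshold=5, lockout_seconds=30 * 60)
ADMIN_POLICY = PasswordPolicy(min_length=12, require_special=True,
                              lockout_threshold=5, lockout_seconds=None)


def password_problems(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations (empty list means the password complies)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_at: Optional[float] = None


class LoginGuard:
    """Tracks failed attempts per account and applies the policy's lockout rule."""

    def __init__(self, policy: PasswordPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _lock_active(self, state: AccountState) -> bool:
        if state.locked_at is None:
            return False
        if self.policy.lockout_seconds is None:
            return True                              # administrator unlock only
        return self.clock() - state.locked_at < self.policy.lockout_seconds

    def record_attempt(self, username: str, credentials_correct: bool) -> str:
        """Return 'ok', 'rejected' or 'locked'. A locked account never returns 'ok'."""
        state = self.accounts.setdefault(username, AccountState())
        if state.locked_at is not None:
            if self._lock_active(state):
                return "locked"
            state.failed_attempts, state.locked_at = 0, None   # timed lock has expired
        if credentials_correct:
            self.accounts[username] = AccountState()            # success clears the counter
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self.policy.lockout_threshold:
            state.locked_at = self.clock()
            return "locked"
        return "rejected"

    def admin_unlock(self, username: str) -> None:
        """Manual unlock, the only way out of the administrator policy's lock."""
        self.accounts.pop(username, None)
```

In a real deployment the per-account state lives in a shared store rather than in-process memory, and every transition to "locked" is also written to the audit log required by PCI DSS Requirement 10.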

General security best practices

ISO 27001 Annex A controls (apply the ones applicable and where a risk exists)

Interfaces

Restriction by IP Address
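Restricting an administrative or partner interface by IP address is only as good as the address the check is performed on: behind a load balancer the TCP peer is the balancer, and the `X-Forwarded-For` header is attacker-controlled unless the direct peer is a proxy you trust. The following is an added example written for this checklist, not code from the project; the `check_request` and `resolve_client_ip` names, the allowlist and the sample addresses are constructed for the example.

```python
"""Added example: IP allowlisting for an interface that sits behind a reverse proxy.

Constructed for this checklist; not the project's code. Addresses use the
documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32.
"""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def build_networks(cidrs: List[str]) -> List[Network]:
    """Parse CIDR strings once at startup; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def in_any(address: Address, networks: List[Network]) -> bool:
    # ipaddress returns False for a v4 address tested against a v6 network and vice versa.
    return any(address in network for network in networks)


def resolve_client_ip(remote_addr: str, forwarded_for: Optional[str],
                      trusted_proxies: List[Network]) -> Address:
    """Work out which address to apply the restriction to.

    The X-Forwarded-For header is honoured only when the direct peer is a
    trusted proxy. Proxies append the peer they saw to the right of the list,
    so the real client is the rightmost entry that is not itself a trusted
    proxy; anything to its left was supplied by the client and is ignored.
    Raises ValueError on malformed input so the caller can fail closed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not forwarded_for or not in_any(peer, trusted_proxies):
        return peer
    hops = [ipaddress.ip_address(part.strip()) for part in forwarded_for.split(",") if part.strip()]
    for hop in reversed(hops):
        if not in_any(hop, trusted_proxies):
            return hop
    return peer   # every hop was a trusted proxy; fall back to the peer


def check_request(remote_addr: str, forwarded_for: Optional[str],
                  allowlist: List[Network], trusted_proxies: List[Network]) -> bool:
    """True if the request may reach the restricted interface. Malformed input is denied."""
    try:
        client = resolve_client_ip(remote_addr, forwarded_for, trusted_proxies)
    except ValueError:
        return False
    return in_any(client, allowlist)


if __name__ == "__main__":
    allow = build_networks(["203.0.113.0/24", "2001:db8::/32"])
    proxies = build_networks(["10.0.0.0/8"])
    print(check_request("10.1.2.3", "203.0.113.7", allow, proxies))   # via trusted proxy
    print(check_request("198.51.100.9", "203.0.113.7", allow, proxies))  # spoofed header ignored
```

The allowlist and the trusted-proxy list should both be configuration, and the proxy list must be kept as narrow as the real load-balancer addresses: trusting a whole private range, as the sample does for brevity, lets any host in that range assert an arbitrary client address.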

API Security Checklist

Checklist of the most important security countermeasures when designing, testing, and releasing your API.


Authentication

JWT (JSON Web Token)

OAuth

Access

Input

Processing

Output

CI & CD

What are some proven application security principles?

Authors

HDT