Security Testing for E-Commerce Applications
Over the past decade, as the e-Commerce market has evolved into a shopping ecosystem spanning multiple devices and store concepts, retailers have continuously innovated the online shopping experience, introducing convenient features such as multi-device optimizations, product customization, quick and secure checkout processes, and recurring payments to attract more customers and influence purchase decisions. The main guidelines followed in this paper revolve around security testing and how it can be performed as manual and automated testing, with the aid of automated security tools. This paper examines the cybersecurity threats e-Commerce applications face and aims to help prevent vulnerabilities from being exploited by malicious users by showing the importance of performing security testing to identify weaknesses, mitigate risks, and raise awareness of the need for strong security measures and procedures.