
Tuesday, October 20th, 2009
We at Big Room Studios solve business problems and create web applications. To make our lives easier, and to make product development quicker, we've created a framework for implementing web applications called BRS Core, and one of the things we've used the Core for is to implement e-commerce solutions. Having been in the web business for a long time, we've had a variety of experiences with e-commerce, including the use of third-party applications. In the following articles I will cover some observations and lessons we've learned, which I hope will be helpful for business owners and developers alike.
Part I: Security
Because you will be storing and transmitting private information, one of the most important things to handle correctly is security. In fact, there is a set of security standards, the PCI Security Standards, to which e-commerce hosts must adhere.
There is some mystery around security and encryption. When I speak about security as it relates to the transmission of information via the web or email, I'm talking about keeping it away from people who could use it to commit theft. A key tool in preventing this type of data theft is encryption. Encryption is the act of converting data (using an algorithm called a cipher) into a form (called ciphertext) that cannot be easily understood by unauthorized parties (bad guys). Of course, the data needs to be converted back to readable form, a process called decryption. For the purposes of our e-commerce solutions we rely on two modern cryptography schemes: symmetric-key and public-key encryption. For those of you who are interested, you can get a good primer on Wikipedia, here.
The following tips on information security can help prevent private data falling into the wrong hands:
Secure web pages that transmit personal information (typically order and checkout forms) by using the Secure Sockets Layer (SSL) protocol. The SSL protocol is separate from the security certificates that can be procured from the likes of Verisign/Thawte, which provide a means of verifying that your SSL-secured page is authentic and really originates from the company it claims to. For PCI compliance you must disable weak SSL ciphers. For SSL, we use OpenSSL on our servers.
Secure data you transmit via email. Never send credit card or other private information in email unless it is strongly encrypted. For encrypting text, we use GnuPG.
Do not store credit card information in plain text format in your database. Don't store it at all if you can help it.
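As an added example (not code from the original post or from BRS Core), here is a small Python check for the "disable weak SSL ciphers" tip: it builds a server-side TLS context (TLS being the current form of SSL) restricted to modern OpenSSL cipher suites and verifies that no weak suite remains, and runs the same check over a constructed legacy cipher list. The list of "weak" markers is our own assumption for the example.

```python
import ssl

# Substrings that mark a cipher suite as weak (assumed list for this example):
# no encryption, export-grade, DES/3DES, RC2/RC4, MD5 MACs, anonymous key exchange.
WEAK_MARKERS = ("NULL", "EXPORT", "EXP-", "DES", "RC4", "RC2", "MD5", "ADH", "AECDH", "IDEA", "SEED")


def weak_ciphers(names):
    """Return the cipher suite names from `names` that match a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def hardened_context():
    """Build a server-side TLS context that only offers forward-secret AEAD
    suites and explicitly excludes the weak ones PCI auditors look for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: allow ECDHE/DHE with AES-GCM or ChaCha20,
    # then forbid anonymous, null, MD5, RC4, DES/3DES and export-grade suites.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
    )
    return ctx


def context_cipher_names(ctx):
    """List the suite names OpenSSL would actually offer for this context."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed example of a legacy cipher list, as found in an old server config.
LEGACY_CIPHERS = [
    "EXP-RC4-MD5",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "NULL-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    print("weak suites in legacy list:", weak_ciphers(LEGACY_CIPHERS))
    offered = context_cipher_names(hardened_context())
    print("hardened context offers", len(offered), "suites; weak:", weak_ciphers(offered))
```

The same weak_ciphers() check can be pointed at the cipher list in an Apache or nginx config to audit it before a PCI scan.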
Apart from the transmission of data, there are other security concerns. Any server that's connected to the Internet is vulnerable to an array of attacks and exploits. For obvious reasons, security concerns increase when one is storing and transmitting private information that could be used for identity theft. Following are some server security guidelines that I recommend:
Perform routine security audits.
Run a firewall. If you can't afford a hardware firewall, run a software firewall. Cisco is known for good firewall solutions. Assuming you configure it properly, the open source packet filter, iptables, is also good. Most Linux distributions come with iptables. More information can be found here. In either case, it's preferable to run a firewall/filter between your servers and the Internet.
Disable services you don't need. Exploits are uncovered every day and a server may be vulnerable if you leave a service running that you don't really use. Because you may be less knowledgeable about services you don't really use, the need to disable them is doubly important.
Keep up to date with patches. One of the improvements made in recent years is the ease by which automatic updates can be implemented.
Limit login access to servers. Use strong passwords for all users. Use very strong passwords for administrative accounts and limit the number of people that have access to these accounts.
Use strong passwords for database accounts. If you can avoid it, disallow access to database servers from outside the Local Area Network (LAN), and allow access only to the applications and users for whom it is specifically needed.
Limit physical access to your servers.
The best way to keep on top of security concerns is to stay current. Visiting websites like http://www.sans.org/ and http://www.slashdot.org/ can provide good, up-to-date information, as can subscribing to email lists, RSS feeds (or, I hate to say it, Twitter feeds). The point is that security is a big deal, but if dealt with correctly, it should not be an impediment to selling online. In the next article, I'll cover some of the important factors to keep in mind before and during implementation.