Web Commerce Security : Design and Development.
Title:
Web Commerce Security : Design and Development.
Author:
Nahari, Hadi.
ISBN:
9781118098899
Edition:
1st ed.
Physical Description:
1 online resource (506 pages)
Contents:
Web Commerce Security: Design and Development -- Contents -- Foreword by John Donahoe -- Foreword by Scott Thompson -- Introduction -- Part I: Overview of Commerce -- Chapter 1: Internet Era: E-Commerce -- Evolution of Commerce -- Hard vs. Digital Goods -- Payment -- Money -- Financial Networks -- Distributed Computing: Adding E to Commerce -- Client/Server -- Grid Computing -- Cloud Computing -- Cloud Security -- Summary -- Notes -- Chapter 2: Mobile Commerce -- Consumer Electronics Devices -- Mobile Phone and M-Commerce -- Landscape -- M- vs. E-Commerce -- State of Mobile -- Mobile Technologies: Mosquito on Steroids -- Carrier Networks -- Stacks -- Summary -- Notes -- Chapter 3: Important "Ilities" in Web Commerce Security -- Confidentiality, Integrity, and Availability -- Confidentiality -- Integrity -- Availability -- Extensibility -- Black Box Extensibility -- White Box Extensibility (Open Box) -- White Box Extensibility (Glass Box) -- Gray Box Extensibility -- Fault Tolerability -- High Availability -- Telecommunications Network Fault Tolerance -- Interoperability -- Additional Interoperability Standards -- Testing for Interoperability -- Maintainability -- Manageability -- Modularity -- Monitorability -- Intrusion Detection -- Penetration Testing -- Violation Analysis -- Operability -- Protection of Resources and Privileged Entities -- Categories of Web Commerce Operability Controls -- Portability -- Predictability -- Reliability -- Ubiquity -- Usability -- Scalability -- Accountability -- Audit Ability -- Traceability -- Summary -- Notes -- Part II: E-Commerce Security -- Chapter 4: E-Commerce Basics -- Why E-Commerce Security Matters -- What Makes a System Secure -- Risk-Driven Security -- Security and Usability -- Usability of Passwords -- Practical Notes -- Scalable Security -- Securing Your Transactions -- How Secure Is Secure?

Summary -- Notes -- Chapter 5: Building Blocks: Your Tools -- Cryptography -- The Role of Cryptography -- Symmetric Cryptosystems -- Asymmetric Cryptosystems -- Digital Signatures -- Random Number Generation -- Public Key Certification Systems: Digital Certificates -- Data Protection -- Access Control -- Controls -- Models for Controlling Access -- System Hardening -- Service Level Security -- Host Level Security -- Network Security -- Summary -- Notes -- Chapter 6: System Components: What You Should Implement -- Authentication -- User Authentication -- Network Authentication -- Device Authentication -- API Authentication -- Process Authentication -- Authorization -- Non-Repudiation -- Privacy -- Privacy Policy -- Privacy-Related Legislation and Guidelines -- European Union Principles -- Health Care-Related Privacy Issues -- The Platform for Privacy Preferences -- Electronic Monitoring -- Information Security -- Security Management Concepts -- Data and Information Classification -- Information Classification Benefits -- Information Classification Concepts -- Data Categorization -- Bell-LaPadula Model -- System and Data Audit -- Syslog -- SIEM -- Defense in Depth -- Principle of Least Privilege -- Trust -- Isolation -- Virtualization -- Sandbox -- IPSec Domain Isolation -- Security Policy -- Senior Management Policy Statement -- NIST Policy Categories -- Communications Security -- Inter-Network Security -- Summary -- Notes -- Chapter 7: Trust but Verify: Checking Security -- Tools to Verify Security -- Vulnerability Assessment and Threat Analysis -- Intrusion Detection and Prevention Using Snort -- Network Scanning Using Nmap -- Web Application Survey -- Vulnerability Scanning -- Penetration Testing -- Wireless Reconnaissance -- Summary -- Notes -- Chapter 8: Threats and Attacks: What Your Adversaries Do -- Basic Definitions -- Target -- Threat

Attack -- Control -- Same-Origin Policy -- Common Web Commerce Attacks -- Broken Authentication and Session Management Attack -- Cross-Site Request Forgery Attack -- Cross-Site Scripting Attack -- DNS Hijacking Attack -- Failure to Restrict URL Access Attack -- Injection Flaws -- Insufficient Transport Layer Protection Attack -- Insecure Cryptographic Storage Attack -- Insecure Direct Object Reference Attack -- Phishing and Spamming Attack -- Rootkits and Their Related Attacks -- Security Misconfiguration Attack -- Unvalidated Redirects and Forwards Attack -- Summary -- Notes -- Chapter 9: Certification: Your Assurance -- Certification and Accreditation -- The Certification Process -- Standards and Related Guidance -- Trusted Computer System Evaluation Criteria -- Common Criteria ISO/IEC 15408 -- Defense Information Assurance Certification and Accreditation Process -- Office of Management and Budget Circular A-130 -- The National Information Assurance Certification and Accreditation Process -- Federal Information Security Management Act -- Federal Information Technology Security Assessment Framework -- FIPS 199 -- FIPS 200 -- Additional Guidance -- Related Standards Bodies and Organizations -- Jericho Forum -- The Distributed Management Task Force -- International Organization for Standardization/International Electrotechnical Commission -- The European Telecommunications Standards Institute -- Storage Networking Industry Association -- The Open Web Application Security Project -- NIST SP 800-30 -- Certification Laboratories -- The Software Engineering Center Software Assurance Laboratory -- SAIC -- ICSA Labs -- The Systems Security Engineering Capability Maturity Model -- Value of Certification -- When It Matters -- When It Does Not -- Certification Types -- Common Criteria -- MasterCard CAST -- EMV -- Other Evaluation Criteria -- NSA

FIPS 140 Certification and NIST -- Summary -- Notes -- Appendix A: Computing Fundamentals -- Introduction -- Hardware -- Central Processing Unit -- Memory and Storage -- Input and Output -- Popular Architectures -- Software -- Underware -- Operating System -- Middleware -- Applications -- Programming Languages -- Summary -- Appendix B: Standardization and Regulatory Bodies -- ANSI -- COBIT -- COSO -- CSA -- Ecma -- ETSI -- FIPS -- GlobalPlatform -- IANA -- IEC -- IETF -- ISO -- Kantara -- NIST -- OASIS -- OAuth -- OpenID -- OpenSAF -- PCI -- SAF -- SOX -- The Open Group -- W3C -- WASC -- Notes -- Appendix C: Glossary of Terms -- Appendix D: Bibliography -- Index.
Abstract:
A senior security architect for both eBay and PayPal and a best-selling information systems security author show how to design and develop secure Web commerce systems. Whether it is online banking or ordering merchandise from a mobile phone, online commerce requires a high degree of security to protect the parties to a transaction. This book explores the critical security issues associated with both e-commerce and mobile commerce (m-commerce), and it is also a technical manual for building a secure system. Covering the technical fundamentals, it provides the detail that developers, system architects, and system integrators need to design and implement secure, user-friendly online commerce systems. It is co-authored by Hadi Nahari, a recognized expert in Web commerce security, at the time of writing Principal Security, Mobile and Devices Architect at eBay, focusing on the architecture and implementation of eBay and PayPal mobile, and by Dr. Ronald Krutz, information system security lecturer and co-author of the best-selling Wiley CISSP Prep Guide series. The book shows how to architect and implement user-friendly security for e-commerce and especially mobile commerce; covers the fundamentals of designing infrastructures with high availability, large transactional capacity, and scalability; and includes topics such as understanding payment technologies, identifying weak security, and augmenting it. It gives readers the essential information on Web commerce security, as well as actual design techniques, in one expert guide.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.
Added Author:
Krutz, Ronald.