Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/95802
Title: Secure ecommerce framework for the .NET environment
Authors: Sant, Reuben (2009)
Keywords: Microsoft .NET Framework
Programming languages (Electronic computers)
Electronic commerce
Issue Date: 2009
Citation: Sant, R. (2009). Secure ecommerce framework for the .NET environment (Bachelor's dissertation).
Abstract: Ecommerce systems are common attack targets due to the financial value of their transactions. The lack of constant security considerations in software development methodologies, the lack of security expertise in the development team and the focus on the business logic rather than security all contribute towards the introduction of security vulnerabilities in web application development. The management of code security is not a trivial task and may leave the developed web application vulnerable to at least one serious flaw. A single security vulnerability may be enough for the web application to suffer an attack or turn the application into a launch pad for more serious attacks. This dissertation proposes to prevent security vulnerability introduction in ecommerce ASP.NET C# web applications. This project presents Sentry.NET: a framework for the development of secure ecommerce .NET web applications that acts as a separate layer of security on the web application to ease the security-related burden in the development process. Sentry.NET presents a .NET library to analyze and filter the user HTTP request and application HTTP response to detect and prevent a number of identified security vulnerabilities. Security flaws may also be introduced with poor design and implementation decisions. Sentry.NET also provides secure implementations of generic common functionality found in ecommerce systems. The framework still leaves web application developers free to bypass the provided secure implementations and introduce security vulnerabilities in the developed code. To mitigate this problem, the web developer is also offered a static code analysis tool which scans the C# source code for common coding flaws that are known to introduce security vulnerabilities. The encouraging results show that the identified common security vulnerabilities in ecommerce systems are covered by Sentry.NET. 
Although security considerations should always be part of the development lifecycle, the developers can focus more on the functionality of their application rather than the repetitive security management tasks on the developed application.
Description: B.Sc. IT (Hons)(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/95802
Appears in Collections: Dissertations - FacICT - 1999-2009
Dissertations - FacICTCS - 2009

Files in This Item:
File: BSC(HONS)IT_Sant_Reuben_2009.pdf (Restricted Access)
Size: 7.79 MB
Format: Adobe PDF


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.