5

I have an e-commerce website, and I recently came across a web page that talks about cyber crime, which has got me wondering what website security verification means.

  • Does anyone know what website security verification means?
  • How can I verify my website to prevent such fraud cases?
Simon Hayter
voidstar

2 Answers

4

Security certifications are typically based on the results of a penetration test, which gives an indication of how difficult it is for ethical hackers to get past the security controls. Where this testing is done by experienced professionals, this can be very useful.

However

  • Any security test is a point in time: a new 0-day exploit could be released the day after the attack and if the site is vulnerable the security certification is effectively useless.

  • For organisations that handle credit card data, PCI-DSS is supposed to certify that you protect your data appropriately; however, the inadequacies are demonstrated in the media by famous attacks against PCI-compliant organisations (e.g. Worldpay in 2009). Despite that, there are a lot of good activities described in PCI which you should look at.

So if you are worried about your site, good practice for security generally includes:

  • Risk-assess your assets
  • Patch your platforms and your code!!!
  • Train your developers in secure coding - certifying them is useful (see this SANS initiative)
  • Look at the OWASP top ten for the most common attacks and what to do about them
  • Understand what platforms you use, and monitor security advisories for those platforms
  • Regular penetration testing - annually, on every major update, and on changes to your risk profile or threat landscape
  • A defence-in-depth approach, so that if a particular layer of security fails you will spot it before you are compromised
Rory Alsop
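As an added example (not part of Rory Alsop's answer or of the original page), here is the most common OWASP top-ten issue, injection, shown the way it tends to appear on an e-commerce site: a product search whose query is built by string concatenation, alongside the parameterised fix. The product table, its three rows and the function names `build_catalog`, `search_vulnerable` and `search_hardened` are all constructed for this example; only Python's standard `sqlite3` module is used.

```python
import sqlite3

# Constructed sample catalogue (not real data): two published products and
# one unpublished item that must never be visible to shoppers.
SAMPLE_PRODUCTS = [
    ("Widget", 9.99, 1),
    ("Gadget", 19.99, 1),
    ("Secret prototype", 0.0, 0),
]


def build_catalog():
    """Return an in-memory SQLite catalogue populated with SAMPLE_PRODUCTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products ("
        "id INTEGER PRIMARY KEY, name TEXT, price REAL, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, price, published) VALUES (?, ?, ?)",
        SAMPLE_PRODUCTS,
    )
    return conn


def search_vulnerable(conn, term):
    """Product search built by string concatenation: the classic injection bug.

    Whatever the shopper types lands inside the SQL text, so a quote lets them
    rewrite the WHERE clause (exposing unpublished rows) and a bare '%' acts
    as a wildcard that lists the whole published catalogue.
    """
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term):
    """Escape LIKE metacharacters so user input is matched literally."""
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def search_hardened(conn, term):
    """Same search with a bound parameter plus an ESCAPE clause.

    Binding keeps the input out of the SQL grammar (stops injection); escaping
    '%' and '_' stops the input from acting as a wildcard (stops enumeration).
    """
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE ? ESCAPE '\\'")
    pattern = "%" + _escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    catalog = build_catalog()
    for payload in ["Widget", "' OR 1=1 --", "%"]:
        print(repr(payload),
              "vulnerable:", search_vulnerable(catalog, payload),
              "hardened:", search_hardened(catalog, payload))
```

Running the block shows the difference directly: the payload `' OR 1=1 --` makes the concatenated query return every row, unpublished ones included, while the parameterised query returns nothing because the text is matched literally. The ESCAPE clause is the part people usually forget: parameter binding alone stops injection, but a shopper sending `%` would still enumerate the whole published catalogue.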
-3

I'm not an expert, but to me it's nothing but a bit of a sham: users want to see that a website is secure, so owners pay money to get 'verified'.

Some are Trust Guard, McAfee and TRUSTe.