What is website security verification?
I have an e-commerce website and I recently came across a web page that talks about cyber crime and this has got me wondering what website security verification means.
Does anyone know what website security verification means?
How can I verify my website to prevent such fraud cases?
More posts by @Twilah146
2 Comments
Security certifications are typically based on the results of a penetration test, which gives an indication of how difficult it is for ethical hackers to get past the security controls. Where this testing is done by experienced professionals this can be very useful.
However:
Any security test is a point in time: a new 0-day exploit could be released the day after the attack and if the site is vulnerable the security certification is effectively useless.
For organisations that handle credit card data, PCI-DSS is supposed to certify that you protect your data appropriately, however the inadequacies are demonstrated in the media by famous attacks against PCI compliant organisations (e.g. Worldpay in 2009) - despite that, there are a lot of good activities described in PCI which you should look at.
So if you are worried about your site, good practice for security generally includes:
Risk assess your assets
Patch your platforms and your code!!!
Training your developers in secure coding - certifying them is useful (see this SANS initiative)
Look at the OWASP top ten for the most common attacks and what to do about them
Understand what platforms you use, and monitor security advisories for those platforms
Regular penetration testing - annually, on every major update, on changes to your risk profile or threat landscape
A defence in depth approach, so if a particular layer of security fails you will spot it before you are compromised
I'm not an expert, but to me it's nothing but a bit of a sham; users want to see that a website is secure, so owners pay money to get 'verified'.
Some are Trust Guard, McAfee and TRUSTe.