Chapter 11 E-Commerce Security Needs

As with the operating system, the Web server should be scanned for known vulnerabilities before the system is placed in production. It may be possible to use the same scanner as that used for the operating system, but make sure that the scanner includes checks against the Web server software itself (version-specific flaws, default and sample content, misconfigured directory permissions) and not only the underlying host. Once the system is in production, the Web scans should be conducted on the same schedule as the operating system scans.

APPLICATION SECURITY

The security of the e-commerce application as a whole is perhaps the most important part of e-commerce security. The application is the overall design and coding of the thing that sits on top of the operating system and the Web server software. The application also includes the procedures for handling operations such as page changes and software upgrades.

Proper Application Design

Let's start the discussion of application security with the design of the application itself. When an e-commerce application is being designed, an organization should perform the same project steps as in the design and development of any large, complex system, namely:

Requirements definition
System design
Development
Testing
Deployment

All of these steps should be laid out in the organization's development manual. Security requirements should be included in the requirements definition phase of the project.
Security requirements that should be specified include:

Identification of sensitive information
Protection requirements for sensitive information
Authentication requirements for access or operations
Audit requirements
Availability requirements

If these requirements have been defined, then when the system design phase begins we can identify potential design issues. All sensitive information should be protected in some manner. This will govern what parts of the application require HTTPS vs. HTTP. Sensitive information may not require only encryption in transit. Some information, such as private information about the customer, may require .
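The following is an added worked example, not code from the book, of how the requirements above can be turned into a concrete design-phase check. It assumes a small, invented classification scheme (public, customer_private, payment), a policy table mapping each class to its transport, at-rest, authentication and audit requirements, and a constructed manifest of application endpoints; none of these names or values come from the original text. Given that input, it derives which parts of the application must be served over HTTPS, require authentication, need audit logging or must encrypt stored fields, and reports each design decision that violates the derived requirement.

```python
"""Design-phase check: derive transport, at-rest, authentication and audit
requirements for each part of an e-commerce application from the data it
handles, then flag design decisions that violate them.

Added illustrative example. The sensitivity classes, POLICY table and SAMPLE
manifest below are constructed assumptions, not taken from the book.
"""
from dataclasses import dataclass

# Assumed sensitivity classes identified during requirements definition.
PUBLIC, CUSTOMER_PRIVATE, PAYMENT = "public", "customer_private", "payment"

# Assumed protection requirements per class:
#   https   - must be encrypted in transit (HTTPS, never plain HTTP)
#   at_rest - stored fields must be encrypted at rest
#   auth    - access or operation requires authentication
#   audit   - access or operation must be recorded in an audit log
POLICY = {
    PUBLIC:           dict(https=False, at_rest=False, auth=False, audit=False),
    CUSTOMER_PRIVATE: dict(https=True,  at_rest=True,  auth=True,  audit=True),
    PAYMENT:          dict(https=True,  at_rest=True,  auth=True,  audit=True),
}


@dataclass
class Endpoint:
    """One part of the application as described in the design document."""
    path: str
    data: set                      # sensitivity classes handled by this endpoint
    https_only: bool               # design serves it only over HTTPS
    requires_auth: bool            # design requires authentication
    audited: bool                  # design writes an audit record
    stored_fields_encrypted: bool = True   # design encrypts what it stores


def strictest(classes):
    """Merge policies: a requirement applies if any handled class needs it."""
    merged = dict(https=False, at_rest=False, auth=False, audit=False)
    for cls in classes:
        for key, needed in POLICY[cls].items():
            merged[key] = merged[key] or needed
    return merged


def review(endpoints):
    """Return a list of design issues, one string per violated requirement."""
    issues = []
    for ep in endpoints:
        need = strictest(ep.data)
        if need["https"] and not ep.https_only:
            issues.append(f"{ep.path}: handles sensitive data but is reachable over HTTP")
        if need["auth"] and not ep.requires_auth:
            issues.append(f"{ep.path}: sensitive operation without authentication")
        if need["audit"] and not ep.audited:
            issues.append(f"{ep.path}: sensitive operation is not audited")
        if need["at_rest"] and not ep.stored_fields_encrypted:
            issues.append(f"{ep.path}: stores sensitive fields without encryption at rest")
    return issues


# Constructed sample design manifest (hypothetical endpoints).
SAMPLE = [
    Endpoint("/catalog", {PUBLIC},
             https_only=False, requires_auth=False, audited=False),
    Endpoint("/account/profile", {CUSTOMER_PRIVATE},
             https_only=True, requires_auth=True, audited=True),
    # A checkout page that the design left on HTTP, unaudited, and storing
    # card data in the clear: every requirement for PAYMENT data is violated
    # except authentication.
    Endpoint("/checkout", {CUSTOMER_PRIVATE, PAYMENT},
             https_only=False, requires_auth=True, audited=False,
             stored_fields_encrypted=False),
]

if __name__ == "__main__":
    for issue in review(SAMPLE):
        print(issue)
```

The point of running this against the design manifest rather than the finished code is the one the text makes: once sensitivity classes and their protection requirements are written down during requirements definition, the HTTPS-versus-HTTP split, the authentication boundaries and the audit points fall out mechanically at design time, before any code is written.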