Over the last couple of months we reviewed Microsoft-IIS based ecommerce sites and the significant improvement in their security prompted by the combination of Code Red and Microsoft's first cumulative patch. A reasonable interpretation of the significant fall in the number of vulnerable Microsoft-IIS sites tested by Netcraft is that Code Red was so disruptive that sites could no longer ignore security, and the cumulative patch gave them a convenient solution whereby addressing the Code Red problem fixed several other well-known vulnerabilities at the same time.
One technology that has yet to receive this kind of stimulus towards security is JavaServer Pages (JSP). Although not widely deployed by rank and file sites, JSP is quite a common technology on ecommerce sites that prefer a Sun-based solution to the Microsoft platform. Users of JSP technology have often invested very significant sums in their sites, and those sites frequently provide core stockbroking, banking, retail, ticketing and ecommerce services to the internet community, where large sums of money can change hands.
On these sites identity theft is a very serious issue, enabling an attacker to, for example, buy goods or transfer money, using the identity and account information of another customer of the site.