Hardening site security checklist

To harden the security of your WebSphere Commerce site, you can enable and configure various security features. In addition, site customizations must always be made to comply with best practices as outlined in this document.

This is not an all-inclusive list of security measures for your site. This list is designed primarily to facilitate navigation of the WebSphere Commerce security section of the IBM Knowledge Center, and to highlight security considerations for WebSphere Commerce customizations and the secure configuration of other IBM products. Further security hardening might be required to ensure the security of your site. For more information about security standards, see Security Standards.

Development

This list is provided for the purposes of development. Ensure that your site customizations conform to the best practices laid out in the following topics:

Configuration

This list is provided for the purposes of site administration. Ensure that your site is configured to be hardened against common attack vectors with the following topics:

Maintenance and operations

This list is provided for the purposes of site administration on an ongoing basis. Timely review and application of security and maintenance patches ensures that you are aware of ongoing security issues, and that your site is up-to-date and hardened against attacks that would otherwise succeed:
  • Subscribe to WebSphere Commerce security bulletins, and review all published security bulletins. For more information, see Security bulletins.
  • Ensure that you keep your product up to date with the latest cumulative interim fix. In addition, review and install all additional APAR interim fixes in a timely fashion. Pay particular attention to security-related APARs.
  • Test your site thoroughly, and on an ongoing basis. Pay particular attention to any site customizations. Remember: Security is an ongoing process, not a product, or task that is ever complete.
  • Implement an encryption key rotation schedule, and ensure that the process is secure. This process reduces the chance of a successful brute force attack, and mitigates the potential outcomes of a compromised key. For information on how to change your encryption key, see MigrateEncryptedInfo utility.
  • Use the -passwordFile parameter for all command-line utilities that have such a parameter to limit the exposure of plain text passwords.

Other software

WebSphere Commerce is just one piece of a larger group of software that is required to run your site. Ensure that you correctly configure and harden all software that is part of your installation. Ensure that you are prompt with all maintenance and security releases. Any customizations made to these products must also adhere to the respective documented best practices.

Review the following documentation for each piece of software that you use for more security recommendations:

Note: This list is not exhaustive, and is limited to IBM products.