Security comparison of popular e-commerce shopping carts
Recently I had to choose a free open source e-commerce platform for one of my projects, which involved setting up an online store. After some research and a lot of reading of various forums and blogs, I identified the five shopping cart packages compared below (Magento, osCommerce, VirtueMart, Zen Cart and Zeuscart) as the ones most recommended by other people.
Why does security matter?
One of the main concerns when setting up an online store should be the security of the store. You do not want some malicious person to steal all your confidential customer data, divert your customers' payments to their own account or mess up your site. Your site can also easily be blacklisted by the search engines if someone injects malicious code into it. Many webmasters do not seem to be too concerned about this. They install a shopping cart package and purchase an SSL certificate, and think that they are fine because they have SSL enabled. Many online shoppers seem to think that way too. SSL only protects data while it travels between the browser and the server; it does not help at all if someone breaks into the server which is running the software, or exploits a hole in the shopping cart application itself.
After the shopping cart software has been installed it is far too often left unmaintained. That kind of practice is just asking for trouble, because one day someone will find a security hole in your chosen e-commerce platform. You need to closely monitor the relevant security mailing lists or web sites so that you notice quickly when you have a problem and can fix it swiftly. Obviously this does not apply just to the shopping cart software: you also need to be aware of vulnerabilities in any underlying software (such as the web server, the PHP interpreter and the operating system) as well as in any third-party add-on modules or plugins.
Analyzing security of software
All software is bound to have bugs, and inevitably some of them cause security vulnerabilities. This is generally unavoidable, but there are two things which really matter:
- The overall design quality of the software. Is it designed and programmed by knowledgeable, security-conscious people from the very start? Or is it a pile of garbage cut and pasted together by code monkeys without any overall design or principles?
- The development team's attitude to security vulnerabilities, in particular how quickly corrected versions are issued when vulnerabilities are found.
The likelihood of having serious vulnerabilities varies from one product to another, and the responsiveness of the vendor or the development team matters a lot when a serious bug is eventually found.
Secunia is a Danish company which does a very good job of analyzing, documenting and tracking security vulnerabilities in software. In addition to issuing initial security advisories, they also follow the identified problems later on to see whether they get fixed or not. They index their vulnerability database by product and also provide historical data on the vulnerabilities found in the past, per software product and per vendor. They are a great resource for an initial security analysis when considering the use of any existing software.
Comparison
Below I have briefly compared the listed e-commerce platforms. Please note that this comparison is current only at the time of writing this article; the Secunia vulnerability statistics may well have changed since then, as new vulnerabilities are found and old ones are fixed. I am therefore providing links so that you can check the vulnerability status of each package yourself if you are reading this article at a later date.
I recommend that you read the advisory summaries on the Secunia site yourself before making your decision, because some bugs are far more critical than others. I have included links to the Secunia advisory and statistics pages.
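The two things the comparison below actually measures are how many holes a product has had and how quickly its developers shipped fixed releases, and the reason to track this at all is to notice when your own installation is affected. The following script is an added example, not code from the original article and not a Secunia tool: it reads a small set of constructed, hypothetical advisory records (the product names, titles, dates and version numbers are invented for illustration), computes per-product statistics of the kind you would read off a vendor's advisory history (total count, how many are still unpatched, worst criticality, median days from disclosure to a fixed release, and how long the oldest open hole has been known), and then checks a set of installed versions against the advisories. Version numbers are compared numerically rather than as strings, which matters once a product reaches 1.10.

```python
"""Summarize a vulnerability history per product and flag affected installs.

Added example; the advisory records below are constructed for illustration
and do not reproduce any real Secunia advisory.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str
    title: str
    criticality: int          # 1 = not critical ... 5 = extremely critical
    published: date           # date the hole was disclosed
    fixed_in: Optional[str]   # version that closes the hole; None = no fixed release yet
    fixed_on: Optional[date]  # date the fixed release shipped; None = still unpatched


# Constructed sample data (hypothetical products and advisories, not real ones).
ADVISORIES: List[Advisory] = [
    Advisory("cartA", "SQL injection in search", 4, date(2009, 3, 2), "1.2.1", date(2009, 3, 9)),
    Advisory("cartA", "XSS in product review", 2, date(2009, 6, 15), "1.3.0", date(2009, 6, 30)),
    Advisory("cartB", "Arbitrary file upload in admin", 5, date(2008, 11, 1), None, None),
    Advisory("cartB", "XSS in checkout", 2, date(2009, 1, 20), None, None),
    Advisory("cartB", "Path traversal in image handler", 3, date(2009, 7, 4), "2.0.5", date(2009, 9, 30)),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so that '1.10.2' sorts after '1.9.9'."""
    return tuple(int(part) for part in v.split("."))


def summarize(advisories: List[Advisory], today: date) -> Dict[str, dict]:
    """Per product: number of holes, how many are still open, the worst criticality,
    the median days the vendor took to ship a fix, and the age of the oldest open hole."""
    out: Dict[str, dict] = {}
    for adv in advisories:
        s = out.setdefault(adv.product, {"total": 0, "unpatched": 0, "worst": 0,
                                         "oldest_open_days": 0, "fix_days": []})
        s["total"] += 1
        s["worst"] = max(s["worst"], adv.criticality)
        if adv.fixed_on is None:
            s["unpatched"] += 1
            s["oldest_open_days"] = max(s["oldest_open_days"], (today - adv.published).days)
        else:
            s["fix_days"].append((adv.fixed_on - adv.published).days)
    for s in out.values():
        s["median_fix_days"] = median(s["fix_days"]) if s["fix_days"] else None
        del s["fix_days"]
    return out


def affected(installed: Dict[str, str], advisories: List[Advisory],
             minimum_criticality: int = 1) -> List[Advisory]:
    """Advisories that apply to the installed versions: every hole with no fixed
    release at all, plus every hole whose fix is in a newer version than the one installed."""
    hits = []
    for adv in advisories:
        if adv.product not in installed or adv.criticality < minimum_criticality:
            continue
        if adv.fixed_in is None or parse_version(installed[adv.product]) < parse_version(adv.fixed_in):
            hits.append(adv)
    return hits


if __name__ == "__main__":
    today = date(2009, 10, 26)
    for product, stats in summarize(ADVISORIES, today).items():
        print(product, stats)
    for adv in affected({"cartA": "1.2.3", "cartB": "2.0.5"}, ADVISORIES):
        print("AFFECTED:", adv.product, "-", adv.title, "(criticality", adv.criticality, ")")
```

In the constructed data, cartA has fixed both of its holes within two weeks, while cartB has a critical hole that has been open for almost a year and took three months to fix a lesser one; that difference in responsiveness is exactly what the advisory history of a product tells you. Running the same check against your own installed versions is the part that should be repeated whenever the advisory feed changes.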
Magento
Secunia advisories for Magento.
Magento seems like the most promising complete online commerce platform available now. It is modern, well designed and well maintained. Unfortunately I could not use it for my project because the management interface is painfully slow over low-bandwidth, high-latency links: updating a single product takes more than a minute to complete if you have a bad connection to the server which is hosting the store. It is also somewhat resource-intensive on the server side.
osCommerce
Secunia advisories for osCommerce.
The grand old daddy of shopping carts. Poorly maintained. No plugin system. Lots of security holes with no releases to fix them (you have to hunt for the patches in the osCommerce forums and apply them manually to your installation). All customization must be done by manually editing poorly written PHP code, which makes any future upgrade a nightmare. Avoid at all costs!
VirtueMart
Secunia advisories for VirtueMart.
Frequently updated when problems are found. An evolving and well maintained product. Requires the Joomla CMS and therefore shares some stupidities with Joomla. On the other hand it integrates very well into an existing Joomla site, and it is very easy to update automatically from within the control panel.
Zen Cart
Secunia advisories for Zen Cart.
A fork of osCommerce. Many add-on modules are available, but editing core files may still be necessary for customization. Lots of security holes with no new releases to fix them (you have to hunt for the patches in the Zen Cart forums and apply them manually to your installation). Avoid!
Zeuscart
Secunia advisories for Zeuscart.
Developed by a single commercial entity, so there is no real community effort to improve the software. No free add-on modules. It looks like this software exists only to promote their commercial offerings. Security holes with no new releases to fix them (you have to hunt for the patches in the Zeuscart forums and apply them manually to your installation). Avoid!
Conclusion
My conclusion is that Magento is the clear winner regarding overall design, functionality and security. Unfortunately it is unusable in some environments (it is a server resource hog and the management interface is slow), but if that does not bother you, go for it. VirtueMart is also a good option, especially for people who are comfortable with Joomla. The other packages evaluated are plainly unusable due to various deficiencies and cannot really be recommended for any serious use.
No matter which online store platform you choose, you need to keep a close eye on the security of the system. If you are unable to do that yourself for whatever reason, it is best to use a reputable e-commerce hosting provider who takes care of maintaining the platform, or to hire a knowledgeable person to look after your site.
October 26, 2009 | Posted by ioi