EC-CERT services: active information security consulting service; website vulnerability inspection service; information security alert service.

2 Website vulnerability inspection and penetration testing service
EC-CERT's vulnerability inspection and penetration testing service has been running for several years. Its purpose is to help E-Commerce firms understand what, why, when, where and how to test their web applications. The service delivers a complete inspection of the website: not only a checklist of security issues that should be addressed, but also the procedures for correcting them.

3 Information security alert service
EC-CERT gathers data on security threats, exchanges security information with domestic and foreign information security organizations, and turns these data into alerts covering security leaks, malicious websites, hacking and phishing, together with recommended defensive measures, so that E-Commerce operators can take preventive measures in advance, reduce their exposure to information security threats and avoid potential loss. In addition, EC-CERT regularly issues lists of hacker relay station domains and IP addresses so that E-Commerce operators can update their relay station blacklists and their information defense mechanisms, and effectively protect consumers from being connected to malicious relay stations, thus preventing security breaches and sensitive information leaks.

4 E-Commerce security incident investigation and response
EC-CERT works with the Criminal Investigation Bureau to investigate and respond to security incidents at E-Commerce firms when necessary. When an E-Commerce website is attacked and personal information or transaction data are leaked, EC-CERT offers security investigation and incident response handling.

5 E-Commerce transaction security regulations assessment service
EC-CERT drafts E-Commerce transaction security regulations, integrates them with information security management standards, and provides E-Commerce operators with free on-site regulation assessments to help them comply with and maintain the security regulations.

2. Activities Operations

2.1. Active information security consulting service

1 EC-CERT recorded 42 E-Commerce industry information security reports in 2014. These reports include online consulting records on website system security and step-by-step resolution procedures and suggestions for real cases.
2 After EC-CERT provided E-Commerce security recommendations and improvement instructions to a web development company that owns 19 E-Commerce websites, no security incident has been reported from those websites since August 2014.

2.2. Website vulnerability inspection Service

EC-CERT provided its website vulnerability inspection service in response to information security events in the E-Commerce industry. The most common high-risk findings are shown in Figure 2: 31 HTML forms without CSRF protection, 15 verified cross-site scripting findings and 10 application error messages.

Figure 2. Web vulnerability inspection statistics (finding: count)
HTML form without CSRF protection: 31
Cross site scripting (verified): 15
Application error message: 10
Vulnerable JavaScript library: 8
Cross site scripting: 7
jQuery cross site scripting: 5
User credentials are sent in clear text: 5
SSL 2.0 deprecated protocol: 3
TLS1/SSLv3 renegotiation vulnerability: 2
Blind SQL injection: 2
ColdFusion User-Agent cross-site scripting: 2
Microsoft IIS tilde directory enumeration: 2
Error message on page: 2
Unencrypted __VIEWSTATE parameter: 2
Host header attack: 2
HTTP parameter pollution: 2
Directory listing: 2

2.3. Information security alert service

EC-CERT notifies members of the latest information security threat warnings and Internet vulnerabilities, as shown in Figure 3. About 53 of the alert reports are Announcement/Advisory notices; the other categories shown are Early Warning, Website Defacement and Feedback Information. Figure 3. Information security alert statistics

2.4. E-Commerce information security regulation evaluation service