Securing your servers, network, and operating system is a major concern. One thing that is often ignored is the transfer of information between users and Web sites. According to a recent report, while 73 percent of Internet users check out product Web sites, only 15 percent make online purchases, citing security and privacy concerns. Secure Socket Layer (SSL) is one method of keeping that data secure as it passes through the many machines and points of interception along the way. A basic security marketing paper illustrates this risk area (along with others) quite well: www.prospect-tech.com/ec/download.html.
Even with SSL, one of the weaknesses I often see is form-to-e-mail CGI gateways, where credit card or personal information leaves the site for other destinations. While the form interaction with the user may be encrypted by SSL, Webmasters seem to forget that once the e-mail is sent offsite, it passes through a large number of other systems in clear text (unencrypted) form. This means transaction security can be jeopardized at any point along the way. Hackers armed with sniffers love this! I highly discourage this kind of information passing if you would like to stay in business. Encrypt the data with PGP or another method before the e-mail is sent.
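The two gateways side by side, as an added example that is not code from the column: the clear-text version it warns against and a version that encrypts the order to the merchant's PGP key before handing it to the mailer. The merchant address, key id and form field names are assumed placeholders, and the gpg command-line tool is assumed to be installed with the merchant's key already imported.

```python
#!/usr/bin/env python3
"""Form-to-e-mail gateway, insecure and hardened. Added example; the merchant
address and key id below are assumed placeholders, not values from the column."""
import subprocess
from email.message import EmailMessage

MERCHANT_ADDRESS = "orders@example.com"   # assumed placeholder
MERCHANT_KEY_ID = "MERCHANT-KEY-ID"       # assumed placeholder: merchant's public key


def render_order(fields):
    """Flatten the submitted form fields into the text the merchant reads."""
    return "".join(f"{k}: {v}\n" for k, v in sorted(fields.items()))


def insecure_mail(fields):
    """What many gateways do: the order leaves the SSL-protected site in clear
    text and is readable on every relay between here and the merchant."""
    msg = EmailMessage()
    msg["To"] = MERCHANT_ADDRESS
    msg["Subject"] = "New order"
    msg.set_content(render_order(fields))
    return msg.as_string()


def gpg_encrypt(plaintext, key_id=MERCHANT_KEY_ID):
    """Encrypt to the merchant's public key with the gpg command-line tool.
    --trust-model always is needed in batch mode; it is only safe because the
    key's fingerprint was verified out of band when it was imported."""
    done = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", key_id],
        input=plaintext.encode(), capture_output=True, check=True)
    return done.stdout.decode()


def encrypted_mail(fields, encrypt=gpg_encrypt):
    """Recommended: encrypt the order before it reaches the mailer, so only the
    key holder can read it. Headers still travel in the clear, so nothing from
    the form goes into To or Subject. If encryption fails the exception
    propagates: the gateway fails closed instead of mailing the plain text."""
    msg = EmailMessage()
    msg["To"] = MERCHANT_ADDRESS
    msg["Subject"] = "New order"
    msg.set_content(encrypt(render_order(fields)))
    return msg.as_string()


if __name__ == "__main__":
    # Constructed sample submission; a real gateway reads it from the CGI request.
    order = {"name": "A. Customer", "card": "4111111111111111", "exp": "12/99"}
    print(encrypted_mail(order))
```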
Peter Galvin's Unix Insider security columns and past Webmaster columns show alternate password and user ID methods using .htaccess and/or .htpasswd.
Users worry, as I do, about malicious applets on sites' Web pages. Hackers love to plant unobtrusive applets on Web pages that prompt for user IDs and passwords or capture them as the information is entered. Most of the time this information is forwarded to a drop-off point on the Net, from which the hacker later arranges to pick it up.
What assurances have you made to your users that your applets and applications are safe from this type of tampering?