Security and your commerce implementation

  • Posted on August 21, 2019

Today many people are still concerned about the security of their information online, especially their financial data when they participate in shopping and financial experiences. There is still some hesitation to use credit cards to shop online, or provide information in order to bank online, etc. A fundamental aspect of the commerce experience is confidence that transactions will occur securely and customer data is protected.

Commerce Platforms and Security

A decade ago, (e-)commerce solutions for large brands were generally implemented on a limited selection of large and potentially expensive all-in-one enterprise commerce platforms. These platforms were packaged on-premises, providing maximum control over the implementation, but they were also very costly in terms of pricing, IT intervention and the maintenance required. Securing them could be done within the implementation of the platform as well as by establishing governance.

Today there are many more commerce platforms, and many of them are service-based. There are also experience-based platforms like Sitecore Experience Commerce and Adobe Magento. These encapsulate modern services rather than just one platform: there could be a service managing the shopping cart, one managing your entire checkout flow, one managing your catalog and assets, one managing your user-generated content, etc. Securing these is more complex, as there may be many endpoints and potential vulnerabilities, not all of them controlled by your organization.

Commerce implementations face a variety of security concerns today. The STRIDE analysis below attempts to model these threats.

STRIDE = Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Each of these threats is a violation of one of the primary security properties (Confidentiality, Integrity, Availability) or of the secondary properties (Authenticity, Non-repudiation, Authorization):

Threat                    Property violated
Spoofing                  Authenticity
Tampering                 Integrity
Repudiation               Non-repudiation
Information disclosure    Confidentiality
Denial of service         Availability
Elevation of privilege    Authorization

There are areas and use cases in the Commerce experience that would be vulnerable to each of these threats.

Spoofing

Threat: Phishing
Vulnerability:
  • Basic login without controls/OTP/security image controls
  • Missing authentication guidance for your customers
  • Basic login UX that can be duplicated
  • Domain name that can easily be mimicked using alternative characters
Risk:
  • Customer financial loss
  • Unauthorized customer data exposure
  • Loss of brand credibility

Threat: Third-party spam
Vulnerability:
  • Lack of anti-bot or CAPTCHA validation
  • Weak validation on public forms
  • Weak moderation on user-generated content forums
Risk:
  • Email data exposure
  • Customer spam
  • Poor customer UX
  • Customer financial loss
  • Loss of brand credibility

Threat: Session hijacking
Vulnerability:
  • Predictable (formula-calculated) session IDs that can easily be guessed and injected
  • Weak input validation that allows XSS, SQL injection and CSRF
  • Insecure third-party modules that can inject code (through cart, ads, etc.)
Risk:
  • Customer data exposure
  • Customer financial loss
  • Admin hijacking
  • Virus/malware propagation

Threat: Credential stealing
Vulnerability:
  • Weak governance around credentials
  • Weak password policy that can be brute-forced
  • Weak or outdated hashing technique for sensitive data
Risk:
  • Customer or internal employee data exposure
  • Customer financial loss
  • Admin hijacking

Tampering

Threat: Faked product data
Vulnerability:
  • Weak validation or exposure around APIs that write product data such as ratings and reviews
  • Weak security in third-party modules allowing script attacks on pricing and catalog data
Risk:
  • Loss of product credibility
  • Loss of brand credibility
  • Loss of merchandiser credibility

Threat: Price manipulation
Vulnerability:
  • Weak (input or XSD) validation in requests to price-sensitive services such as the shopping cart and payment gateway
  • Cleartext parameters in calls to these services that can be manipulated
Risk:
  • Financial loss to brand
  • Financial loss to merchandiser

Threat: SQL injection
Vulnerability:
  • Lack of validation on key inputs
  • Improper or default database "user" access
Risk:
  • Attacks on the SQL database
  • Unauthorized information disclosure
  • Unauthorized data manipulation
  • Loss of credibility by brand
  • Privilege elevation
  • PCI-DSS downgrade
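As an added example (not code from the post or from any commerce platform), here is how a checkout service can close the price-manipulation row above: the cart the client hands back is HMAC-signed so cleartext parameters cannot be altered unnoticed, every line is validated, and the total is always recomputed from the server-side catalog. The catalog, SKUs and signing key are constructed for illustration.

```python
import hashlib, hmac, json
from decimal import Decimal

# Constructed server-side catalog: the only price source the checkout trusts
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("5.00")}
# Constructed key for illustration; a real one lives in a key vault, not in code
SIGNING_KEY = b"example-only-cart-signing-key"
MAX_QTY = 100

def canonical(cart):
    """Deterministic encoding so the same cart always produces the same MAC."""
    return json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()

def sign_cart(cart, key=SIGNING_KEY):
    """MAC issued by the server when it hands the cart to the client."""
    return hmac.new(key, canonical(cart), hashlib.sha256).hexdigest()

def price_cart(cart, signature, key=SIGNING_KEY):
    """Return the server-computed total; raise ValueError on any tampering."""
    # Integrity: the cleartext cart the client posts back must carry the MAC we issued
    if not hmac.compare_digest(sign_cart(cart, key), signature):
        raise ValueError("cart signature mismatch")
    total = Decimal("0")
    for line in cart["items"]:
        sku, qty = line.get("sku"), line.get("qty")
        # Input validation: known SKU, positive integer quantity within a sane bound
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"invalid quantity for {sku}")
        # A client-supplied price is never used; if present it must match the catalog
        if "price" in line and Decimal(str(line["price"])) != CATALOG[sku]:
            raise ValueError(f"client price for {sku} differs from catalog")
        total += CATALOG[sku] * qty
    return total

def demo():
    """Honest cart prices correctly; a cart whose price was edited in transit is rejected."""
    cart = {"items": [{"sku": "SKU-100", "qty": 2, "price": "49.99"},
                      {"sku": "SKU-200", "qty": 3}]}
    sig = sign_cart(cart)
    honest_total = price_cart(cart, sig)
    cart["items"][0]["price"] = "0.01"  # tampered after the server signed it
    try:
        price_cart(cart, sig)
        rejected = False
    except ValueError:
        rejected = True
    return honest_total, rejected
```

The signature proves the cart was not altered since the server issued it; the catalog re-check additionally catches prices that changed between signing and checkout.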

Repudiation

Threat: Log manipulation
Vulnerability:
  • Log data that can be read and written by the public or by an attacker
Risk:
  • Incorrect logs that hide attacker information, unauthorized transactions or important system exceptions
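An added example (not from the post) for the log-manipulation row above: a tamper-evident audit log in which each entry's HMAC also covers the previous entry's HMAC, so a verifier holding the key can detect that a past record was edited, deleted or reordered. The events and the key are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed key; in production it is held by the log verifier, not by the web tier
LOG_KEY = b"example-only-audit-log-key"
GENESIS = "0" * 64  # stands in for the "previous MAC" of the first entry

def entry_mac(prev, event, key):
    """MAC over the previous entry's MAC plus this event, canonically encoded."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_entry(chain, event, key=LOG_KEY):
    """Append an event whose MAC chains to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "mac": entry_mac(prev, event, key)})
    return chain

def verify_chain(chain, key=LOG_KEY):
    """Return the index of the first entry that fails, or None if the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or not hmac.compare_digest(
                entry["mac"], entry_mac(prev, entry["event"], key)):
            return i
        prev = entry["mac"]
    return None

def demo():
    """Build a constructed admin audit trail, then tamper with copies of it three ways."""
    chain = []
    append_entry(chain, {"seq": 1, "user": "admin", "action": "login"})
    append_entry(chain, {"seq": 2, "user": "admin", "action": "refund",
                         "order": "ORD-0001", "amount": "120.00"})
    append_entry(chain, {"seq": 3, "user": "admin", "action": "logout"})
    intact = verify_chain(chain)
    edited = [dict(e, event=dict(e["event"])) for e in chain]
    edited[1]["event"]["user"] = "someone-else"  # rewriting who issued the refund
    deleted = chain[:1] + chain[2:]               # dropping the refund record
    reordered = [chain[1], chain[0], chain[2]]    # swapping the first two entries
    return intact, verify_chain(edited), verify_chain(deleted), verify_chain(reordered)
```

Chaining alone does not reveal that the tail of the log was truncated; the verifier must also anchor the latest MAC somewhere the web tier cannot write, such as a separate log collector.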

Information Disclosure

Threat: Unauthorized admin access
Vulnerability:
  • Use of well-known default credentials on the commerce platform
Risk:
  • Loss of brand credibility
  • Unauthorized system information exposure
  • Unauthorized customer data exposure

Threat: Brute-force URL injection
Vulnerability:
  • Improper access control on URLs
  • Improper content workflow
Risk:
  • Loss of brand credibility
  • Bypassing merchandiser processes

Threat: XSS and CSRF injection
Vulnerability:
  • Lack of validation on inputs and outputs
  • Improper HTML encoding
  • Insecure services/APIs
Risk:
  • Loss of brand credibility
  • PCI-DSS downgrade
  • Cookie stealing
  • Financial loss to customer

Threat: Directory traversal attack
Vulnerability:
  • Default platform folder names
  • Improper redirects
  • Improper access control outside of platform root folders
Risk:
  • Unauthorized system information disclosure
  • Unauthorized access to system commands

Threat: Non-secure sessions
Vulnerability:
  • Missing TLS/SSL
  • Invalid certificate
Risk:
  • Loss of brand credibility
  • Financial loss to brand
  • Customer data exposure over the transport layer

Threat: Error disclosure
Vulnerability:
  • Using default error messages rather than custom ones
  • Improper exception framework
  • Visible stack trace
Risk:
  • Loss of brand credibility
  • Unauthorized system information disclosure

Denial of Service

Threat: Insecure third-party advertisements
Vulnerability:
  • Insecure or malicious third-party advertisements may inject malware/viruses into the client
Risk:
  • Malware injection
  • XSS/CSRF injection

Threat: Out of memory
Vulnerability:
  • Poor coding practices that allow old processes to never expire
  • Insufficient heap size
Risk:
  • Major performance impacts
  • Site down
  • Financial loss to brand

Threat: Request flooding and resource exhaustion
Vulnerability:
  • Lack of request throttling control
  • Lack of system control and governance around system behavior when resource limits are reached
Risk:
  • Major performance impacts
  • Site down
  • Financial loss to brand

Threat: System crash
Vulnerability:
  • Improper error handling due to poor coding techniques
Risk:
  • Site down
  • Financial loss to brand
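An added example (not from the post) for the request-flooding row above: a per-client sliding-window throttle that fails fast with a 429 and a Retry-After value once the limit is reached, instead of letting the checkout service queue up work until memory or threads run out. The request log, client ids and limits are constructed for illustration.

```python
from collections import deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = {}  # client id -> deque of recent request timestamps

    def check(self, client, now):
        """Return (allowed, retry_after_seconds); each deque holds at most `limit` entries."""
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:   # drop hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            # Limit reached: reject immediately and tell the client when to retry
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0.0

# Constructed request log: (timestamp, client, path). Client A hammers checkout,
# client B is an ordinary shopper whose request lands in the same window.
REQUESTS = [(0.0, "A", "/checkout"), (1.0, "A", "/checkout"), (2.0, "A", "/checkout"),
            (3.0, "B", "/checkout"), (3.0, "A", "/checkout"), (4.0, "A", "/checkout"),
            (5.0, "A", "/checkout"), (6.0, "A", "/checkout"), (7.0, "A", "/checkout"),
            (11.0, "A", "/checkout")]

def process(requests=REQUESTS, limit=5, window=10.0):
    """Replay the log through the limiter; return (ts, client, status, retry_after) per request."""
    limiter = SlidingWindowLimiter(limit, window)
    out = []
    for ts, client, _path in requests:
        ok, retry = limiter.check(client, ts)
        out.append((ts, client, 200 if ok else 429, retry))
    return out
```

In a long-running process the client dictionary still needs idle-entry eviction, and on a multi-node site the counters belong in a shared layer such as the reverse proxy or CDN rather than in each application instance.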

Elevation of Privilege

Threat: Unauthorized access to admin console
Vulnerability:
  • Improper access controls on the admin URL
  • Public exposure of elevated-privilege URLs
  • Improper access controls on the admin console
Risk:
  • Unauthorized system information disclosure
  • Financial loss to brand

Take countermeasures to mitigate security risks

Some of the countermeasures to mitigate the risks identified above can include the following:

  1. Change well-known default credentials on the platform (e.g. Sitecore admin/b).
  2. Obfuscate or change folder and node names from default (e.g. Sitecore item names).
  3. Identify all APIs and services (REST included, if any) and make inaccessible those that don’t need to be publicly exposed.
  4. Do not allow outside access to public endpoints (URL, form, etc.) without tokenization or some other form of authentication.
  5. Implement and review PCI-DSS and compliance for your site (currently V3.2.1).
  6. Establish governance on code reviews and ensure all code follows OWASP guidelines.
  7. Ensure platform is always up to date as security vulnerabilities are often patched.
  8. Consider enhanced authentication beyond simple login id/password credentials (such as two-factor authentication or one-time passwords) for your site.
  9. Establish proper governance on backups, incident response, business processes and content processes.
  10. Establish clear communication paths from your brand to your customers.

Additional details on Sitecore security are located here, and additional tips on securing the Sitecore Experience Platform are here.

Many of the above countermeasures will apply to Sitecore Experience Commerce, along with the following:

  1. Establish least-privilege on all roles. Basic authors should have Experience Editor access only, etc.
  2. Clearly define roles and item-level access.
  3. Customize roles rather than using the defaults.
  4. Use Active Directory or central IAM for authentication, rather than Sitecore.
  5. Keep the Sitecore Experience Platform and Sitecore Experience Commerce versions up to date.
  6. Minimize roles with admin access.
  7. Disable public access to the /sitecore URL.
  8. Limit or disable access to Sitecore Desktop.

Want to find out how you can secure your Sitecore Experience Commerce or eCommerce implementation? Connect with Avanade to get started.
