Last week, CQL teamed up with Rehmann Technology Solutions to co-host a webinar focused on protecting your business’ online network. Experts from ecommerce development, security operations, and technical security formed a panel to address common security concerns and how to mitigate future security breaches.
These seasoned experts included Rehmann’s Information Security Manager, Kevin Yenglin; CQL’s Co-Owner/Software Architect, Mike Eldred; and Security Expert and Entrepreneur, Dr. Jared DeMott. The webinar was moderated by Rehmann’s Chief Digital Officer, Jim Carpp.
In case you missed it, you can watch the video below, or follow along as we recap the webinar on “Ensuring Your Ecommerce Network is Secure.”
The Basics of Ecommerce and Software Security
You’ve heard it many times, now more than ever before: people are shopping online. If you’re a business owner, this means you’re either familiar with the ecommerce space or you’re thinking of moving your business online. This could be in the form of a custom network or with an ecommerce platform, like Salesforce Commerce Cloud, Magento, Workarea, or Shopify. Whatever the case, keeping your software and network secure is imperative as hackers are becoming more advanced in this digital age. So, what can you do to ensure your backend systems, processes, and transferring of data are secure? We asked our panel of experts.
Kevin Yenglin says, “If you’re going to conduct any business online or through an ecommerce site, you’ll need an SSL certificate. That certificate is going to help with encryption and communications between the customer and the browser they are viewing your website on.” He explains that this SSL certificate gives your site the “s” in “https”, which you can see on secure websites (“http” sites do not use an SSL certificate and are not entirely secure). You will also see the green lock in the URL bar if the site has an SSL certificate. This protects your website at a basic level. The certificate can be obtained through your hosting provider.
So, how long does an SSL certificate last? Kevin notes that as of September 1st, 2020, you can no longer purchase SSL certificates that are good for three years; now only one-year certificates are offered. This is because the longer a certificate is valid, the more opportunity attackers have to try to decrypt it, which creates a potential security breach.
Besides security, an SSL certificate actually affects your ranking in Google and most major search engines. Google does not like to rank sites that are not secure and has directly stated that it favors secure domains in its search results. So, if you want to improve your search results, consider implementing and maintaining an SSL certificate.
Mike Eldred added, “Google Chrome and Firefox typically want you to have that SSL on your site so it doesn’t flag inputs on the browser. HTTPS brings along with it some performance benefits, especially when it comes to pipelining data and caching.”
Treat Security as a Feature for Your Website
When it comes to your site, our panel agrees that security should be treated as a feature, just like your products, checkout, shipping options, and unique service tools. Mike points out, “If your checkout system was failing to transact money, how would you react to that? You would fix that immediately. Same as if your site was leaking data or exposing customers to undue risk. You would treat that as a feature and fix it.”
Speaking from a developer’s perspective, Mike says that there are processes or features (which we’ll touch on later) that you can implement to meet both the timing and budgetary needs of ecommerce projects. However, it’s important to allocate development time to remedy the technical debt those shortcuts create. One thing to keep in mind: if you are not testing your security, someone else will, and that is something you do not want.
So, What About Passwords and Policies? How Do These Come Into Play When Securing Your Network?
When it comes to managing your online website, you most certainly have people on staff that are granted administrative privileges. These privileges come with usernames and passwords to access backend and frontend systems. Both Mike and Kevin have some advice for protecting these systems from being penetrated by outside sources.
They recommend these policies to help protect your company’s passwords:
- Make sure your passwords are rotated and are difficult to reproduce
- Use 2FA/multi-factor authentication
- Utilize tools like LastPass to generate a 20-25 character password
With these in mind, Kevin noted that “The National Institute of Standards and Technology (NIST), which generates much of the cyber security and industry best practices, recommends an eight-character password. Now, it’s really too weak. The longer and more complex the password the better.”
How about Platform Updates and Installations?
No matter what industry you’re in, your site regularly undergoes a series of updates and adjustments to stay up-to-date. In terms of these updates and ecommerce platforms, Mike says, “Depending on who you’re using, you want to make sure those platforms are up-to-date. Developers in charge of those platforms are constantly developing, patching, and fixing bugs.” He adds that this is especially important when it comes to using an open-source solution for your online business. “While it’s getting more eyes on those solutions, the hackers are looking at that source code, as well, and can find those vulnerabilities and can exploit them quicker, and compromise your site.”
Tips for Protecting Your Source Codes
Staying up-to-date with upgrades and installations is only part of the battle when it comes to protecting your ecommerce site. As we mentioned, open-source code solutions have some vulnerabilities, but so do solutions that do not use an open-source code base, or those that require developers to make custom code changes. Here are some tips from Mike on protecting these source codes:
- Make sure developers are doing source code peer reviews. At CQL, a developer writes code and a peer looks at that to make sure it’s safe, and that sensitive information is not exposed.
- Keep your credentials out of source control. These are credentials to external web services that your website may call to get information from, which is then automated into the build process and deployed to the production environment.
- Source code access should be limited to the correct users.
- Whoever is deploying the source code should have multi-factor authentication (MFA). This is something we’ll talk about in the coming sections.
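As an added illustration of the second and fourth tips above (keeping credentials out of source control and gating what gets committed), here is a small pre-commit secret scanner in Python. It is example code written for this recap, not a CQL tool; the rule names, the allowlist marker and the sample settings file are assumptions, and the AWS key in the sample is Amazon’s published example value rather than a live credential.

```python
import re
import sys
from typing import List, Tuple

# Hypothetical rule set for a pre-commit secret scan (assumed names, not a
# published tool). Each rule is a (name, compiled regex) pair.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # A literal string of 8+ characters assigned to a password/secret/key-like name.
    ("hardcoded-credential",
     re.compile(r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]{8,}['"]""")),
]

def find_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule_name) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "pragma: allowlist secret" in line:   # explicit, reviewed exception
            continue
        for name, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

def check_files(paths) -> int:
    """Pre-commit entry point: print findings, return 1 if any were found, else 0."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, rule in find_secrets(fh.read()):
                print(f"{path}:{lineno}: possible secret ({rule})")
                status = 1
    return status

# Constructed sample settings module for the demo. The two literal values are
# the kind of thing that must never be committed; the os.environ lines show the
# alternative of loading credentials at deploy time.
SAMPLE_SETTINGS = '''\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = os.environ["API_KEY"]
SESSION_SECRET = os.environ.get("SESSION_SECRET", "")
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage as a hook: python secret_scan.py <staged files...>
        sys.exit(check_files(sys.argv[1:]))
    for lineno, rule in find_secrets(SAMPLE_SETTINGS):
        print(f"sample:{lineno}: possible secret ({rule})")
```

Wired into a pre-commit hook, a non-zero exit blocks the commit until the value is moved into the environment or a secrets store; the allowlist comment exists so that a reviewed false positive (a test fixture, for instance) can be accepted deliberately rather than by disabling the check.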
The Secure Development Lifecycle: Ensuring Software, Operational, and Network Security
Switching gears, the panel’s security expert, Dr. Jared DeMott, weighed in on the three different domains of development and the practices around software security, as well as operational and network security.
Jared explains, “In 2002, Bill Gates put out a memo called the Trustworthy Computing Memo that covered the idea that we’re all getting hacked left and right, and we need to find a way to do better. So, Microsoft came up with the Secure Development Lifecycle (SDL).”
In this cycle, touchpoints and processes on network security include training, requirements, design, implementation, verification, release, and response. These are outlined below in the SDL chart:
Jared says, “The first three (training, requirements, and design) happen without ever writing a line of code. Once you get into implementation, you ask ‘what tools would we use to write the software?’” In terms of security, Jared emphasizes that DevOps is not enough, you need DevSecOps from the very beginning of the cycle to ensure bugs are spotted early on. “The earlier you find the problem, the cheaper it is to fix. The more automated the process, the more time your security team has to focus on challenging and non-trivial issues, instead of solving the same thing over and over again,” he says.
In terms of security automation, there are tools that help build the path to automatically verify and monitor code, providing quick feedback to developers. Jared shared this Continuous Integration and Continuous Delivery (CI/CD) chart, which lists some of these tools.
Disclaimer: not all of these tools are one-size-fits-all solutions, and are largely dependent on your company’s size and budget. More mature organizations will most likely employ more techniques.
In regard to the CI/CD pipeline, Jared says, “It’s enough to say that as much of a security program as you can build, even if it’s just one engineer at a very small company, is an admirable goal to work towards.” This can start with getting some plug-ins for IDA or some pre-commit hooks.
Security as Code
When it comes to stand-up dynamic environments, understanding security as code can help secure your network. Jared explains this down to infrastructure. “Infrastructure as code means that you are dynamically spinning up a cloud environment of infrastructure and scripting that can be spun up and spun down every time there is a deployment. We want to be sure that the configurations, firewall rules, scanning of docker images, and more are part of that automation.”
For more information on this, check out https://github.com/hysnsec/DevSecOps-Studio.
How to Mitigate and Manage Web Application Risks
Now that we’ve covered the security processes and measures you can implement with your development teams in your network, we can turn to securing web applications and learn how potential risks are mitigated in the web app environment. From a developer’s perspective, Mike says there is a lot that can be done to prevent vulnerabilities. To help cover most of them, he referenced a site commonly used by developers in the web app space, the Open Web Application Security Project (OWASP).
Mike says, “One of the top ones on the list is SQL Injection. This is letting untrusted data be sent to your system and treating it as part of a command or query.” If you have an SQL Injection vulnerability, someone could write a query and list out the tables in the system as products on your page. He continues, “The attacker’s progress through the tables could eventually find an account password and apply it to your admin tools. To mitigate this from happening, you use parameterized queries and other forms based on your ecommerce platform.”
In support of Mike’s web application recommendations, Jared shared the “Top Attack Types Q2 2020” chart, which shows some of the attacks that are still pretty common and well-known (including SQL Injection):
One important element not displayed above is the potential for sensitive data exposure through Insecure Direct Object Reference (IDOR). Mike explains this as allowing somebody to access a piece of data via some sort of ID that can easily be guessed. He says, “Without the necessary protections in place, somebody could take that integer and decrement it and see prior orders or invoices in your system or portal. Customer data could be compromised.”
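To make Mike’s two points concrete, here is an added Python/sqlite3 example that is not from the webinar or from CQL: the same product search written once with string formatting and once with a parameterized query, and an order lookup with and without an ownership check. The shop tables, the rows in them and the crafted search term are constructed for the example.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed in-memory shop database for this example (invented data).
def build_shop_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price_cents INTEGER NOT NULL);
        CREATE TABLE orders   (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, total_cents INTEGER NOT NULL);
        INSERT INTO products VALUES (1, 'Blue Mug', 1200), (2, 'Red Mug', 1250), (3, 'Tea Towel', 800);
        INSERT INTO orders   VALUES (1001, 7, 2450), (1002, 8, 800), (1003, 7, 1200);
    """)
    return conn

# --- SQL injection: the same search, written two ways -------------------------

def search_products_vulnerable(conn, term: str) -> List[Tuple]:
    """BAD: the search term is pasted into the SQL text, so the database
    parses whatever the user typed as part of the query."""
    sql = f"SELECT name, price_cents FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()

def search_products_safe(conn, term: str) -> List[Tuple]:
    """GOOD: parameterized query. The term is bound as a value and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT name, price_cents FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()

# Constructed input of the kind the webinar describes: it makes the vulnerable
# search return the database's table list in place of products.
TABLE_LISTING_INPUT = "' UNION SELECT name, type FROM sqlite_master --"

# --- IDOR: order lookup with and without an ownership check -------------------

def get_order_vulnerable(conn, order_id: int) -> Optional[Tuple]:
    """BAD: parameterized (so no injection), but any caller who guesses an
    order number, e.g. by decrementing their own, reads someone else's order."""
    return conn.execute(
        "SELECT id, customer_id, total_cents FROM orders WHERE id = ?", (order_id,)
    ).fetchone()

def get_order_safe(conn, order_id: int, current_customer_id: int) -> Optional[Tuple]:
    """GOOD: the logged-in customer's id is part of the lookup, so a guessed
    order id that belongs to someone else returns nothing."""
    return conn.execute(
        "SELECT id, customer_id, total_cents FROM orders WHERE id = ? AND customer_id = ?",
        (order_id, current_customer_id),
    ).fetchone()

if __name__ == "__main__":
    db = build_shop_db()
    print("normal search:", search_products_safe(db, "Mug"))
    print("vulnerable search, crafted input:", search_products_vulnerable(db, TABLE_LISTING_INPUT))
    print("safe search, same input:", search_products_safe(db, TABLE_LISTING_INPUT))
    # Customer 7 owns order 1003; decrementing to 1002 reaches customer 8's order.
    print("vulnerable lookup of 1002:", get_order_vulnerable(db, 1002))
    print("safe lookup of 1002 as customer 7:", get_order_safe(db, 1002, 7))
```

The two halves fail in different ways, which is the point: the order lookup is already parameterized and still leaks, because the missing control is authorization, not input handling. The habit that covers both is to pass every user-supplied value as a bound parameter and to make the current user’s identity part of every query that reads their data.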
Kevin added that you can help mitigate these attacks with web app firewalls or protections placed in front of your website or ecommerce site, usually in a hardware or software form factor. He says, “The most common type we see nowadays is some type of SaaS solution. They typically use signature-based policies or rule sets to look up types of attacks.”
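An added example of the signature-based rule sets Kevin describes, written for this recap rather than taken from any WAF product: a handful of regular-expression signatures applied to decoded request targets, run over a few constructed access-log lines. The rule names, the log lines and the IP addresses are invented.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Hypothetical signature rule set (assumed names; not any vendor's product).
# Each rule is applied to the decoded request path + query string.
WAF_RULES = [
    ("sqli-union-select", re.compile(r"(?i)\bunion\b[\s/*]+(?:all\s+)?select\b")),
    ("sqli-tautology", re.compile(r"""(?i)['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""")),
    ("path-traversal", re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")),
]

def normalize(raw_target: str) -> str:
    # Decode twice: a single round lets %2527 through as %27 and past the regexes.
    return unquote_plus(unquote_plus(raw_target))

def inspect_target(target: str) -> List[str]:
    """Return the names of every rule the decoded request target matches."""
    decoded = normalize(target)
    return [name for name, rx in WAF_RULES if rx.search(decoded)]

# Common Log Format line: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines) -> List[Dict]:
    """Run the rule set over parsed log lines; return one alert per matching request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_target(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "rules": hits})
    return alerts

# Constructed access-log excerpt (documentation IP ranges, invented requests).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /products?q=mug HTTP/1.1" 200 1532
203.0.113.9 - - [10/Oct/2020:13:55:40 +0000] "GET /products?q=%27%20UNION%20SELECT%20name%2Ctype%20FROM%20sqlite_master-- HTTP/1.1" 200 8812
198.51.100.2 - - [10/Oct/2020:13:56:01 +0000] "GET /static/../../config.yml HTTP/1.1" 404 210
203.0.113.5 - - [10/Oct/2020:13:57:12 +0000] "POST /checkout HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{alert['ts']} {alert['ip']} {alert['target']} -> {', '.join(alert['rules'])}")
```

Signature matching is only as good as its decoding step and its rule list: without the double decode a doubly-encoded quote slips through, and every rule added needs checking against normal traffic so that, say, a product search for the word “union” is not blocked. Keeping those rules current and tuned is a large part of what a managed SaaS rule set provides.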
In terms of application security (appsec) programs to protect against threats, Jared said, “Good appsec teams will likely find fewer bugs, because they’ve invested in working upfront with engineers.” It’s better if these teams communicate. Tools like Slack help bridge communication between the security engineers and development teams.
What Threats Should We Look Out For?
Our panelists outlined three common threats to look out for when it comes to securing your network.
- Malicious bots, such as analytics bots, scalper bots, and fraud bots: scalpers can use your information to buy items and resell them for profit. Bots can also skew website analytics by misrepresenting actual page views and visits.
- Phishing: Malicious emails that aim at getting users to click on a fake link or call a fake number to gain access to your network.
- Typo-squatting: When an attacker registers a domain similar to yours, so that a mistyped URL leads visitors to a fake or fabricated site that steals their information.
This is All Great, but How Do I Get Started?
Jim asked the panel a key question to wrap up the topic of ecommerce and network security: “If I am a business person, where do I get started? How do I bring this to light?”
Here’s what our expert panel members had to say:
“The number one thing would be education and training,” said Mike.
“Setting your sights on security, and getting started,” said Kevin.
“For me, I would start with the business case. Security is like a form of risk-management in a way. What’s the worst-case scenario if our company were to get completely breached and we lost all of our customer source code, data, and credit card information? What would that cost your company? Then, kind of work backwards from there and figure out what’s appropriate,” said Jared.
Still have questions or have inquiries about ecommerce and network security? Contact us today and we can put you in touch with CQL’s ecommerce development experts, or a member from the webinar panel.