Secure the Storefront
After completing this unit, you’ll be able to:
- List three things a security expert can do to help keep your storefront secure.
- Describe how you can protect against malicious bots in a CDN.
- Explain how a WAF protects your storefront.
- List three pen test considerations.
- Explain how the B2C Commerce APIs use authentication (AuthN) and authorization (AuthZ).
Protect Your Added Capability
Cloud Kicks products are wildly successful, and the Cloud Kicks storefront is attracting more visitors than the company founders ever imagined. That means both friendly customers and malicious robots can access its storefront 24/7.
Commerce-specific bots include bots that impact availability through distributed denial of service (DDoS) attacks, scrape inventory/pricing information for competitive advantages, hotlink images, or attempt to purchase highly coveted products for resale on secondary markets.
It’s critical that companies like Cloud Kicks safeguard their storefront so it can handle all traffic, good or bad.
As Vijay Lahiri, Cloud Kicks developer, plans his headless implementation, he wants to make sure that trust, the most important Salesforce value, is at the forefront of his decisions. He’s all about keeping his company’s data and applications secure. He starts by reviewing security in the system components and layers that work together to make the storefront happen.
First up is the B2C Commerce platform. Like many cloud providers, B2C Commerce engineering regularly patches each platform component to keep the risk of security-related incidents as low as possible. Vulnerabilities also exist outside the platform, such as in the third-party libraries of custom applications. It’s a lot to consider.
That’s why hiring an in-house security expert who’s well-versed in security concepts and technologies is a good investment. Here’s what they can do.
- Ensure developers like Vijay are trained to take the right security measures when building custom applications.
- Keep security in mind when planning for routine software patching.
- Monitor and review application logs in the event of potential security-related incidents.
- Understand a wide variety of web-based vulnerabilities.
- Run security scans and penetration tests on test/sandbox instances to eliminate the risk of corrupting production data if penetration tests modify it.
Vijay wants to protect his storefront any way he can. His top methods include bot detection, web application firewalls (WAF), penetration testing, and API authentication.
Malicious bots are a real and growing threat to ecommerce websites. Because Vijay runs his custom head outside the B2C Commerce platform, it’s important that he consider the various endpoints that malicious bots can target, and learn how to protect them.
One technique to protect against brute force attacks is to implement CAPTCHAs on login pages. Here are some other common types of attacks.
- Account takeover (ATO): A bot takes over a user’s account.
- Carding: Bots use stolen credit cards.
- Checkout abuse: Bots scalp or hoard products that are in tight supply.
- Web scraping: Bots spy on prices and steal content.
Vijay investigates techniques offered by his content delivery network (CDN), such as rate limiting on commonly abused endpoints (for example, login pages and gift card/loyalty balance checks). He wants to block requests to sensitive endpoints unless they contain the headers he expects to see coming from a real user’s browser. (You learned about rate limiting in the previous unit.)
Enable a WAF
Vijay imagines malicious robots busily scanning the Cloud Kicks website for known vulnerabilities, and he is eager to implement a WAF at the CDN level. This protects the application stack at the first point of entry by filtering requests that violate rules based on the Open Web Application Security Project (OWASP) Core Rule Set (CRS). He enables Cloudflare’s WAF in log-only mode so he can review incoming requests that violate OWASP rules before he enables strict (blocking) mode. We recommend you do this to ensure you are comfortable with the traffic being blocked by your CDN. You don't want to block legitimate requests from your users.
Vijay uses the CDN’s firewall rule configuration to build conditions and actions for the firewall to take based on the characteristics of a request issued to the system. For example, to block access to a public endpoint intended for employees, he creates a firewall rule that blocks access unless the request comes from a certain range of IP addresses, or contains a certain header in the HTTP request.
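As an added example (not Cloudflare's or B2C Commerce's code), here is a small evaluator for firewall rules of the kind described above: a rule covers a path prefix and lets a request through if it comes from an allowed IP range or carries the headers expected from a real browser or client, and "log" mode only records violations while "block" mode enforces them. The rule names, header names, IP ranges and sample requests are constructed for this example.

```javascript
// Added example: a CDN-style firewall rule evaluator with log-only and block modes.
// Rules, header names, IP ranges and sample traffic are constructed, not real config.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// True when a dotted-quad IP lies inside a CIDR range such as "203.0.113.0/24".
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function hasHeader(req, name) {
  return Object.keys(req.headers || {}).some((k) => k.toLowerCase() === name.toLowerCase());
}

// A request satisfies a rule if it comes from an allowed range OR carries every required header.
function isAllowed(req, rule) {
  const rangeOk = (rule.allowCidrs || []).some((c) => inCidr(req.ip, c));
  const headersOk = (rule.requiredHeaders || []).length > 0 &&
    rule.requiredHeaders.every((h) => hasHeader(req, h));
  return rangeOk || headersOk;
}

// Decision for one request: "allow", "log" (log-only mode) or "block" (strict mode).
function evaluate(req, rules, mode) {
  const violated = rules
    .filter((r) => req.path.startsWith(r.pathPrefix) && !isAllowed(req, r))
    .map((r) => r.name);
  if (violated.length === 0) return { action: "allow", violated };
  return { action: mode === "block" ? "block" : "log", violated };
}

// Constructed rules: an employee-only endpoint gated by an office IP range or a staff
// header, and a login endpoint that must carry the headers a browser would send.
const RULES = [
  { name: "employee-only", pathPrefix: "/employee/", allowCidrs: ["203.0.113.0/24"], requiredHeaders: ["x-staff-portal"] },
  { name: "login-browser-headers", pathPrefix: "/login", requiredHeaders: ["user-agent", "accept-language"] },
];

// Constructed sample traffic; run it in log-only mode first, then in block mode.
const SAMPLES = [
  { ip: "203.0.113.7", path: "/employee/orders", headers: {} },
  { ip: "198.51.100.9", path: "/employee/orders", headers: {} },
  { ip: "198.51.100.9", path: "/login", headers: { "User-Agent": "curl/8.0" } },
  { ip: "192.0.2.44", path: "/products/123", headers: {} },
];
function runSamples(mode) {
  return SAMPLES.map((req) => evaluate(req, RULES, mode).action);
}
```

Reviewing the "log" decisions before switching a rule to "block" is the step that catches rules that would have blocked legitimate users.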
Multi-Factor Authentication (MFA)
Vijay insists on MFA for his Business Manager users, and any other custom applications he has that support or implement it. MFA has become a standard for authenticating to any system. By implementing multi-factor authentication within his system, he eliminates the possibility of someone authenticating as another user with stolen credentials alone.
Penetration testing (often called pen testing) means performing destructive tests against the system by trying to exploit a wide range of vulnerabilities. Performed throughout the development cycle, pen tests identify application vulnerabilities that allow an attacker to gain access to sensitive back-end data through the front end. They are typically web-based, with no prior knowledge of the system’s architecture. Because they are destructive, Vijay performs them in an environment he can easily rebuild, such as a sandbox or development instance.
Here are some considerations.
- Use an environment that mimics the production environment as closely as possible from an architectural perspective. If the test is successful in modifying back-end data, make sure you can restore or discard the environment when testing is done.
- Review test results with your team and the third party to ensure you understand which vulnerabilities must be fixed prior to go-live, and have a plan to fix the lower-priority items.
- Conduct scans regularly, especially prior to each release. A previous good scan doesn’t mean new vulnerabilities don’t exist, or that new versions of libraries used in your application don’t contain vulnerabilities.
- As you review potential vulnerabilities found during testing, consider how your team would have identified the severity of the breach and who might have been affected. List the data you need to capture and log so you can do a post-mortem analysis in the event of an attempted breach.
Though Vijay is familiar with a variety of pen test tools, he prefers to use a third party with pen test expertise that can present the results in a meaningful way.
Vijay uses B2C Commerce APIs, which require authentication (AuthN) and authorization (AuthZ) for a client to communicate and retrieve data. The application passes the required authentication token for each API request to ensure the application or user can access the requested resource. Once the token is provided within the API request, B2C Commerce determines if the client is authorized to access the requested resource based on the configuration (in Business Manager).
Vijay wants to use NodeJS SDK for his headless implementation. Lucky for him, it automatically handles authentication as part of a method call.
Vijay follows these best practices to help smooth his implementation.
- For traffic analysis, pay attention to the user-agent IDs.
- Make sure they are descriptive to make traffic analytics more meaningful, and to avoid traffic from the client being flagged as potentially malicious.
- Set a user agent by passing a user-agent header with each request that contains a custom value containing the name of the application.
- Add a user-agent property to your implementation.
- Implement continuous integration and continuous deployment (CI/CD) to ensure quality code.
- Manage code in a central repository and use tooling and automation to provide feedback on the quality of changes.
- Automatically deploy code to staging, development, and production instances.
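As an added example (not the NodeJS SDK's or B2C Commerce's own code), here is a minimal request wrapper in the spirit of the API and user-agent practices above: every call carries the auth token and a descriptive User-Agent, and authentication (401) and authorization (403) failures are reported separately so the cause is fixed in the right place. The application name, endpoint paths and the stand-in transport are constructed assumptions.

```javascript
// Added example: a headless client wrapper that sends a token and a descriptive
// User-Agent with each request and distinguishes AuthN from AuthZ failures.
// Application name, paths and the fake transport are constructed for this example.

const APP_NAME = "cloudkicks-headless"; // hypothetical application name
const APP_VERSION = "1.4.2";

// Headers every API request must carry; refuse to build an unauthenticated call.
function buildHeaders(token) {
  if (!token) throw new Error("missing auth token: refusing to call the API unauthenticated");
  return {
    Authorization: `Bearer ${token}`,
    // Descriptive user agent so traffic analytics can attribute requests to this app
    // and the CDN does not treat the client as an anonymous script.
    "User-Agent": `${APP_NAME}/${APP_VERSION}`,
    Accept: "application/json",
  };
}

// 401 means the caller is not authenticated (AuthN); 403 means the caller is
// authenticated but not permitted to access the resource (AuthZ).
function classify(status) {
  if (status === 401) return { ok: false, kind: "authn", fix: "obtain a new token" };
  if (status === 403) return { ok: false, kind: "authz", fix: "check the resource permissions configured in Business Manager" };
  if (status >= 200 && status < 300) return { ok: true, kind: "ok", fix: null };
  return { ok: false, kind: "other", fix: null };
}

// Constructed stand-in for the network: accepts one token and denies an "admin" path
// to it, the way a shopper token would be denied a resource it is not authorized for.
function fakeTransport(path, headers) {
  const token = (headers.Authorization || "").replace("Bearer ", "");
  if (token !== "valid-token") return { status: 401 };
  if (path.startsWith("/admin/")) return { status: 403 };
  return { status: 200, body: { path } };
}

function callApi(path, token, transport = fakeTransport) {
  const headers = buildHeaders(token);
  const res = transport(path, headers);
  return { ...classify(res.status), status: res.status, userAgent: headers["User-Agent"] };
}
```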
Let’s Wrap It Up
In this unit, you learned how security experts can help keep your storefront secure, and how you can protect against malicious bots with a CDN and a WAF. You also learned about the importance of penetration tests, and how some of your components, such as the B2C Commerce APIs and the NodeJS SDK, come with authentication.
In the module, you learned a lot about headless implementation for your B2C Commerce storefront application. Now take this final quiz, and earn an amazing badge.