Pentest Shopify

I have a website that hosted on Shopify's platform. I'm having a 3rd party perform a penetest/security assessment and want to include that website.

I know this can't be done without consent from Shopify, but I was wondering if they'd even allow this? Is it common to do it?

This is new to me

Find more posts tagged with

Comments

DZA_

I would recommend submitting a service request to the Shopify's support team to inquire whether this violates their terms of service and if they do allow, what are their restrictions. I haven't heard personally whether someone was successful at performing a pentest against Shopify's platform. Subscribed as I am interested to know.

tedjames

At a previous job, when a customer would request a test of an application hosted by a third party, the customer would always be required to get said third party's written permission. I would consult with Shopify's legal department. You certainly don't want them (or any big provider, especially not AWS or similar) to come after you for hacking without a get-out-of-jail-free card.

MitM

100% agree. I put a request to shopify earlier, but am still waiting to hear back

Sylabicuma

Following because I am interested!

DZA_

On a side note, I did a quick browse on authorizations against hosting providers for pentesting and this quick reference came up: https://www.4armed.com/blog/list-of-hosting-provider-penetration-testing-authorisation-forms/

MitM

DZA_ said:

On a side note, I did a quick browse on authorizations against hosting providers for pentesting and this quick reference came up: https://www.4armed.com/blog/list-of-hosting-provider-penetration-testing-authorisation-forms/

nice find. I'm still waiting to hear back. I'm hoping to have an answer on Monday

tedjames

If Shopify agrees, they'll want full disclosure including all contacts, especially 24-7, your source IPs, etc.

MitM

Update: Still waiting for the team to get a response from Shopify

MitM

wish I had better news on this. Shopify's response was pretty much, we've heard about people running these tests but we don't get involved. We don't find them necessary, as our platform is secure and we're PCI compliant.

Still trying to get answers

paul78

MitM said:

.... We don't find them necessary, as our platform is secure and we're PCI compliant.

Still trying to get answers ...

LOL - sounds like a company that doesn't get it. I look forward to reading about Shopify being breached in the news.

Usually, if they claim PCI compliance, then they should have a pentest report you can review. And depending on their PCI level, I would normally ask for the ROC or SAQ. If they give you an AOC, you should push back.

MitM

paul78 said:

MitM said:

.... We don't find them necessary, as our platform is secure and we're PCI compliant.

Still trying to get answers ...

LOL - sounds like a company that doesn't get it. I look forward to reading about Shopify being breached in the news.

Usually, if they claim PCI compliance, then they should have a pentest report you can review. And depending on their PCI level, I would normally ask for the ROC or SAQ. If they give you an AOC, you should push back.

This has been so annoying. They said Shopify is Level 1 PCI DSS compliant.

I'm not all that knowledgeable in this area, so any advice is appreciated

paul78

@MitM - so if Shopify is Level 1 - that's the highest level. If I understand their business correctly, they are probably classified as a Service Provider so the PCI requirements should be a lot more stringent. It also means that they must have been assessed by a PCI QSA.

So if you can't include them in your pentest, you could still do a formal third-party risk review of their solution as it pertains to the service that they are providing to you. (assuming of course that's in your contract with them). I would normally start by asking for their PCI ROC or Report on Compliance. They try to give you their AOC (attestation of compliance) instead but that document is usually not as detailed and not as useful.

One issue with PCI is that many companies will define an extremely narrow scope of their card data environment (CDE) so being PCI compliant will not give you a good idea of how secure an organization is. You could also ask if they have a SOC report which could cover a broader scope.

Unfortunately - many companies believe that compliance to a standard like PCI or a SOC audit is a destination when it is actually the start of a journey.

tedjames

MitM said:

wish I had better news on this. Shopify's response was pretty much, we've heard about people running these tests but we don't get involved. We don't find them necessary, as our platform is secure and we're PCI compliant.

When companies make this statement, it's as if they're inviting people to try to hack them, kind of like this guy:

https://www.wired.com/2010/05/lifelock-identity-theft/

MitM

I was able to get written authorization from Shopify. No set date or time, just a "we approve you to test".

Totally ridiculous but it'll do

Daskery

Sounds cool.