Pentest Shopify
I have a website that is hosted on Shopify's platform. I'm having a 3rd party perform a pentest/security assessment and want to include that website.
I know this can't be done without consent from Shopify, but I was wondering if they'd even allow this? Is it common to do it?
This is new to me
Comments
-
DZA_: I would recommend submitting a service request to Shopify's support team to inquire whether this violates their terms of service and, if they do allow it, what their restrictions are. I haven't heard personally whether someone was successful at performing a pentest against Shopify's platform. Subscribed as I am interested to know.
-
tedjames: At a previous job, when a customer would request a test of an application hosted by a third party, the customer would always be required to get said third party's written permission. I would consult with Shopify's legal department. You certainly don't want them (or any big provider, especially not AWS or similar) to come after you for hacking without a get-out-of-jail-free card.
-
MitM: 100% agree. I put in a request to Shopify earlier, but am still waiting to hear back.
-
DZA_: On a side note, I did a quick browse on authorizations against hosting providers for pentesting and this quick reference came up: https://www.4armed.com/blog/list-of-hosting-provider-penetration-testing-authorisation-forms/
-
MitM:
DZA_ said: On a side note, I did a quick browse on authorizations against hosting providers for pentesting and this quick reference came up: https://www.4armed.com/blog/list-of-hosting-provider-penetration-testing-authorisation-forms/
-
tedjames: If Shopify agrees, they'll want full disclosure including all contacts, especially 24-7, your source IPs, etc.
-
MitM: Wish I had better news on this. Shopify's response was pretty much: we've heard about people running these tests but we don't get involved. We don't find them necessary, as our platform is secure and we're PCI compliant.
Still trying to get answers.
-
paul78:
MitM said: ... We don't find them necessary, as our platform is secure and we're PCI compliant. Still trying to get answers ...
LOL - sounds like a company that doesn't get it. I look forward to reading about Shopify being breached in the news. Usually, if they claim PCI compliance, then they should have a pentest report you can review. And depending on their PCI level, I would normally ask for the ROC or SAQ. If they give you an AOC, you should push back.
-
MitM:
paul78 said: MitM said: ... We don't find them necessary, as our platform is secure and we're PCI compliant. Still trying to get answers ...
LOL - sounds like a company that doesn't get it. I look forward to reading about Shopify being breached in the news. Usually, if they claim PCI compliance, then they should have a pentest report you can review. And depending on their PCI level, I would normally ask for the ROC or SAQ. If they give you an AOC, you should push back.
I'm not all that knowledgeable in this area, so any advice is appreciated.
-
paul78: @MitM - so if Shopify is Level 1 - that's the highest level. If I understand their business correctly, they are probably classified as a Service Provider, so the PCI requirements should be a lot more stringent. It also means that they must have been assessed by a PCI QSA.
So if you can't include them in your pentest, you could still do a formal third-party risk review of their solution as it pertains to the service that they are providing to you (assuming, of course, that's in your contract with them). I would normally start by asking for their PCI ROC or Report on Compliance. They try to give you their AOC (Attestation of Compliance) instead, but that document is usually not as detailed and not as useful.
One issue with PCI is that many companies will define an extremely narrow scope of their card data environment (CDE), so being PCI compliant will not give you a good idea of how secure an organization is. You could also ask if they have a SOC report, which could cover a broader scope.
Unfortunately, many companies believe that compliance to a standard like PCI or a SOC audit is a destination when it is actually the start of a journey.
-
tedjames:
MitM said: Wish I had better news on this. Shopify's response was pretty much: we've heard about people running these tests but we don't get involved. We don't find them necessary, as our platform is secure and we're PCI compliant.
https://www.wired.com/2010/05/lifelock-identity-theft/
-
MitM: I was able to get written authorization from Shopify. No set date or time, just a "we approve you to test".
Totally ridiculous, but it'll do.