Pentest Shopify

MitMMitM Member Posts: 622 ■■■■□□□□□□
I have a website that hosted on Shopify's platform.  I'm having a 3rd party perform a penetest/security assessment and want to include that website.

I know this can't be done without consent from Shopify, but I was wondering if they'd even allow this?  Is it common to do it?

This is new to me :)

Comments

  • DZA_DZA_ Member Posts: 467 ■■■■■■■□□□
    I would recommend submitting a service request to the Shopify's support team to inquire whether this violates their terms of service and if they do allow, what are their restrictions. I haven't heard personally whether someone was successful at performing a pentest against Shopify's platform. Subscribed as I am interested to know.  
  • tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    At a previous job, when a customer would request a test of an application hosted by a third party, the customer would always be required to get said third party's written permission. I would consult with Shopify's legal department. You certainly don't want them (or any big provider, especially not AWS or similar) to come after you for hacking without a get-out-of-jail-free card.
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    100% agree. I put a request to shopify earlier, but am still waiting to hear back
  • SylabicumaSylabicuma Member Posts: 26 ■■■□□□□□□□
    Following because I am interested!
  • DZA_DZA_ Member Posts: 467 ■■■■■■■□□□
    On a side note, I did a quick browse on authorizations against hosting providers for pentesting and this quick reference came up: https://www.4armed.com/blog/list-of-hosting-provider-penetration-testing-authorisation-forms/
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    DZA_ said:
    On a side note, I did a quick browse on authorizations against hosting providers for pentesting and this quick reference came up: https://www.4armed.com/blog/list-of-hosting-provider-penetration-testing-authorisation-forms/
    nice find.  I'm still waiting to hear back.  I'm hoping to have an answer on Monday
  • tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    If Shopify agrees, they'll want full disclosure including all contacts, especially 24-7, your source IPs, etc.
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    Update: Still waiting for the team to get a response from Shopify
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    wish I had better news on this. Shopify's response was pretty much, we've heard about people running these tests but we don't get involved. We don't find them necessary, as our platform is secure and we're PCI compliant.

    Still trying to get answers
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    MitM said:
    .... We don't find them necessary, as our platform is secure and we're PCI compliant.

    Still trying to get answers ...

    LOL - sounds like a company that doesn't get it. I look forward to reading about Shopify being breached in the news.

    Usually, if they claim PCI compliance, then they should have a pentest report you can review. And depending on their PCI level, I would normally ask for the ROC or SAQ. If they give you an AOC, you should push back.

  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    edited January 2019
    paul78 said:
    MitM said:
    .... We don't find them necessary, as our platform is secure and we're PCI compliant.

    Still trying to get answers ...

    LOL - sounds like a company that doesn't get it. I look forward to reading about Shopify being breached in the news.

    Usually, if they claim PCI compliance, then they should have a pentest report you can review. And depending on their PCI level, I would normally ask for the ROC or SAQ. If they give you an AOC, you should push back.

    This has been so annoying.  They said Shopify is Level 1 PCI DSS compliant.

    I'm not all that knowledgeable in this area, so any advice is appreciated
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    @MitM - so if Shopify is Level 1 - that's the highest level. If I understand their business correctly, they are probably classified as a Service Provider so the PCI requirements should be a lot more stringent. It also means that they must have been assessed by a PCI QSA.

    So if you can't include them in your pentest, you could still do a formal third-party risk review of their solution as it pertains to the service that they are providing to you. (assuming of course that's in your contract with them). I would normally start by asking for their PCI ROC or Report on Compliance. They try to give you their AOC (attestation of compliance) instead but that document is usually not as detailed and not as useful. 

    One issue with PCI is that many companies will define an extremely narrow scope of their card data environment (CDE) so being PCI compliant will not give you a good idea of how secure an organization is. You could also ask if they have a SOC report which could cover a broader scope. 

    Unfortunately - many companies believe that compliance to a standard like PCI or a SOC audit is a destination when it is actually the start of a journey. 
  • tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    MitM said:
    wish I had better news on this. Shopify's response was pretty much, we've heard about people running these tests but we don't get involved. We don't find them necessary, as our platform is secure and we're PCI compliant.
    When companies make this statement, it's as if they're inviting people to try to hack them, kind of like this guy:

    https://www.wired.com/2010/05/lifelock-identity-theft/
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    I was able to get written authorization from Shopify. No set date or time, just a "we approve you to test".

    Totally ridiculous but it'll do
  • DaskeryDaskery Member Posts: 7 ■■□□□□□□□□
Sign In or Register to comment.