E-commerce is an ever-growing industry, with more and more attention paid to keeping consumer data safe. Take Shopify: the platform is trusted by millions of brands to easily sell, ship, and process payments all around the world. Its numerous e-commerce and point-of-sale features allow online merchants to start, run, and grow their operations. A large part of that process is to build branded websites that provide a seamless customer experience. That is exactly what GemPages aims to deliver.
GemPages’ web design platform makes it easy to build beautiful branded websites and high-converting Shopify stores without having to write a single line of code. But to further support their customers' operations, GemPages is committed to thorough security standards. This ensures they successfully defend highly sensitive store, product, and customer information, and that they comply with Shopify’s privacy policy and partner agreement.
By partnering with Cobalt, GemPages has taken a proactive approach to review security practices including arranging web application and API pentests. During testing, our pentesters identified a variety of vulnerabilities that were fixed by GemPages' team within a month after finalizing the pentest, which shows GemPages’ commitment to following security best practices. These fixes were then verified by the Cobalt team.
We sat down with them to learn more about how they tackle security in a world as dynamic as e-commerce.
What can you tell us about the security landscape in the e-commerce industry?
There are many underground forums that sell data such as credit card information, email information, and users’ phone information. E-commerce sites are the target of hackers because shoppers often use credit cards to make purchases. From there, hackers can use a number of methods such as XSS and SQL Injection to obtain customer credit card information.
The buyer's personal information will also be easily hacked if the e-commerce site has a poor security system. And when a site is hacked, it will cause a heavy impact on the brand’s business and reputation.
How do you protect and process data in-app?
GemPages stores a lot of information about customers, such as personal information on Shopify and customer tokens — on the app, and not encrypted in the database. The team carefully validates and checks the code so that the APIs do not return redundant data and uses a scanning tool to check all possible SQL Injection errors in the system, to ensure customer data is very unlikely to be exposed.
We utilize common frameworks and libs in the software development process, such as:
- Server: Heroku, Amazon Web Services
- Framework: Ruby on Rails
- Libs: devise, shopify_app, shopify_api
What role does penetration testing play in your security program?
In May, we detected that our security measures, though put in place, needed improvement to ensure the safety of our customers. Our team researched and rectified any existing risks. As a safety precaution, our team found that it was necessary to test our current system and guarantee the privacy of our customers.
It became clear: a pentest was necessary to tighten up all security gaps and prevent future breaches.
What have been some of the challenges you’ve faced with setting up and running penetration tests? And, how does Cobalt remove some of those challenges?
Cobalt provides excellent coverage with a lot of requirements like authentication, data protection, validation, and more. For every issue they find, they provide a lot of context such as details about the issue, how to reproduce it, and a suggested fix. Cobalt was professional throughout the process, and if there is an issue the customer misunderstood, their pentester support has been very enthusiastic about explaining it and providing support.
Final Thoughts From the Team at Cobalt
In an industry as dynamic and targeted as e-commerce, it’s great to see companies like GemPages truly commit to good cybersecurity practices. They take a proactive and collaborative approach to improving their security controls. The GemPages team was very active in the Slack channel created for the pentest to allow real-time communication with pentesters. GemPages also provided a detailed and well-documented scoping brief to facilitate pentester research during the 14 days of engagement. Their approach signaled to us that they were driven, proactive, and committed to improving their security. We consider them a great example for other e-commerce companies to follow, and look forward to working further with them in the future.