Melonheads


Top 3 Vulnerabilities Often Missed in Commerce Cloud

One of the key drivers of the U.S. economy is consumer spending. Retailers have been on the forefront of innovation in advancing the customer experience. Not too long ago, prognosticators suggested the internet would lead to the demise of brick-and-mortar stores. Today, retailers have responded with a sophisticated fabric of the web, social media, and traditional stores. They have been able to unite these customer experiences by using powerful, customizable software like Salesforce Commerce Cloud.

Protecting Customer Data & Your Brand

These retailers are presented with a complex task. In order to empower their employees to respond to customer requests, they must make sure that customer data is available, but also protected. Relying on a trusted partner like Salesforce makes abundant sense. But, every retailer is different and the speed at which they can both innovate and provide better experiences can be a competitive advantage. Because Salesforce Commerce Cloud is customizable, they can quickly develop and deploy new software.

These developers need to be able to focus on the demands of their business, but at the same time, they need to be cybersecurity experts. After all, it is possible to introduce security vulnerabilities when developing for Salesforce. This means those developers need to spend precious time reviewing their code for cybersecurity vulnerabilities and having a robust review process to avoid overlooking a flaw. 

DigitSec Enhances Security

There is only one product on the market that can assist developers who are building for Salesforce Commerce Cloud: DigitSec. Melon works with DigitSec to automate security scanning at every step of the development process, so developers can spend their expertise and time on client innovation as well as cybersecurity.

Some of the most concerning flaws we have seen in Salesforce Commerce Cloud code and configuration are the kind that could affect customer data and damage trust in your brand. They put the data the business relies on at risk of unauthorized access, and they can also expose customer personally identifiable information (PII) to leakage and theft. Either consequence could be disastrous for a brand, so it is critical to protect against these potential vulnerabilities.

3 Common Commerce Cloud Vulnerabilities

  1. Data Leakage

    A particularly pernicious vulnerability often seen in eCommerce stems from the fact that developers are frequently tasked with making multiple web systems work together. One system might manage the shopping experience, another website might manage the checkout experience, and a third might manage the customer service experience. The developer's goal is to give the end user as seamless an experience as possible, and they will often rely on API integrations to do so. But there need to be safeguards in place around those API integrations to ensure that customer data is not exposed through manipulation attacks.

  2. Cross-site Scripting

    One security flaw that Salesforce Commerce Cloud code can be vulnerable to is Cross-Site Scripting (XSS). This covers a wide array of code injection attacks in which malicious code is executed in a way that circumvents typical browser protections. It would potentially be possible for a malicious hacker to use this vulnerability to have the Salesforce Commerce Cloud storefront load injected code and have an unsuspecting employee accidentally trigger its execution.

  3. Cross-site Request Forgery

    Another vulnerability, similar to XSS, is Cross-Site Request Forgery (CSRF). Again, attackers take advantage of the browser to initiate malicious requests. If the code does not consistently check that every request comes from an authenticated, valid user session, attackers can find ways for a script to execute a commercial transaction without the customer's knowledge. This could mean purchasing and shipping products according to the attacker's wishes.

A System for Security

Each of these vulnerabilities can be addressed by following safe coding practices, such as using encoding functions to protect user-generated input from code injection, or by eliminating the practice of passing user-generated input to the browser for redirects. But sometimes, in the interest of getting things to work or without realizing the danger, developers overlook these safeguards. Having a system in place that can quickly and reliably guard against these issues allows the entire team to focus on their business. The transparency that comes from regular reports also benefits administrators and managers, who need a clear understanding of any potential threats.

Proof-of-Concept to demonstrate the value

Melon/DEPT® is the go-to partner for the planning, launch, marketing, and promotion of successful Salesforce Commerce Cloud sites. DigitSec is the platform that brings fast, highly accurate automated security to your online stores. They offer a complimentary PoC that gives you full access to the platform so you can experience it for yourself.
Contact DigitSec to start yours today.