Content management systems (CMS) and e-commerce platforms are great together — like mixing chocolate and peanut butter. Think of an enterprise CMS as a rich database system that holds all of the images and information about the products and services a company offers. An e-commerce platform functions as the store, offering everything from a product search and recommendation engine to an interface to customer records to transaction management to payment processing.
Put a CMS and e-commerce platform together, and customers can find everything in one place, from product spec sheets to price lists to sales records. It’s everything a company needs to run a flourishing and successful business, nurturing customers before, during, and after the sales transaction.
However, if the technology isn’t implemented correctly, this marvel also represents everything that a bad actor needs to gain access to a company’s online assets. That includes trade secrets (such as inventories and price discount sheets), lists of partners and suppliers, discount codes, and legally protected information about customers.
Whether the CMS and e-commerce platforms are combined in an all-in-one comprehensive suite, or are disparate systems integrated together, the risks and potential weak spots are mainly the same. If a company has an all-in-one system, a single exploited vulnerability or phishing-enabled breach could give cybercriminals everything in one fell swoop. If the company has integrated separate CMS and e-commerce platforms, not only does the tech team now have multiple potential sources of intrusion, but the integration points themselves may be vulnerable to attack, or at least to snooping.
Fortunately, there are plenty of steps security teams can take to protect any content-driven e-commerce architectural model:
- Follow all the usual cybersecurity best practices. That means applying patches and fixes to operating systems, applications, drivers, and libraries. This sounds simplistic, but failure to make these updates in a timely fashion is a leading cause of breaches. Also, employ strong encryption for data in transit and at rest. Make sure the company always uses strong, hard-to-guess passwords, changes every password from its default, and activates two-factor authentication wherever possible, for all communications.
- Gather the least amount of customer information possible and be careful where (and how) the company stores that data. If bad actors steal inventory or pricing data, that hurts. If bad actors steal customer credit card numbers or medical information, the market impact, civil lawsuit penalties, and adverse publicity could put the company out of business. Oh, don’t forget those expensive HIPAA and GDPR fines, depending on what and where data gets stolen.
- Use penetration testing tools and services. No matter whether it’s off-the-shelf software, tailored by consultants, or home-grown, security teams still need to: test, test, test. Conduct pen tests regularly and thoroughly. Not only do systems become less secure if they are not maintained properly; the service landscape also changes, and attackers keep getting more sophisticated. If the company hasn’t pen tested recently, or used a white-hat firm to assess defenses, the security team is flying blind.
- Subscribe to a threat assessment news and reporting service. The security team needs to watch for zero-day threats and other vulnerabilities published by organizations like the U.S. Cybersecurity and Infrastructure Security Agency. It’s not enough to receive the reports; the team needs to read them and act on them. A recent example with a very large impact was the vulnerability in the popular Log4j library: every organization that uses Log4j needed to update to version 2.16 or later immediately. Is there someone in the organization responsible for knowing about that sort of incident? If not, there’s a vulnerability right there.
- Vet all software suppliers, and make sure they follow secure coding and operation practices. If the company uses cloud services, examine them carefully. Consider everything. For example, the CMS company I work for has been certified at the highest level for its security practices. These protocols include regular code reviews, strict access control, anomaly detection and rigorous security testing. Expect nothing less from every supplier.
- Make sure the company’s own developers, contractors, and consultants follow secure coding practices. This applies to local applications, web applications, mobile apps, integration APIs, and even reporting systems. Developers need to stay aware of the most common problems and apply the learnings from the OWASP Top 10. Use developer tools and test suites that mandate and audit secure coding practices.
- Enforce multi-factor authentication for every authorized user, and institute least-privilege security. Nobody needs full access to everything, and not every system should access every other system. That’s because if a user account, access key, or certificate becomes compromised (such as through phishing) or a computer system gets hacked (such as by exploiting a zero-day vulnerability), the security team needs to contain the damage.
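The containment argument above (a compromised integration key or account should reach only what it was granted) is easiest to see in code. The following is an added example, not code from the article or from Storyblok or any e-commerce platform: a deny-by-default authorization check for the links between a CMS and a shop, where every principal carries explicit grants, administrative actions additionally require an MFA-verified session, and a helper enumerates exactly what a stolen credential could do. The system, resource and action names are assumptions chosen for illustration.

```python
"""Deny-by-default, least-privilege authorization for CMS <-> e-commerce integration.

Added example; not the article's or any vendor's code. System/resource/action
names are assumptions for illustration.
"""
from dataclasses import dataclass
from itertools import product

SYSTEMS = ("cms", "shop")
RESOURCES = ("products", "customers", "orders", "discounts")
ACTIONS = ("read", "write", "admin")

# Actions that may only be performed from a session that passed MFA.
MFA_REQUIRED_ACTIONS = {"admin"}


@dataclass(frozen=True)
class Grant:
    system: str    # "cms", "shop", or "*" for any
    resource: str  # one of RESOURCES, or "*" for any
    action: str    # one of ACTIONS, or "*" for any

    def covers(self, system: str, resource: str, action: str) -> bool:
        return (self.system in ("*", system)
                and self.resource in ("*", resource)
                and self.action in ("*", action))


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str               # "user" (a person) or "service" (an integration key)
    grants: frozenset       # frozenset[Grant]; empty means no access at all


def authorize(principal: Principal, system: str, resource: str, action: str,
              mfa_verified: bool = False) -> tuple:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if not any(g.covers(system, resource, action) for g in principal.grants):
        return False, f"no grant for {system}:{resource}:{action}"
    if action in MFA_REQUIRED_ACTIONS and not mfa_verified:
        return False, "admin action requires an MFA-verified session"
    return True, "granted"


def blast_radius(principal: Principal) -> list:
    """Everything a holder of this credential could do WITHOUT an MFA session,
    i.e. what an attacker gets if the key or password alone is stolen."""
    return sorted(
        (s, r, a) for s, r, a in product(SYSTEMS, RESOURCES, ACTIONS)
        if authorize(principal, s, r, a, mfa_verified=False)[0]
    )


# Constructed principals (assumptions, not from the article).
# The sync job only needs to read product content from the CMS and push it to the shop.
SYNC_KEY = Principal("cms-to-shop-sync", "service", frozenset({
    Grant("cms", "products", "read"),
    Grant("shop", "products", "write"),
}))
# A merchandiser edits discounts but never touches customer records.
MERCHANDISER = Principal("merchandiser", "user", frozenset({
    Grant("shop", "discounts", "write"),
    Grant("shop", "products", "read"),
}))
# An administrator holds a wildcard grant, but admin actions still need MFA.
ADMIN = Principal("platform-admin", "user", frozenset({Grant("*", "*", "*")}))


if __name__ == "__main__":
    # A stolen sync key cannot be replayed against customer data.
    print(authorize(SYNC_KEY, "shop", "customers", "read"))
    for p in (SYNC_KEY, MERCHANDISER, ADMIN):
        print(p.name, "->", blast_radius(p))
```

The point of `blast_radius` is that it is something a security team can run over every issued credential: if the list for an integration key contains anything the integration does not actually need, the grant is too wide and should be trimmed before, not after, the key leaks.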
- Log everything and analyze those logs for anomalies and attack patterns. The security team should log every transaction, every privileged login to the CMS or e-commerce platform, and every error caused by someone entering a bad password. Don’t trust humans to understand those logs; modern-day attacks are both fast and subtle, and there’s too much data to correlate for patterns. Use machine learning-based tools to monitor events and logs, and as in the fourth point above, make sure there’s someone responsible for receiving, reading, and following up on those reports.
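As an added example (not code from the article, nor from any CMS or e-commerce product), here is the kind of rule-based pass over authentication logs that the point above describes: it flags bursts of failed logins from one source (distinguishing a single-account brute force from password spraying across many accounts), a success that immediately follows such a burst, and privileged logins outside business hours or from an address not on the team's allow-list. The log format, the sample lines, the thresholds and the allow-list are all constructed assumptions; a machine-learning tool would replace the fixed thresholds, but the events worth feeding it are the same.

```python
"""Rule-based anomaly checks over CMS / e-commerce login logs.

Added example; not the article's or any vendor's code. Log format, sample
lines, thresholds and the admin IP allow-list are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line:
# <ISO-8601 UTC time> <system> <event> user=<name> ip=<addr> [role=<role>]
SAMPLE_LOG = """\
2024-03-01T02:10:01Z shop login_failed user=alice ip=198.51.100.7
2024-03-01T02:10:03Z shop login_failed user=bob ip=198.51.100.7
2024-03-01T02:10:04Z shop login_failed user=carol ip=198.51.100.7
2024-03-01T02:10:06Z shop login_failed user=dave ip=198.51.100.7
2024-03-01T02:10:08Z shop login_failed user=erin ip=198.51.100.7
2024-03-01T02:10:11Z shop login_ok user=erin ip=198.51.100.7
2024-03-01T09:15:00Z cms login_ok user=admin ip=203.0.113.5 role=admin
2024-03-01T09:16:00Z cms login_failed user=frank ip=203.0.113.9
2024-03-01T23:40:00Z cms login_ok user=admin ip=192.0.2.44 role=admin
"""

FAIL_THRESHOLD = 5              # this many failures from one IP ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window raises an alert
BUSINESS_HOURS = range(7, 20)   # privileged logins expected 07:00-19:59 UTC
KNOWN_ADMIN_IPS = {"203.0.113.5"}  # assumption: allow-list the team maintains


def parse_line(line: str) -> dict:
    """Split one log line into a dict; key=value fields become dict entries."""
    ts, system, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "system": system, "event": event, **fields}


def analyze(log_text: str) -> list:
    """Return a list of (alert_kind, ip, timestamp, detail) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> deque of (ts, user) in WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ts, ip, user = ev["ts"], ev["ip"], ev["user"]

        if ev["event"] == "login_failed":
            q = recent_failures[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > WINDOW:   # drop failures older than WINDOW
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                accounts = {u for _, u in q}
                # many accounts from one IP looks like password spraying /
                # credential stuffing; one account looks like brute force
                kind = "credential_stuffing" if len(accounts) > 1 else "brute_force"
                alerts.append((kind, ip, ts,
                               f"{len(q)} failures across {len(accounts)} account(s)"))

        elif ev["event"] == "login_ok":
            q = recent_failures.get(ip)
            if q and ts - q[-1][0] <= WINDOW:
                alerts.append(("success_after_failures", ip, ts,
                               f"user={user} succeeded after {len(q)} failures"))
            if ev.get("role") == "admin":   # privileged login: extra scrutiny
                if ts.hour not in BUSINESS_HOURS:
                    alerts.append(("privileged_login_off_hours", ip, ts,
                                   f"user={user} system={ev['system']}"))
                if ip not in KNOWN_ADMIN_IPS:
                    alerts.append(("privileged_login_new_ip", ip, ts,
                                   f"user={user} system={ev['system']}"))
    return alerts


def summarize(alerts: list) -> dict:
    """Count alerts per kind; the kind of digest someone must be on the hook to read."""
    counts = defaultdict(int)
    for kind, *_ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for kind, ip, ts, detail in found:
        print(f"{ts.isoformat()} {kind:28} {ip:15} {detail}")
    print(summarize(found))
```

On the constructed log this raises four alerts: the five-account failure burst from 198.51.100.7, the successful login from that same address seconds later (the one to investigate first, since it is a likely compromised account), and the admin login at 23:40 from an unlisted address, which trips both the off-hours and the new-IP rules. The first admin login, during business hours from the listed address, produces nothing, which is the behaviour a noisy tool has to get right before anyone will keep reading its reports.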
- Work with banks and payment processors to ensure the company implements e-commerce correctly. There are many practices for working with ACH transfers and credit-card payments. Some of these appear obvious, such as using CVV values on credit cards, and verifying that shipping addresses match the bank account’s address—but e-commerce platforms may not enable those extra levels of validation by default. I would also use a service that specializes in payment transactions. These services are certified according to PCI DSS requirements and the company can focus on its core competencies.
Tying a content management system into an e-commerce platform can drive the business forward, by giving customers and partners access to the richest possible experience before, during, and after the sale. There’s every reason to embrace CMS-enriched e-commerce. Just do it safely and securely.
Sebastian Gierlinger, vice president of engineering, Storyblok