
[Shopify] E-commerce site security: Main body and third-party apps

When creating an e-commerce site and considering security, it is necessary to think of the "main body" and "third-party apps" separately.

Why?

I think you may have some questions, so I will explain it as simply as possible! If you run an e-commerce site, you will almost certainly use third-party apps!

First you need to understand the distinction to a certain extent, because there will be situations where you have to weigh the risks against the convenience. For now, please read this as basic knowledge.


What are the main body and third parties?

When creating an EC site, security issues need to be considered separately in terms of the "main body" and "third parties."

Please refer to this blog for more details about the main body.

This time, the topic is third-party apps.

When you Google "information leaks from Shopify," a topic that we specialize in, you will always come across one article.

---

Shopify customer data breach: 179,873 details exposed due to third-party app

---

You should find news headlines like this.


Yes, the "third party app" in that headline is the same "third-party app" we are talking about here.

In other words, the information did not leak from the "main body" but simply from a third-party app.

When it comes to creating an EC site, you can think of the "main body" as the platform.
For more details, please read another blog, but when using an ASP or mall, the risk of information leaking from the "main body" is quite small.

However, you may be wondering, "Isn't this a Shopify app?"

So, let’s start by understanding what an app is.

 

Generally speaking, what is an app?

When creating an e-commerce site, it is common to install and use "apps" and "plugins" in addition to the main site.

You can think of the apps you install here in the same way as "smartphone apps."

Taking Shopify as a representative example of an ASP, think of Shopify as the iPhone.

Then there are apps like Gmail and Instagram, and also games like "Uma Musume," right?


All of them are third-party apps (though there are some genuine Apple apps as well).


Even if your personal information was leaked due to a "game" you installed, you wouldn't say that it was leaked from your iPhone, would you? I think you would realize that it was leaked from the server of that "game."

Although the "information itself" is indeed information that was initially registered via the Apple Store, I don't think many people would blame Apple for the leak.

Furthermore, I think it is fairly well known that for large games, the servers used are not those operated by Apple, but by the game company itself.

When it comes to games, you often hear things like, "The management servers are a pain!" But if you think about it, it's pretty obvious that the app company is the one managing those servers.

First of all, please understand that an app is something separate from the main body.

 

Apps on EC sites

When creating and running an e-commerce site, the functions of the main body alone are not enough, so in most cases you will need to use an "app."

Some of the apps you install are "apps that do not take out information": they use the main body's database and output only processed information.

There are also "information sharing apps" that link information with a server, or upload it to a server, process it, and send it back.

You need to be especially careful with apps that involve sharing information.

In most cases, app companies run their apps on cloud servers using services such as AWS or Azure, and security on that side is "up to the app company."

As I wrote in the blog on main body security, capital is important when it comes to security. Major apps tend to have higher security to a certain extent, but this is not absolute.

A company that uses a third-party app cannot improve that app's security itself, so to some extent there is no choice but to "trust" the app company.

 

No, that's too scary to use

 

Developing an app in-house can be very expensive, so it's best to know from the start that you'll have to use some kind of app.

 

A commonly used example would be a CRM (customer relationship management) tool.


It may be difficult to understand what CRM is, but if you say something like "email newsletter stand," it may be easier to imagine what it is.

There has long been something called an "email newsletter stand" for issuing e-mail newsletters, but doesn't that mean entrusting the management of the information to a location other than your own company?

The "mailing list" for distributing e-mail newsletters should be registered in the e-mail newsletter distribution software (usually a cloud-based server).

At that point, there is not much that a company can do in terms of security, so it will have to depend to a certain extent on the email newsletter stand company.

Therefore, when it comes to third-party apps that handle "customer information," it is a good idea to carefully consider their track record and reliability.

 

Not only with ASPs but also with malls, apps that can be downloaded from the official store must have passed a certain level of screening, so all you can do is trust that most of them are fine!

If you are still concerned, it is best to choose apps with a strong track record.

 

Summary

The use of third-party apps is very convenient in terms of operations, and there are many that can contribute to increasing sales and significantly reduce the operational effort at hand, so I think that using them is basically unavoidable when operating an e-commerce site.

So, instead of increasing the number of apps that handle personal information unnecessarily, plan ahead and only use trustworthy apps!

Unfortunately, there is no such thing as perfect security in the world.

How do you balance security and convenience in this environment?

I can't say that you have to accept risk, but it is very important to always keep an eye on information and be sensitive enough to detect dangerous information.

Among hackers, there are also trends like "this is what's popular right now."

If you're worried, it's a good idea to find a company that can provide support in these areas!


Please contact us if you have any problems with Shopify.

Cave de Script Inc.
