Application Penetration Test

YaelBY

Hi

We're in the process of developing an app; part of our dev process (pre-submission) includes penetration tests.

In order to perform the Penetration Test (PT) for our app, we'll make API calls both to our platform and to Shopify.
Main goal here is mostly to find weaknesses in our app only.
First, we'd like to make sure this is OK on your end?
Second, we are planning to test on our internal staging environment and would also like to find a similar solution on your end, can you suggest what can be a similar solution to a staging environment from your side?
_JB
Shopify Staff

Hey @YaelBY,

Shopify has many safeguards in place that protect the platform from requests that have the potential to cause problems or overload the system. For this reason, it's likely that pen testing your app will trigger these safeguards and give unreliable results. However with this in mind, you're free to test as long as you abide by the partner terms of service and API terms of service.

With regards to a staging environment, you can open development stores from your Partner Dashboard, which allow you to install apps and test without using a live shop. This doc contains instructions for creating a development store.

JB | Developer Support @ Shopify 

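Added example (not from the thread, and not Shopify's code): JB's point is that the platform's safeguards, rate limiting in particular, will answer a scanner's burst of requests with throttling responses that a pen-test report can then misread as application behaviour. The Python below does two things a tester wants before trusting results: it triages a scan log so 429 responses are counted separately from the status codes that might be findings, and it compares a scanner that ignores Retry-After with one that honours it and paces itself, against a leaky-bucket stand-in for the API. The log format, the bucket size and the leak rate are all constructed for this example and are not a statement of Shopify's actual limits.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from fractions import Fraction

# Constructed sample log: "METHOD PATH STATUS RETRY_AFTER". This is a
# hypothetical format written for the example; "-" means no Retry-After.
SAMPLE_LOG = """\
GET  /admin/api/products.json  200 -
GET  /admin/api/products.json  200 -
GET  /admin/api/orders.json    429 2
GET  /admin/api/orders.json    429 2
POST /admin/api/products.json  401 -
GET  /admin/api/customers.json 429 1
"""


@dataclass
class Triage:
    total: int = 0
    throttled: int = 0                  # 429s: the platform throttling you, not findings
    by_status: Counter = field(default_factory=Counter)  # every other status code
    max_retry_after: float = 0.0

    @property
    def reliable(self) -> bool:
        """Heuristic (threshold chosen for this example): if more than 10% of
        requests were throttled, the run measured the rate limit, not the app."""
        return self.total > 0 and self.throttled * 10 <= self.total


def triage_scan_log(log: str) -> Triage:
    """Split a scan log into throttled responses and everything else."""
    t = Triage()
    for line in log.splitlines():
        if not line.strip():
            continue
        _method, _path, status, retry_after = line.split()
        t.total += 1
        if status == "429":
            t.throttled += 1
            if retry_after != "-":
                t.max_retry_after = max(t.max_retry_after, float(retry_after))
        else:
            t.by_status[status] += 1
    return t


class LeakyBucketServer:
    """Stand-in for a rate-limited API (constructed for this example). A bucket
    holds `capacity` requests and drains `leak_per_sec` per second; a request
    that would overflow it gets a 429 and a Retry-After of one drain slot.
    The default numbers are illustrative only. Fractions keep the arithmetic exact."""

    def __init__(self, capacity: int = 40, leak_per_sec: int = 2) -> None:
        self.capacity = Fraction(capacity)
        self.leak = Fraction(leak_per_sec)
        self.level = Fraction(0)
        self.clock = Fraction(0)

    def request(self, now: Fraction) -> tuple[int, Fraction | None]:
        self.level = max(Fraction(0), self.level - (now - self.clock) * self.leak)
        self.clock = now
        if self.level + 1 > self.capacity:
            return 429, 1 / self.leak
        self.level += 1
        return 200, None


def run_naive(server: LeakyBucketServer, n: int, gap: Fraction = Fraction(1, 20)):
    """Fire n requests `gap` seconds apart and ignore 429s, which is what a
    scanner on default settings does. Returns (elapsed, throttled, accepted)."""
    now, throttled, accepted = Fraction(0), 0, 0
    for _ in range(n):
        status, _ = server.request(now)
        if status == 429:
            throttled += 1
        else:
            accepted += 1
        now += gap
    return now, throttled, accepted


def run_paced(server: LeakyBucketServer, n: int, gap: Fraction = Fraction(1, 20)):
    """Same n requests, but on a 429 wait out Retry-After, retry, and from then
    on pace requests at that interval so the bucket stops overflowing."""
    now, throttled, accepted = Fraction(0), 0, 0
    while accepted < n:
        status, retry_after = server.request(now)
        if status == 429:
            throttled += 1
            now += retry_after
            gap = max(gap, retry_after)
        else:
            accepted += 1
            now += gap
    return now, throttled, accepted


if __name__ == "__main__":
    t = triage_scan_log(SAMPLE_LOG)
    print(f"{t.throttled}/{t.total} throttled, reliable={t.reliable}, "
          f"other statuses={dict(t.by_status)}, max Retry-After={t.max_retry_after}s")
    for name, runner in (("naive", run_naive), ("paced", run_paced)):
        elapsed, thr, ok = runner(LeakyBucketServer(), 100)
        print(f"{name}: {ok} accepted, {thr} throttled, {float(elapsed):.1f}s elapsed")
```

With the illustrative bucket, the naive run gets roughly half of its 100 requests rejected and those rejections tell you nothing about the app, whereas the paced run sees a single 429, learns the interval from it, and completes every request at the cost of a longer run. The same triage applied to a real scan log is a quick sanity check that the "findings" are not just the platform saying no.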
PeteHarris

Hello support,

I have a similar situation where we want to run pen tests against the website we have on shopify (not live yet). I have looked at the partner agreement but apologies as it is not obvious what obligations are necessary to be met to allow us to pen test but not trigger defences which would mitigate our tests.

Please can you advise how we go about testing?

Thanks in advance,

Pete

PeteHarris

Hi,

Thanks for your response. From what you are saying I believe we can run pen tests against our store (which is currently in development) but we may encounter the defences you have in place to secure the environment. We do not intend any DoS/DDoS, just tests to confirm what information is exposed to a possible attacker and that the website which has been built for us has not got any innate security issues.

I will direct my pen test supplier to carry out tests on our site alone, both the customer facing and admin interface. Do I need to have them use a @wearehackerone.com email account for you to identify them correctly?

Thanks in advance,

Pete
PeteHarris

Hello again,

With no response to this I am taking it we can go ahead.

Kind regards,

Pete