Security Aspects for E-Commerce

SSL Everywhere

Using SSL for data transfers is something that should go without saying, and it does for E-Commerce B2B. SSL is enabled by default for the Storefront, keeping your customers safely connected to your e-commerce. Similarly, SSL is enabled by default for the connection between your Dynamics NAV and the Storefront for secure e-commerce data updates and order taking.

However, simply having SSL enabled is not enough to ensure effective, up-to-date security. Our infrastructure team monitors that SSL is properly configured to exclude any SSL vulnerabilities. All the Storefronts are regularly tested to confirm they receive A/A+ ratings from SSL testing suites, e.g. Qualys SSL Labs.

Only the Relevant Data Online

E-Commerce B2B uses data replication technology and mirrors some of your Dynamics NAV data to the web server where your E-Commerce Storefront runs. The replicated data set includes, for example, your Item cards from Dynamics NAV.

With E-Commerce B2B, we only replicate the data that is logically needed for the e-commerce to operate, e.g. product descriptions, prices etc., and do not replicate irrelevant or internal-use data, e.g. product cost or purchase prices. The data set (tables, fields) that is replicated is clearly visible in Dynamics NAV setup, so you can easily audit what data is replicated, and also remove any data from the replicated set if you decide that having that data on the web server would not comply with your security policies.

No Firewall Exceptions for NAV

Your Dynamics NAV database is naturally the most sensitive part of the system. To exclude any means of compromising your NAV data even in the unlikely case when the Storefront server is compromised, E-Commerce B2B does not require or allow any incoming connections to be made to your Dynamics NAV from the internet or even the Storefront web server.

The replication technology is organized so that all connections are outgoing from Dynamics NAV to the Storefront, i.e. Dynamics NAV will push any data updates to the Storefront, and Dynamics NAV will pull any new transactions from the Storefront. By design, the Storefront has no technical means of connecting to Dynamics NAV.

Consequently, you do not need to open any firewall ports or enable any incoming connections to Dynamics NAV, keeping Dynamics NAV highly secured.

Each Storefront is a Dedicated Cloud VPS

Our infrastructure for the Storefronts is not “multi-tenant”. In fact, each of the hosted Storefronts is run on a separate dedicated VPS server, clearly isolated from the other Storefront installations.

This has been an important design and security decision, made both to enable customer-level infrastructure scaling and to protect our customers from unlikely security compromises originating at the Storefronts owned by other customers.

Still, the Storefront servers are managed farm-style to ensure none is left behind on the latest security patches and platform upgrades.

Penetration-Tested

E-Commerce B2B has passed penetration testing according to ISO/IEC 27002, OWASP, PCI, OSSTMM, WASC and similar guidelines to ensure that no security compromise can be achieved through the infrastructure configuration or the application code itself.

The penetration tests cover the essential web application safety requirements, e.g. properly handling known attacks like DoS, XSS, XSRF, SQL injection and similar.

  • Last modified: 11.03.2016 13:36