Some thoughts on e-commerce business security

Posted by millikan at 2020-02-27

Red teaming for business security

Party A's security work (the in-house, defending side) is guarding a city: the assets to protect are inside the walls, but the main battlefield is in front of them. Raising and thickening the walls, setting up checkpoints, digging trenches, inspecting the gates, and layering controls one upon another is the daily routine and duty of security construction. The imagined enemies of e-commerce business security are the wool party (coupon and promotion abusers) and order brushers. They do keep watching for cracks in the wall, but attacking the wall costs too much. The large losses from promotions that get harvested are mostly caused by mistakes on the defending side or by errors in how a promotion is configured, which amounts to the city gate being left open or the guard being incompetent. Running business-security attack and defense with a red-team mindset essentially tests the hardness of the wall, while the real attacker probes the gate and the guard; the two battlefields are staggered. Finding problems at the gate and with the guard from the inside is best done through patrols or systematic inspection; doing it through a business-security red-team model is extremely poor value for the cost. (2019.11.8)

Looking back, the red-team model can only serve as a small part of business security. Systematic construction can instead borrow from the emergency-response architecture and follow the before/during/after model:

E-commerce business security, too, can raise its security level through systematic construction. (2020.01.21)

Differences between the security and business perspectives

There are 1,000 units of a product with popularity grade D, cost price 2000 and selling price 2600. A stock-clearance promotion issues a coupon of 650 off 2600, valid only for new users. The result: the coupons were swept up by crowdsourced accounts.

From the security perspective: the orders are placed by crowdsourced accounts, so the value of each "new user" is 0. The cost of goods is 2000 and the actual payment after the coupon is 1950, so the approximate loss on the promotion is (2000 - 1950) * 1000 = 50000, plus warehouse storage and express-delivery costs. The loss on this promotion is 5W+ (over 50,000).

(2000 - 1950) * 1000 = 50000

From the business perspective: for an unsalable product of popularity grade D, the pricing formula allows the price to float between 0.97 and 1.1 of cost; this is an end-of-stock clearance order; storage costs 1 yuan per unit per month; and acquiring a new user costs 30 yuan per person. The approximate income of the promotion is (1950 - 2000 * 0.97 + 30 + 1) * 1000 = 41000, with the gain in new users, active users and GMV at 4W. The income of this promotion is 4W+ (over 40,000).

(1950 - 2000 * 0.97 + 30 + 1) * 1000 = 41000

There is a gap between security and business, and it is determined by the nature of each department. It is very hard for security to understand the business or the mechanics of a promotion; security only needs to care about the "security" of the business, not business security itself, and the business only needs a backstop (the ability to "cover the bottom").
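To make the two calculations above comparable, here is an added example (my own code, not from the original post) that models the same promotion as parameters, computes both perspectives, breaks down where the 91,000 difference comes from, and generalises to a blend in which only some fraction of coupon orders are genuine new users. Field and function names are my own; the numbers are the post's.

```python
from dataclasses import dataclass


@dataclass
class Campaign:
    """Promotion parameters; field names are assumed, values are the post's."""
    units: int = 1000              # units to clear
    cost: float = 2000.0           # cost price per unit
    list_price: float = 2600.0     # listed selling price
    coupon: float = 650.0          # 650 off 2600, new users only
    price_floor: float = 0.97      # lowest allowed price, as a fraction of cost
    new_user_value: float = 30.0   # acquisition cost the business assigns per new user
    storage_per_unit: float = 1.0  # monthly warehouse cost avoided per unit cleared

    @property
    def paid(self) -> float:
        """Amount actually paid after the coupon: 2600 - 650 = 1950."""
        return self.list_price - self.coupon


def security_view(c: Campaign) -> float:
    """Security's loss: every order is a crowdsourced account worth 0 and the
    reference price is full cost, so each unit simply sells below cost."""
    return (c.cost - c.paid) * c.units


def business_view(c: Campaign) -> float:
    """Business's income: clearance is measured against the pricing floor, and
    every order is assumed to bring a new user plus avoided storage."""
    return (c.paid - c.cost * c.price_floor + c.new_user_value + c.storage_per_unit) * c.units


def gap_breakdown(c: Campaign) -> dict:
    """Why business income (41000) and security's net (-50000) differ by 91000,
    split into the three assumptions the two departments disagree on."""
    return {
        "price_reference": c.cost * (1 - c.price_floor) * c.units,  # cost vs 0.97 * cost
        "new_user_value": c.new_user_value * c.units,               # 30 vs 0 per "new user"
        "storage": c.storage_per_unit * c.units,                    # avoided storage, counted or not
    }


def blended_view(c: Campaign, genuine_fraction: float) -> float:
    """Generalisation: only `genuine_fraction` of orders are real new users; the
    rest are crowdsourced accounts with user value 0. Business rules otherwise unchanged,
    so even at 0 genuine users the pricing floor alone still shows a positive income."""
    per_unit = c.paid - c.cost * c.price_floor + c.storage_per_unit
    per_unit += c.new_user_value * genuine_fraction
    return per_unit * c.units
```

With the post's numbers, `blended_view(Campaign(), 0.0)` is still 11,000, which shows that most of the gap lies in the reference price (cost versus 0.97 of cost), not only in how new users are valued.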

Tactics and tactics

Can we re-examine business and security work in the red-team way: enabling the business from the security perspective, and supplementing security from the business perspective?