Integrity Requirements
The Integrity requirements define the anti-malware and identity verification requirements, and how the system ensures that the data it holds stays consistent.
Definitions
Goals
- To prevent unauthorised access to the system.
- To protect the system, store owners, and customers from malware.
- To protect the privacy and integrity of data entered into the system.
- To verify the identity of the entity performing an action before allowing the action to proceed.
Exclusions
- HTML entered by the store owner for page content is assumed to be safe.
Requirements
- The system shall require a valid login session belonging to a store owner before any administrative action is performed.
- The system shall automatically expire a store owner login session seven days after it was created, to limit the window in which a stolen or leaked session token can be reused.
- The system shall allow a store owner to sign out of a login session at any time, upon which no further administrative action can take place until the store owner signs in again.
- The system shall allow a store owner to manage all of their authentication tokens and external device sign-ins from a centralised page, including revoking any of them.
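The following is an added example of how the four session requirements above fit together; it is not code from the project. It keeps a server-side session store keyed by a hash of the bearer token (so a leaked copy of the store cannot be replayed), enforces the seven-day lifetime, supports sign-out, and provides the per-owner listing and revocation behind a centralised management page. The in-memory store, the injected clock and all names are assumptions made for the example.

```python
"""Store-owner sessions: creation, seven-day expiry, sign-out and central
management of every active session for an account.

Added example for the session requirements; not project code. The
in-memory store, the clock injection and the names are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SESSION_LIFETIME = 7 * 24 * 60 * 60  # seven days, in seconds


@dataclass
class Session:
    token_hash: str   # only a hash of the bearer token is stored server-side
    owner: str
    created_at: float
    device: str       # e.g. user agent, or "external: <provider>"
    revoked: bool = False


class SessionStore:
    """Server-side session store keyed by SHA-256 of the bearer token.

    The client presents the raw token; the store never holds it, so a
    database leak does not hand out usable sessions."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def sign_in(self, owner: str, device: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        h = self._hash(token)
        self._sessions[h] = Session(h, owner, self._clock(), device)
        return token

    def owner_for(self, token: str) -> Optional[str]:
        """Return the owner if the session is live, otherwise None."""
        s = self._sessions.get(self._hash(token))
        if s is None or s.revoked:
            return None
        if self._clock() - s.created_at >= SESSION_LIFETIME:
            s.revoked = True  # seven-day expiry, enforced on use
            return None
        return s.owner

    def sign_out(self, token: str) -> None:
        s = self._sessions.get(self._hash(token))
        if s is not None:
            s.revoked = True

    def active_sessions(self, owner: str) -> List[Session]:
        """Data for the centralised management page: every live session."""
        now = self._clock()
        return [s for s in self._sessions.values()
                if s.owner == owner and not s.revoked
                and now - s.created_at < SESSION_LIFETIME]

    def revoke_all_except(self, owner: str, keep_token: str) -> int:
        """Sign out every other device; returns how many were revoked."""
        keep = self._hash(keep_token)
        count = 0
        for h, s in self._sessions.items():
            if s.owner == owner and h != keep and not s.revoked:
                s.revoked = True
                count += 1
        return count


def require_owner(store: SessionStore, token: str) -> str:
    """Gate for administrative actions: raises unless the session is valid."""
    owner = store.owner_for(token)
    if owner is None:
        raise PermissionError("administrative action requires a valid store owner session")
    return owner
```

Expiry is measured from creation rather than last use, which is the reading of the requirement that gives a hard upper bound on token lifetime; a sliding window would let an attacker keep a stolen token alive indefinitely by using it.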
- The system shall scan all files uploaded by the store owner for malware.
- If the system detects malware, the system shall perform the following actions:
  - The system shall remove the file containing malware from storage.
  - The system shall notify the store owner that the file contained malware and that it could not be uploaded.
  - The system shall write a log message with all of the following information:
    - The remote IP of the computer where the upload originated.
    - The logged in store owner account that attempted the upload.
    - All request headers of the request containing the malware.
  - The system shall put the store into maintenance mode until an administrator with WTI can review the store and the account.
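An added example of the upload path that the malware requirements above describe; it is not code from the project. Files land in a staging area, are scanned before they become reachable, and a detection triggers all four required actions: removal, owner notification, a log record carrying the remote IP, account and every request header, and maintenance mode. The scanner shown only recognises the standard EICAR test signature and stands in for a real engine; the staging area, notice list, log list and maintenance flag are assumptions for the example.

```python
"""Handling of a store-owner upload that the malware scan flags.

Added example, not project code. The scanner matches only the EICAR test
signature as a stand-in for a real engine; the Store fields are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Standard anti-virus test string: every engine flags it, and it is harmless.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_for_malware(data: bytes) -> Optional[str]:
    """Return a detection name, or None if the content looks clean."""
    if EICAR in data:
        return "EICAR-Test-File"
    return None


@dataclass
class UploadRequest:
    remote_ip: str
    owner: str          # the logged-in store owner account
    headers: Dict[str, str]
    filename: str
    body: bytes


@dataclass
class Store:
    staging: Dict[str, bytes] = field(default_factory=dict)  # not yet served
    storage: Dict[str, bytes] = field(default_factory=dict)  # published files
    notices: List[str] = field(default_factory=list)         # messages to owner
    log: List[dict] = field(default_factory=list)            # structured records
    maintenance_mode: bool = False


def handle_upload(store: Store, req: UploadRequest) -> bool:
    """Stage, scan and publish an upload; returns True if it was published."""
    # Stage first so the file is never reachable until the scan has passed.
    store.staging[req.filename] = req.body
    detection = scan_for_malware(req.body)
    if detection is None:
        store.storage[req.filename] = store.staging.pop(req.filename)
        return True

    # Requirement: remove the file containing malware from storage.
    store.staging.pop(req.filename, None)
    # Requirement: tell the store owner the file was rejected.
    store.notices.append(
        f"{req.filename} contained malware ({detection}) and could not be uploaded")
    # Requirement: log the remote IP, the account, and ALL request headers.
    store.log.append({
        "event": "malware_upload_rejected",
        "remote_ip": req.remote_ip,
        "owner": req.owner,
        "filename": req.filename,
        "detection": detection,
        "headers": dict(req.headers),  # a full copy, not a chosen subset
    })
    # Requirement: maintenance mode until a WTI administrator has reviewed.
    store.maintenance_mode = True
    return False
```

Keeping the scan in front of publication matters: a scan-after-publish design leaves a window in which the file is served to customers.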
- The system shall allow a customer to sign up for an account to track their order history and optionally receive offers via email.
  - The system shall send a confirmation email to the address provided, to ensure the customer controls that address.
  - The system shall treat the email address as already confirmed when the customer authenticates using an external service, provided that service asserts it has verified the address; otherwise the confirmation email shall still be sent.
  - If the system identifies previous orders under the same email address, the system shall associate them with the account only after the email address has been confirmed.
- Upon a request from a customer or store owner to delete customer PII, the system shall:
  - Replace the PII with placeholder data from which the original data cannot be recovered (for example random values, not hashes of the original).
  - Disable the account so that no further logins are possible.
  - Keep the account row in the database, rather than removing it, to preserve referential integrity.
- The system shall not allow items that have been previously purchased to be removed. The system shall instead offer to hide them.
- The system shall not allow collections that contain items to be removed. The system shall instead offer to hide them.
- The system shall not allow shipping services that are associated with an order to be removed. The system shall instead offer to hide them.
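An added example covering both the PII deletion requirement and the three hide-instead-of-remove requirements above; it is not code from the project. It uses an in-memory SQLite database with foreign keys enabled, so the same constraint that forbids deleting a referenced customer or item is what the requirements are protecting. The schema (customers, items, orders) and the placeholder format are assumptions for the example.

```python
"""PII erasure and hide-instead-of-remove with referential integrity kept.

Added example, not project code. The three-table schema and the
placeholder format are assumptions."""
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    name TEXT NOT NULL,
    password_hash TEXT,
    disabled INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE items (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    hidden INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    item_id INTEGER NOT NULL REFERENCES items(id)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    return conn


def remove_or_hide_item(conn: sqlite3.Connection, item_id: int) -> str:
    """Remove an item that was never purchased; otherwise hide it instead.

    Returns "removed" or "hidden". The same pattern applies to collections
    that contain items and to shipping services attached to orders."""
    purchased = conn.execute(
        "SELECT 1 FROM orders WHERE item_id = ? LIMIT 1", (item_id,)).fetchone()
    if purchased:
        conn.execute("UPDATE items SET hidden = 1 WHERE id = ?", (item_id,))
        return "hidden"
    conn.execute("DELETE FROM items WHERE id = ?", (item_id,))
    return "removed"


def erase_customer_pii(conn: sqlite3.Connection, customer_id: int) -> None:
    """Replace PII with placeholders and disable the account; keep the row.

    The placeholder is random rather than a hash of the old value: a hash
    of an email address can be reversed by guessing, which the requirement
    forbids. '.invalid' is a reserved TLD, so the address can never route."""
    tag = secrets.token_hex(8)
    conn.execute(
        """UPDATE customers
           SET email = ?, name = ?, password_hash = NULL, disabled = 1
           WHERE id = ?""",
        (f"deleted-{tag}@invalid", "Deleted customer", customer_id))


def can_sign_in(conn: sqlite3.Connection, email: str) -> bool:
    """Login gate: a disabled account or one without a credential is refused."""
    row = conn.execute(
        "SELECT disabled, password_hash FROM customers WHERE email = ?",
        (email,)).fetchone()
    return row is not None and row[0] == 0 and row[1] is not None


def try_hard_delete_customer(conn: sqlite3.Connection, customer_id: int) -> bool:
    """Show why the row must stay: the FK from orders rejects a real DELETE."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False
```

Note that `PRAGMA foreign_keys` is per connection and must be set before any transaction is open; a production deployment on PostgreSQL or MySQL gets the constraint behaviour by default.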
- All data stored by the system in any database system shall be stored in a manner that prevents access to the data by unauthorised parties. This shall include, but is not limited to:
  - The data shall be encrypted at rest, with integrity protection, to prevent unauthorised access and undetected tampering.
  - The data shall be encrypted at all points in transit, including between the system's own components.
  - The data shall be stored in a volume that is inaccessible to any other container-based workloads on the system.
  - The data shall be backed up no less often than once per week, and the contents of the backup shall be encrypted in a manner that allows only authorised WTI administrators to read and restore it.
- All pages that contain store owner-controlled HTML stanzas shall be scanned no less often than once per week for malicious links, code, iframes, images, and other data that may cause harm to a visitor or to another storefront.
  - If malicious data is found, the store shall immediately be placed in maintenance mode until an administrator with WTI can review the store and the account.
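An added example of a scanner for the weekly check described above; it is not code from the project. It walks a stanza with the standard library HTML parser and reports script, iframe, object and embed elements, inline event handlers, `javascript:`/`data:`/`vbscript:` URLs, and resources or links pointing at hosts outside an allow list. The allow list and the sample stanza are assumptions for the example; a storefront would substitute its own hosts.

```python
"""Scanner for store owner-controlled HTML stanzas.

Added example, not project code. ALLOWED_HOSTS is an assumed allow list."""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "cdn.example"}   # assumed storefront hosts
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "poster"}
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}


class StanzaScanner(HTMLParser):
    """Collects findings as it parses; the parser unescapes attribute
    entities, so '&#106;avascript:' is seen as 'javascript:'."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                # onclick, onerror, onload, ...: inline script by another name
                self.findings.append(f"inline event handler {name} on <{tag}>")
            elif name in URL_ATTRS:
                parsed = urlparse(value)   # scheme is lower-cased by urlparse
                if parsed.scheme in DANGEROUS_SCHEMES:
                    self.findings.append(f"{parsed.scheme}: URL in {name} on <{tag}>")
                elif parsed.hostname and parsed.hostname not in ALLOWED_HOSTS:
                    # Covers absolute and scheme-relative (//host/...) references
                    self.findings.append(
                        f"external {name} to {parsed.hostname} on <{tag}>")

    handle_startendtag = handle_starttag   # <img ... /> and similar


def scan_stanza(html: str) -> List[str]:
    """Return the list of findings for one stanza; empty means nothing flagged."""
    scanner = StanzaScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

A non-empty result is the trigger for the maintenance-mode action; external links are reported rather than blocked outright because the reviewer, not the scanner, decides whether an off-site link is legitimate.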
- All changes made to the store data shall be logged to an Audit Log with at least the following properties:
  - The logged in store owner account that made the change.
  - The remote IP of the computer that initiated the change.
  - The properties that were changed, including old and new values.
- The Audit Log shall be stored in a manner that prevents it from being modified, deleted, or read by a store owner or customer. The Audit Log shall be readable only by authorised administrators with WTI.
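An added example of a tamper-evident Audit Log record format meeting the two requirements above; it is not code from the project. Each record carries the account, remote IP and old/new values, and is chained to the previous record by an HMAC over the record body and the previous tag, so an edited, removed or reordered record fails verification. The key location (held by the logging service and WTI administration, never the store owner), the in-memory list standing in for an append-only sink, and the field names are assumptions for the example.

```python
"""Hash-chained, HMAC-tagged audit log records.

Added example, not project code. Key custody and the list used as the
append-only sink are assumptions."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # previous-tag value for the very first record


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so the tag is reproducible on verify."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: List[dict], key: bytes, owner: str, remote_ip: str,
                  entity: str, changes: Dict[str, Tuple[object, object]]) -> dict:
    """Append one change record; `changes` maps property -> (old, new)."""
    prev = log[-1]["tag"] if log else GENESIS
    record = {
        "seq": len(log),
        "owner": owner,            # logged-in store owner account
        "remote_ip": remote_ip,    # origin of the change
        "entity": entity,          # e.g. "item:7"
        "changes": {k: {"old": old, "new": new} for k, (old, new) in changes.items()},
        "prev": prev,              # chains this record to its predecessor
    }
    record["tag"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    log.append(record)
    return record


def verify_log(log: List[dict], key: bytes) -> Optional[int]:
    """Return the index of the first bad record, or None if the chain holds."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i   # removed, reordered or inserted record
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(record.get("tag", ""))):
            return i   # contents edited, or tagged with a different key
        prev = record["tag"]
    return None
```

The chain cannot detect removal of the newest records on its own; the latest tag should be periodically recorded somewhere the store process cannot write (for example with the weekly backup), so truncation is caught by comparing against it. Read access is an authorisation concern outside this snippet: the records must live in a store the storefront can append to but not read.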