September 11, 2020
The internet offers an abundance of opportunities, which can be positive or negative depending on who’s taking advantage of the opportunity presented. At Bazaarvoice, we aim to provide opportunities for brands and retailers to better connect with their customers and for customers to make more informed purchasing decisions. We take our role in commerce seriously, which is a huge reason why security is of the utmost importance.
This blog post is part of a series on picking a trustworthy ratings and reviews provider. Read more about the importance of authenticity in the selection process here.
We have worked hard since our inception to ensure that we have the best-in-class security in place in order to protect ourselves, our clients, and their consumers from cyber attacks. As part of our trust and privacy blog series, we interviewed Anji Greene, our Director of Security and Privacy. Here’s what she had to say:
Can you talk through Bazaarvoice’s security processes?
“We see security and privacy as an ongoing journey. We are continually striving to improve our software development processes and internal infrastructure controls so that our products and services exceed our customers’ security and privacy expectations.
Bazaarvoice systems and services are hosted in the cloud. We control access to our cloud environments through the use of virtual private cloud (VPC) routing, firewall rules, and role-based access controls. Our privileged users require multi-factor authentication and proxies for direct system access.
During product planning and throughout the software development lifecycle, the security and privacy architecture is reviewed. We use threat modeling to understand the specific security and privacy risks associated with a product or feature. Generally speaking, threat modeling is a brainstorming session between security, privacy, engineering, and the product manager of an application or service. Understanding the threat landscape helps to identify the security controls needed during development and testing.
Our engineers go through security awareness and secure coding training, and we have regular brown bag sessions to help teach engineers best practices such as Infrastructure as Code, patch management, privacy by design, and applying proper network access controls to your services.”
What specific policies does Bazaarvoice have surrounding security, protecting consumer privacy?
“Our team is focused on ensuring that the services we provide for our clients support full transparency to the consumer. If we need to collect personal information, the consumer is made aware and has the ability to opt out. We offer privacy tools that are available for our clients to support privacy requests from their consumers. For example, if a client has 50 requests from consumers to remove personal information from their systems, the client can securely leverage the Bazaarvoice Privacy API to automate those requests and remove the personal information from all of our systems as well.
We’re currently in the process of aligning all of our security and privacy policies and procedures to the ISO 27001 and ISO 27701 framework. The ISO implementation project has given us an opportunity to take a fresh look at existing processes, improve and simplify where needed, and really improve security and privacy awareness throughout the organization. Achieving this certification is a common request from our clients. ISO 27001 is one way that Bazaarvoice can demonstrate to our clients that we are following information security and privacy best practices.”
How do we help our clients if they experience a security breach?
“As a provider, Bazaarvoice collects user-generated content on brands’ and retailers’ websites. In the event that our clients experience a security breach related to these services, there are a couple of scenarios where Bazaarvoice can help.
Our web services (API and Display) are protected by a web application firewall (WAF). A WAF analyzes incoming application requests and blocks attacks from bots or other threats. Since Bazaarvoice services are running on our clients’ websites, that protection is available to our clients on the content that Bazaarvoice displays and collects. Those logs can be made available to clients as well if needed.
Another scenario that comes to mind is a form of Denial-of-Service protection. One pattern we have seen before is an attacker attempting to overflow client submission forms through reviews, comments, or any type of content. Bazaarvoice has various layers of control to thwart these DoS attempts on our submission services, such as fraud detection, rate limiting, and WAF protection. When our controls identify these malicious attacks, it is often necessary to work directly with the client throughout the incident.”
Want to learn more about how we keep our clients and their customers’ best interests in mind? Connect with us here.