Overview of security in Adobe Commerce
In June’s installment of the APAC Commerce Webinar Series, we will welcome Smita Verma, Senior Product Manager, Adobe Digital Experience, to share an overview of security in Adobe Commerce.
While security is tied to numerous technical and business factors, learn specifically how Adobe Commerce can help you achieve best-in-class security for your commerce implementation. Learn about the security best practices, new features and functionalities that will make your environments more secure and protect your customers more confidently.
Transcript
Hi, everyone. Good morning, good afternoon, good evening, depending on where you are. Welcome to the session on an overview of security in Adobe Commerce. I’m your host for today. My name is Smita Verma. I’m a senior product manager within Adobe Commerce. I’m really excited to participate in this webinar today. I want to start off by introducing myself. I am a senior product manager responsible for Adobe Commerce core security and compliance, which basically means that my team works on adding security features and functionalities, addressing security vulnerabilities, and compliance needs such as PCI, HIPAA, etc. I have ten-plus years of experience in application and data security and seven-plus years of experience in product management. Previous to entering the world of product management, I did software development, so I spent six years there working in the security, legal and banking sectors. I’m based in Austin, Texas. So with that, let’s get started with our topic for today, which is a security overview for Adobe Commerce. We will discuss the security challenges that e-commerce platforms face due to increasing cyber threats and consumer data protection regulations. Then we’ll talk about how Adobe can help in addressing some of these challenges. We will cover security best practices, and then we’ll conclude by talking about upgrades and the recommendation of when to upgrade from a security perspective. So with that, let’s jump into our topic for today, which is commerce security. Just to start off with a little bit of an overview of the e-commerce threat landscape: as you’re attending this webinar, you already recognize the need for a solid security posture in your e-commerce. So we need to understand that e-commerce is the most attacked industry right now.
And the main goal of most attackers on e-commerce systems is to scrape as much credit card data as possible from the site and sell it online. If you look at the statistics behind selling credit card information on the dark web, you’ll find that the price of a card obtained online is higher than the price of physical cards that get stolen at gas stations. If you look at some of the largest credit card skimming attacks that have happened over the last few years, we have Ticketmaster, AT&T; recently the Chinese e-commerce giant Pandabuy got hit by a cyber attack; Macy’s. These are some of the large retailers that have encountered a data breach. None of these are actually Adobe Commerce stores, but they all have one thing in common: they are all large e-commerce vendors, and attackers are targeting large retailers. With large vendors everything scales, and that includes the threats and the quantity of attacks. Cybercriminals are also employing more sophisticated techniques such as ransomware, phishing and malware attacks, especially targeting e-commerce platforms. These attacks aim to steal customer data and financial information and basically disrupt business operations. Retailers are experiencing about 260,000 monthly web attacks. One of the common attack vectors we have seen is account takeover. This is a significant threat to e-commerce businesses, where cybercriminals target customer accounts to exploit sensitive information and conduct fraudulent activities. It accounts for about 29.8% of all attacks on e-commerce sites.
So basically what the attackers are doing here is acquiring login credentials through data breaches or phishing schemes, and then using automated tools to test these credentials across multiple e-commerce sites, resulting in financial losses because of fraudulent transactions, refunds and chargebacks. Keeping all these things in mind, how can Adobe Commerce help? Let’s talk about some of the things we are doing at Adobe Commerce to make sure that our merchants’ web stores stay secure. Securing commerce sites and merchant operations is absolutely mission critical for Adobe Commerce. We have an increased focus on security, and we are taking a three-pronged approach to providing a more secure Adobe Commerce application and platform. First, we are integrating with Adobe’s robust security organization and tooling. Adobe runs a rigorous set of several hundred security-specific activities, spanning software development practices, processes and tools, and the Adobe Secure Product Lifecycle defines clear, repeatable processes that help a development team build security into the product and continuously evolve based on the changes that are happening in the industry. We have also increased our capacity for delivering reactive fixes and proactive enhancements as part of our Adobe Commerce application code. We are also securing the infrastructure with Adobe Commerce on cloud. For cloud customers, we directly own the security of the underlying infrastructure, and we can take additional steps there which we basically can’t do for an on-prem customer. Our cloud offering provides built-in features such as data encryption, secure payment processing and regular security updates. So basically this helps our customers.
It helps the customer protect their data and business operations from cyber threats. Over a period of time, we’ve also integrated with Adobe best practices, so we have started following certain practices that are applicable across Adobe. First, we are leveraging Adobe’s team of security researchers. That has basically helped us to identify architectural improvements. We go through deep security analysis with the larger security team to figure out where the security gaps exist in the application, and we mitigate or address those through security fixes. We work towards the Adobe open source Common Controls Framework, which is basically a superset of the controls found in PCI, SOC, ISO 27001, HIPAA, etc., and which helps to comply with all of these regulatory and audit compliance standards. We have also started assigning CVEs to all the vulnerabilities that are discovered, which helps to ensure that there is transparency, and ultimately it gets published into the National Vulnerability Database. We run a bug bounty through HackerOne, where ethical hackers get paid for finding bugs within the Adobe Commerce application, so we utilize that as well. Then we also have higher SLAs for low-severity issues. Now let’s talk about some of the proactive enhancements that we have added into the product to strengthen the security posture of the application. What you see on the screen is a brief list of security features that we have added, which demonstrates our commitment to strengthening the security posture of the Commerce application. First, two-factor authentication. We have enabled two-factor authentication by default on the admin panel login, basically to enhance login security and prevent unauthorized access. We added API rate limiting.
API rate limiting protects against denial-of-service attacks by limiting the number of API requests per user or per IP address. We also added Content Security Policy. This helps in the detection and mitigation of cross-site scripting and related data injection attacks by defining approved content sources. We also worked on a Composer plugin which basically prevents dependency confusion attacks by securely managing package dependencies during installation. We have out-of-the-box reCAPTCHA integration, implemented both on the storefront and the admin UI, which defends against bot attacks and ensures that there is legitimate user interaction. We have path traversal mitigations as well: we have hardened file system operations across components to prevent unauthorized access and path traversal vulnerabilities. We have data sanitization and input validation, basically protecting against, for example, remote code execution and injections, by validating and sanitizing inputs. We have a number of cross-site scripting and CSRF prevention techniques added into the product to make sure that we have additional controls to mitigate these application vulnerabilities. These are some of the proactive security enhancements that we have added into Adobe Commerce, which actually contribute towards having a robust security posture, safeguarding against a range of cyber threats and ensuring the integrity and reliability of our e-commerce operations. I’m going to switch gears a little bit and talk about a tool that we have available for all Adobe Commerce customers, which has threat detection.
While, as you saw on the previous slide, we are working very hard to prevent security threats from ever happening on a merchant’s web store, we are also improving threat detection. Some time back, Adobe Commerce partnered with Sanguine Security to incorporate its threat signatures into the Security Scan tool. This enhanced security scan was now able to proactively and efficiently detect malware on customers’ web stores, including PWA stores, and notify customers if there are any security issues, risks or malware on their web store. In addition to this, the Security Scan tool also has custom scans and tests for insecure coding practices. We also investigate and alert cloud customers about potential critical issues like missing hotfixes. All of this is possible through our Security Scan tool. The Security Scan tool has also been very effective in the past in notifying customers of malware on their sites. Out of the many customers who have benefited from the scan tool notifications, there are some prominent ones. One of them, a fashion merchant, had malware on their site and was notified by the scan tool; a few days later, when the site was reinfected, the scan tool scanned again and re-notified them, and the merchant was able to take the necessary action to remove the malware from the site. As we continue to improve the scan tool, our goal is to ensure that our customers are able to stay informed and take the necessary actions in time for any security issues that affect their web stores. Now let’s talk about some of the security best practices that we recommend our merchants follow for their web stores. I spoke about two-factor authentication a while back,
but I also want to talk about it again, because this is one of the built-in controls that we have in the product to make sure that we can avoid attacks like brute-force attacks, which are basically possible if you don’t have an extra layer of authentication built in. As you know, 2FA prevents brute-force attacks as well as unauthorized access. Commerce two-factor authentication improves security by adding a two-step authentication to access the admin UI from all devices, and we support a number of authenticators like Google Authenticator, Duo and U2F keys. The next piece is setting up a non-default admin URL. This is as simple as making sure that you’re changing the admin URL from its default value to something which is not easily guessable by attackers using automated password guessing. By default, Adobe Commerce does create a random admin URI when you install the product, but we are going to talk a little bit more about this in the next slides as well, about how you can make sure that you’re actually securing the admin panel. The next piece is installing the latest application updates and security patches. It’s very important that you keep your code updated by upgrading your commerce projects to the latest releases of Adobe Commerce and the Commerce Services extensions, including the security patches and hotfixes or any other patches provided by Adobe. We have to make sure that you’re actually adopting those patches and hotfixes to resolve critical vulnerabilities on your web stores. We’ll talk a little bit more about this in depth as we move forward as well. The next one is lock-config and lock-env for environment variables.
We recommend that you use configuration management to lock critical configuration values. The lock-config and lock-env commands configure environment variables such that they are prevented from being changed or updated from the admin. I spoke about this, but I really want to reiterate that we highly recommend our merchants use the Security Scan tool to monitor their e-commerce sites for known security risks and malware. You can also sign up to receive patch updates, security notifications, etc. Now let’s talk about securing the admin panel, because it’s really important for us to make sure our admin panel is secured, as we have seen that the majority of the attacks start from the admin panel. The first thing to do is to make sure that you’re changing the default admin URL to protect against automated attacks. Basically, instead of using the default admin or a common term such as backend, you change this configuration to reduce the exposure to scripts that would try to gain unauthorized access to your site. The next piece is enabling 2FA. Again, 2FA is an extra layer of protection; it provides two-step authentication, so it is very helpful in preventing brute-force attacks as well as unauthorized access to the admin panel. Enabling reCAPTCHA would actually help protect again from brute-force attacks, bot attacks, etc. And then updating the admin account security, to protect against admin account compromise, which can lead to high-risk activities and increase the likelihood of introducing malicious code that would take advantage of unpatched vulnerabilities.
I highly recommend configuring the advanced security settings, basically adding a secret key to your URLs, requiring passwords to be case-sensitive, and then limiting the admin session length, the password lifetime intervals and the number of login attempts that are allowed before you lock the admin user account, for increased security. You can also configure the length of keyboard inactivity before the current session expires, and require the username and password to be case-sensitive. These are some of the things that you can do in order to make sure that you are securing your admin panel. And then again, we also recommend that you follow the principle of least privilege when you’re assigning admin permissions to roles and roles to admin user accounts. With that, I do want to talk about what to do when you find a vulnerability within the Adobe Commerce application. Our recommendation is that you report it to our bug bounty program, which is the HackerOne program. As you report these vulnerabilities, if you are able to prove with a proof of concept that this is a valid vulnerability that can be reproduced on an Adobe Commerce instance, then you do get paid as well. You can also open a customer support case, or you could even sometimes reach out to us on the community Slack, so you can ask the Adobe team about the vulnerability. What we discourage our customers from doing is reporting a vulnerability on GitHub or posting about it on social media, or asking on the community Slack channels whether this is a non-issue, ignoring it, selling it on the dark web, or using it for hacking other merchants. We definitely discourage that. We don’t want our customers to do any of that; we want them to report it to HackerOne.
You can also open a customer support case as well for that. With that, I want to conclude the section by sharing the top three recommendations, or actions, that should be taken by merchants to secure their site. First and most important: keeping the code up to date by installing patches from Adobe. We have seen that most exploits tend to target installations which are not up to date with the latest security patches, so we highly recommend that merchants adopt either our full patch or our security-only patch to stay up to date. Second, set up and run the Adobe Commerce Security Scan service. It’s a free tool, available for both on-prem and cloud customers, to monitor web stores. This tool basically runs thousands of security tests to identify potential malware, so it’s a great tool to keep in your back pocket. And then, adhering to the security best practices. There are some security best practices that I covered in the previous slides, but there are many more; if you go to our white paper, which is on Experience League, you can find them. And then, if there is malware and code injection, our recommendation is that you engage with system integrators to start the investigation and remediation effort, and you can always reach out to us and email your questions to security@magento.com. With that, I want to talk about upgrades and upgrade best practices.
I want to share some statistics, because this is very important from a security perspective: 80% of hacked stores are due either to using an old core version or to compromised admin credentials, where, after compromising the admin credentials, the hacker is actually utilizing an unpatched vulnerability which is in a previous version. At Adobe Commerce, our objective for our release strategy is to reduce the total cost of ownership for our merchants by minimizing the frequency and complexity of core commerce application releases, making upgrades more predictable and easier to adopt. Keeping this goal in mind, here is the Adobe Commerce release cadence, the number of releases that we have in a year. We have one full core code patch release for the 2.4.x release line every year in April. These releases have an expanded three-year support window. We have five security patch releases in the year: February, April, June, August and October. And then we also have two beta releases for the upcoming full patch release every year. The beta versions are released in October, which is when you have your beta one, and February would be beta two. The basic principle behind our release strategy is that the one full patch release that we have once a year is focused on security, performance improvements, GraphQL coverage and high-severity bug fixes. Any new feature and functionality that we release is released as independent SaaS services, so they are outside of the core commerce application, and through that we’re basically providing new ways to integrate, customize and deploy new features without actually making changes to the core code.
And then security-only patches are intended to be lightweight updates to help customers ensure that they are running a secure and compliant application with minimal impact to their business and budgets. This is the release cadence. Like I mentioned in the previous slide, we have five major release windows, and we have different kinds of releases during each of these. The first one is in February, where we have a new feature release. This is basically a combination of updates to SaaS services, infrastructure and extensibility, outside of the core commerce code. These are all changes that are happening on the SaaS services, so there’s no code update required for that. Then there is the security-only patch release, which is basically just security fixes, and it is done for all the supported release lines. And then we also have, in February, a beta release for the upcoming full patch release in April. In April we again have the feature release, we have the full core patch release, the only one in the whole year, and then we have the security patch release as well. In June, again we have a new feature release and a security patch; the same in August; and in October we have the new features, which are updates to the SaaS services, the security-only release, and then a second beta for the upcoming full patch release. Let me talk a little bit about our software support and lifecycle policy. Starting from 2.4.4, every Adobe Commerce version is supported for three years. As you can see in the table, the end-of-support date is the release date plus three years. What that means is, if you take the example of 2.4.4, which was released on April 12, 2022, it is supported for three years, so the end of support for 2.4.4 would be April 12, 2025, and a full patch release gets released only once every year, which is in April.
That’s why, starting from 2.4.6, you see that you have 2.4.6 in 2023, the only release that year, then 2.4.7 in 2024 and 2.4.8 in 2025. Security-only patches are provided for all the supported versions until their PHP end-of-life date. After the PHP end-of-life date, security hotfixes would be provided instead. Adobe also provides compatibility with third-party services and software dependencies while the customer is on the three-year support period, for Adobe Commerce’s in-scope dependencies, in the security-only patch releases, but only when it is possible to do so without introducing any backward-incompatible changes. In the second and third year of security-only patch support, compatibility with the latest secure version of platform dependencies such as PHP, Elasticsearch or MariaDB is not guaranteed. To be PCI compliant, a customer is always required to stay on the latest patch release version, with the latest platform updates, and apply the latest security patches. I do want to talk a little bit about third-party dependencies as well. Adobe does not provide security and quality fixes for third-party services and software dependencies such as PHP and MySQL that may reach end of life while the customer is on the three-year support period for Adobe Commerce. This simply means that even though our support period is three years from the release date, if there is a third-party dependency which is going to reach end of life in between that period, we will not be providing security and quality fixes for that third-party service. The main reason behind this is backward-incompatible changes: we don’t want to introduce any backward-incompatible changes in our security-only patches.
Basically, if one of these third-party dependencies is going end of life, there’s no way for us to add support for that other than adding it in the next full patch release. So our recommendation at that point would be for merchants to upgrade to the next full patch release. All of this information can be found in our system requirements document on Experience League. What you see on the screen are snapshots I have captured of our system requirements, which are on Experience League. You can go there, check the version you’re on, and you would see the various third-party dependencies and the versions that are supported for that particular version. These are the versions that we have tested against that Adobe Commerce version, so you can be sure that the versions of these third-party dependencies that we have mentioned there would work perfectly fine with that Adobe Commerce release version. I also want to talk a little bit about security-only patches, since we touched on them in the previous slides. Security-only patches are only allowed to contain vulnerability fixes, any hotfixes that were released since the last version, some compliance items and, in various cases, feature-like fixes for vulnerabilities. That is the only scope for security-only patches. When we created security-only patches, it was with the intention that they be lightweight and easier to adopt for a merchant. That’s why we don’t add any backward-incompatible changes, except when it becomes inherently a part of a fix for a security vulnerability.
We don’t add any non-hotfix important bug fixes, library updates, new features, quality fixes or performance fixes, because the intention behind having security-only patches is to just provide bug fixes for any security vulnerabilities that are encountered on an Adobe Commerce version. With that in mind, we are not including anything additional other than the security fixes in the security-only patches. Now a little bit about the various Adobe Commerce upgrade strategies. When we talk about upgrading Adobe Commerce and your strategy to stay up to date with all the updates, you have a couple of options. Option A is that you can always stay on the latest patch release version and get performance updates and security fixes. This basically means adopting the full patch version that we release once every year. Your next option is to stay on your current version and keep applying the latest security-only patch. Like I said in the previous slide, any version is supported for three years from the date of its release, so you will continue to receive security patch support for that version. You can basically continue on your current version and keep applying the security-only patches, just to make sure that you are fixing any security vulnerabilities that have been encountered on that version. And then option C is that you can become an early adopter: you can try out the betas, which we release twice a year, and you get an opportunity to try the latest features before they get released, by upgrading to the latest beta version patches. I also want to talk about upgrades from a security perspective. When you’re not upgrading, you basically are at risk of unpatched vulnerabilities.
This data basically summarizes the number of unpatched vulnerabilities you would have if you are on a particular version. To start off with, for example, if you are on 2.4.2 and you have not upgraded your Adobe Commerce instances, then you would have about 88 unpatched vulnerabilities. It is not possible to stay PCI compliant without adopting some of the security patches or fixing the security vulnerabilities. At the same time, it’s not supported either. The same goes for 2.4.3: you would have 55 unpatched vulnerabilities, you’re not PCI compliant and you are not supported. From 2.4.4, as you must have seen in the previous slides, since we have a three-year window, we have support until 2025 for 2.4.4, so it is still supported. But like I said, there are dependencies on third-party systems which, if they go end of life in that three-year period, we do not release a fix for, because of backward-incompatible changes, and our recommendation is that merchants then upgrade to the next full patch release. So although from 2.4.4 and above you are supported, our advice is always to make sure that your third-party dependencies are also still supported and are not reaching end of life. In that case, our recommendation is that you need to upgrade earlier than that three-year window that you have available for an upgrade. I’m almost reaching the end of my slides here. I wanted to share some of the resources that we have available. Some of the things that I covered here are also available as documentation on Experience League. We have a release schedule published, which lists the versions that are getting released in each of the release windows.
We have our lifecycle policy and the release strategy published as well, and we have our Adobe Commerce Upgrade Guide. These are some of the resources which come in very handy as you’re planning upgrades for your Adobe Commerce instance. With that, I am towards the end of my presentation, and I want to open up and see if you have questions. Charlie, is there anything in the chat, any questions?

At the moment there are no questions, so I might give people 30 seconds just to post a question now if they have any. But otherwise, yeah, that was a really good overview. Thank you. We’ll give it a few minutes and see if anyone has any questions. While we’re waiting, for those that couldn’t attend, this webinar is being recorded, so we’re going to post the recording on Experience League. It takes around about one week’s time, so if any of your team members weren’t able to join, we can definitely share the recording of this session with them. Smita, there is a question. It says: in terms of rate limiting, what is the best practice?

Yeah, great question. The best practice, the recommendation that we would have for rate limiting, actually differs a lot between web stores; every merchant has their own requirements for how much they want to restrict the API requests they receive. So it’s very difficult to pinpoint one number for what the number of API requests from one IP address should be. It differs a lot from merchant to merchant. Our advice would be to evaluate your business and figure out what works best for you.
We do have some default values which you could obviously change through the admin panel, but this is definitely dependent on your business and the request volume that seems feasible from your day-to-day operations perspective.

Thanks, Smita. That’s your only question for now. Again, we’ll give it a few seconds to see if there are any more questions. Okay, there’s another question. It says: you mentioned that one of the attacks identified is to get control of an account. When this occurs, what can we do to find out which accounts are impacted, how it happened, and also what was done with that access and data within the commerce platform?

Yeah, so we have a couple of options there. First of all, it’s very important to get notified when you have an attack going on on your commerce web store. So you can definitely sign up to use the Security Scan tool to see if there is malware. But in the case of account takeover, it can happen because of a compromised admin credential, or it can happen for various reasons, because of some vulnerability that gets exploited. So in that case, our recommendation is that you engage a system integrator to start the investigation, and then let us know as well. Reach out to support when you see such attacks and we will investigate on our side, through logs and other means, to try to figure out what exactly happened. In many cases it’s a combination: it could be a vulnerability in the application or it could be because of the custom code. We don’t have access to some of the custom code that merchants have built for their web stores.
So in that case, that’s why our first recommendation is to make sure you’re involving a system integrator in starting off an investigation when you see such a data breach or such an account takeover happening.

Thank you. We’ve got another question: how would you get alerted if someone has taken over accounts on your store using leaked credentials from elsewhere?

Yeah, so that’s a great question. Like I mentioned, we do have the Security Scan tool. It’s currently a frontend-only tool, but we are working on making backend scanning possible through it as well, so that will help to detect some of these compromises happening when you engage a system integrator to investigate. If there is an account takeover, basically the way you would find out that your store is under attack is when you start seeing fraudulent activities. One of the biggest things that we have seen is a lot of $0 transactions and things like that, so basically carding attacks happening on your web store. When you start seeing that, and your stores get affected because of it, you would know that there is a data breach happening. Then it’s very important to start investigating and trying to figure out the reason behind it. So you would need to do some investigation, look at logs and other means, to try to figure out if such a breach has happened and there is an account takeover from leaked credentials.

I’ve got another question. This is a screenshot as well, Smita.
I don’t know if you can see the chart, but I’ll read out the question. It says: we’ve got a lot of malicious requests coming through with very obvious attack intentions, such as (and there’s a GET request image here). Does the Fastly offer that comes with Adobe Commerce include Fastly Next-Gen WAF, and if it does, should those requests be blocked by Fastly?

Yeah. So that is something that we are working on with respect to Fastly Next-Generation WAF, and we hope to have that shortly. In terms of blocking these requests through Fastly, I would say that we need to put those rules through Fastly. So the best course of action would be to make sure that you’re raising a support request and working with a support professional so that you can add those Fastly rules for your web stores and make sure that you can block such requests from coming in.

Smita, there was a follow-up question. I’m not sure if you answered it, I think you may have, but it said: if it does, should those requests be blocked by Fastly?

Yeah, so I did. I said that we need to make sure that we have those Fastly rules in place. So it would be best for the customer to work with support, to raise a support request and work with a support professional, to ensure that you have the Fastly rule applied so that such requests are getting blocked.

Thank you. Another question: do we have an ETA on when Next-Gen WAF is to be included in our license? The malicious requests come in different shapes and forms, so it’s hard to write support tickets for each of them.

Yeah, I understand. With respect to Next-Generation WAF, I know that our cloud team is working on that and it’s coming very shortly, I think within the next quarter.
But with respect to your other question, about making sure that we are able to stop the malicious requests coming in through various means, I think we have to work together to make sure that we put such rules together so that we can stop all of these requests. Sometimes it requires changing strategies as we are applying those rules. But we have to make sure that we are putting together effective rules to stop such requests from coming in.

That looks like it might be it. I think we might just still give it one more minute. Okay, that looks like it. So Smita, thanks for that overview of security in Adobe Commerce. That was really informative. I mentioned that we’re going to be posting the recording of the session on Experience League, and shortly we’ll also share the details for the next webinar next month. So that’s pretty much time. That concludes the webinar. Thanks for joining and see you next time. Thanks everyone. Have a great day.
Key takeaways
E-commerce Industry Security
- Highly targeted by cyber attackers for credit card data theft.
Adobe Commerce Security Measures
- Actively enhancing security measures for merchant protection.
- Recommends two-factor authentication, API rate limiting, and content security policies.
Security Best Practices
- Implement proactive security enhancements.
- Stay updated with application updates and security patches.
- Monitor for security threats and engage system integrators for breach investigations.
- Report vulnerabilities through the bug bounty program.
Adobe Commerce Updates
- Upgrade to the latest releases to address security vulnerabilities and ensure compliance.
Fastly Next-Generation WAF Integration
- In progress to enhance security measures.
- Collaboration with support professionals for implementing Fastly rules to block malicious requests.
- Expected ETA for next-gen WAF inclusion in the license is within the next quarter.
Effective Strategies
- Implement rules and strategies to combat various forms of malicious requests effectively.