OpenCart: Why an Open-Source Project Uses Invicti Enterprise

Industry: IT & Telecommunications

Company: OpenCart

Location: Tuen Mun, Hong Kong

Company size: 11-50 employees

Product: Invicti Enterprise

“With Invicti Enterprise scanning, we now have more confidence in our code. Knowing that we can deploy a test site and scan it for the latest threats in minutes helps us maintain the highest level of security for the latest versions.”

James Allsup

Technical Project Consultant at OpenCart

OpenCart is an open-source web shopping cart application. It is installed on over 300,000 business and e-commerce websites, ranging from one-person startups to large organizations and charities. With this popularity comes a lot of attention, some of it malicious. The OpenCart development team therefore works hard to create the most secure software possible.

What does it take to develop a secure open-source web application?

Pros: Community

Many open-source projects have dedicated followers who sometimes go out of their way to improve the project. A good product like OpenCart has this advantage: community users share independent security audits and collaborate to report issues, allowing developers to fix potential security flaws and release updates before they are released.

Cons: Lack of (available) resources and automated tools

In today’s fast-paced world, a community is simply not enough. What could happen if an attacker finds a vulnerability and instead of reporting it to the OpenCart developers, they start exploiting it in real-world settings?

OpenCart developers are well aware of this risk and have previously tried to use several automated tools to detect security flaws in their project. But, as with almost any other open-source project, resources are limited, and as James Allsup, the project’s technical advisor, explained:

“Most of the other tools we have tried have always been either too complex or not advanced enough.”

Using Invicti Enterprise for OpenCart security

“From the very beginning, the experience with the product has been perfect. From the great, easy-to-use interface and neat API solution, to the little things like support for two-factor authentication and audit logs. It’s an amazing tool that meets all our requirements.”

Automated Web Application Security Scanning via API

Invicti has always prided itself on its API (and rightly so), and its quality is also confirmed by customers:

“We use Jenkins to automate many of our tests, such as scanning for errors, standards, repetitions, etc. We also create a full installation of each build to save time when we want to test improvements on a new, live installation. At the end of the build stage, we connect to the Invicti Enterprise API to run an automated web vulnerability scan on the new installation.
Being able to connect to our existing infrastructure has been a huge bonus and saves us time manually running scans for the new installation.”

Developers have more confidence in security with Invicti Enterprise

Since its implementation, Invicti has found hundreds of vulnerabilities in open-source projects (and counting), although it has yet to find anything critical in the OpenCart project, and the developers expect that to continue. However, by integrating automated web application testing into the development process, they “have more security confidence with scanning with Invicti Enterprise. Knowing that we can deploy a test site and scan it for the latest threats in minutes helps us keep the latest releases as secure as possible.”
