OpenCart: (Why) The Open Source Project Uses Invicti Enterprise
We are now more confident in our code thanks to scanning it with Invicti Enterprise. Knowing that we can deploy a test site and have it scanned for the latest security threats in just minutes does help ensure that we keep the most recent releases as secure as possible.– James Allsup, OpenCart project Technical Consultant
OpenCart is an open source shopping cart web application. It is installed on more than 300,000 business and e-commerce websites which vary from one-person start-up company to large organizations and charities. Such popularity also brings along a lot of attention, sometimes the wrong type of attention. Therefore the OpenCart developers team try their best to deliver the most possible secure software.
What Does It Take to Develop a Secure Open Source Web Application?
The Good: Depending on the Community
Many open source projects have loyal followers which sometimes go the extra mile for the better of the project. Being the good product it is, OpenCart enjoys such benefit; community users share the results of independent security audits and are cooperative when reporting on issues, thus allowing the developers to fix any possible security flaws and release updates before they are made public.
The Bad: Lack of (available) Resources and Automated Tools
In today’s fast paced world, a responsive community is just not enough. Imagine what could happen if a malicious attacker finds a zero-day vulnerability and instead of reporting it to the OpenCart developers he starts exploiting it in the wild.
The OpenCart developers are well aware of such risk and had previously tried to use several automated tools to identify any possible security flaws in their project’s code. But like almost any other open source project, resources are limited and as James Allsup, the projects Technical Consultant explained “most of the other tools and suites that we tried were always either over complex or under developed, and are usually ridiculously overpriced!”
Using Invicti Enterprise for a More Secure OpenCart Project
“Since we started using it, our experience has been perfect. From an excellent easy to use interface and a neat API solution, down to the minor details like support for two-factor authentication and security audit logs. It’s an amazing tool that ticks all the boxes”.
Integrating Automated Web Application Security Scans via the API
We’ve always taken great pride of our fully fledged API, and brag about it quite a lot (rightly so). But today we are leaving it up to someone who is using it to tell you on how good it is;
“We use Jenkins to automate a lot of our tests such as code scanning for errors, standards, repetition etc. We also create a full installation of each build to save time when wanting to test improvements on a fresh, live install. At the end of our build stage we now hook into the Invicti Enterprise API to trigger an automated web vulnerability scan on the new installation.
The fact that we can hook into our existing infrastructure was a huge bonus and saves us the time on manually starting scans for a new install.”
Developers have More Confidence in their Code with Invicti Enterprise
Since its inception, the Invicti web vulnerability scanner found hundreds of zero-day vulnerabilities in open source projects (and counting), though it did not find anything critical yet in the OpenCart project, and the developers hope it remains so. Still, by integrating automated web application security scans in their development process, the OpenCart developers are “more confident in our code thanks to scanning it with Invicti Enterprise. Knowing that we can deploy a test site and have it scanned for the latest security threats in just minutes does help ensure that we keep the most recent releases as secure as possible.”