OpenCart is an open source shopping cart web application. It is installed on more than 300,000 business and e-commerce websites, ranging from one-person start-ups to large organizations and charities. Such popularity also attracts a lot of attention, sometimes the wrong type of attention. The OpenCart development team therefore does its best to deliver the most secure software possible.
Many open source projects have loyal followers who sometimes go the extra mile for the good of the project. Being the good product it is, OpenCart enjoys this benefit: community users share the results of independent security audits and are cooperative when reporting issues, allowing the developers to fix any security flaws and release updates before the details are made public.
In today's fast-paced world, a responsive community is not enough on its own. Imagine what could happen if a malicious attacker found a zero-day vulnerability and, instead of reporting it to the OpenCart developers, started exploiting it in the wild.
The OpenCart developers are well aware of such a risk and had previously tried several automated tools to identify possible security flaws in their project's code. But, as with almost any other open source project, resources are limited, and as James Allsup, the project's Technical Consultant, explained: "most of the other tools and suites that we tried were always either over-complex or under-developed, and are usually ridiculously overpriced!"
"When we learnt that Netsparker Enterprise is available for free for open source web applications we went ahead and tried it out," explained Mr Allsup. "Since we started using it, our experience has been perfect. From an excellent easy-to-use interface and a neat API solution, down to the minor details like support for two-factor authentication and security audit logs. It's an amazing tool that ticks all the boxes."
We've always taken great pride in our fully fledged API, and brag about it quite a lot (rightly so). But today we are leaving it to someone who actually uses it to tell you how good it is:
"We use Jenkins to automate a lot of our tests, such as code scanning for errors, standards, repetition, etc. We also create a full installation of each build to save time when wanting to test improvements on a fresh, live install. At the end of our build stage we now hook into the Netsparker Enterprise API to trigger an automated web vulnerability scan on the new installation.
The fact that we can hook into our existing infrastructure was a huge bonus and saves us the time of manually starting scans for a new install."
Since its inception, the Netsparker web vulnerability scanner has found hundreds of zero-day vulnerabilities in open source projects (and counting). It has not yet found anything critical in the OpenCart project, and the developers hope it stays that way. Still, by integrating automated web application security scans into their development process, the OpenCart developers are "more confident in our code thanks to scanning it with Netsparker Enterprise. Knowing that we can deploy a test site and have it scanned for the latest security threats in just minutes does help ensure that we keep the most recent releases as secure as possible."
Do you have an open source web application? Are you part of a team that maintains one? Get in touch with us for a free Netsparker Enterprise account, no strings attached!