Our security team is asking for supporting documentation for assertions of the security of this app. Essentially, what frameworks are used like OWASP to build the security of the application? What makes nopCommerce secured? Does code review happen and any specifics to go with that? Anyone had success with valid and high quality penetration testing? I'm just trying to make these people happy which is difficult. Any links to supporting documentation would be fantastic! We purchased the User Guide, nothing in there, I have perused the forums, again not finding what I need. We intend on getting the premium support but not before these questions are answered.
Thanks in Advance!
OWASP and Code Review
团队成员
- 16611
- 155810
- 2008/10/22
- Armenia
sdom726 wrote:
We did not use such frameworks. But some users tried (e.g. here). All reported issues have been fixed.
sdom726 wrote:
Proper architecture, usage of the best security patterns, a lot of code approaches to avoid some other potential issues.
Essentially, what frameworks are used like OWASP to build the security of the application?
We did not use such frameworks. But some users tried (e.g. here). All reported issues have been fixed.
sdom726 wrote:
What makes nopCommerce secured? Does code review happen and any specifics to go with that?
Proper architecture, usage of the best security patterns, a lot of code approaches to avoid some other potential issues.
- 3
- 35
- 2020/2/28
- United States
A few things on QWASP, Code reviews and Security Groups.
First - you have a provided code base to review all code used within the applications. There are many approaches one code use to manage code reviews including the use of such tools as SonarQube, Resharper, Veracode and others. Since nopCommerce provides the full code base, approval is probably not required.
Second, as developers, you should learn to do this work yourself. You should understand proper and secure coding, understand different compliance requirements (PII, PCI, PHI) and the ability to code for those, understand hacking techniques, the tools used for hacking so you have an understanding of where the weak points could be in your application.
Finally - with this knowledge, you can keep security people in their place. Most security folks today do not code, and only understand the rules. In essence, they know what the rule is, but they cannot tell you how to apply it. That's why they get grumpy and short - then cannot help you resolve it.
Getting a good understanding of security and secure development is a necessity now, and should be a forefront of skill development for developers.
In other words - DO IT YOURSELF!
First - you have a provided code base to review all code used within the applications. There are many approaches one code use to manage code reviews including the use of such tools as SonarQube, Resharper, Veracode and others. Since nopCommerce provides the full code base, approval is probably not required.
Second, as developers, you should learn to do this work yourself. You should understand proper and secure coding, understand different compliance requirements (PII, PCI, PHI) and the ability to code for those, understand hacking techniques, the tools used for hacking so you have an understanding of where the weak points could be in your application.
Finally - with this knowledge, you can keep security people in their place. Most security folks today do not code, and only understand the rules. In essence, they know what the rule is, but they cannot tell you how to apply it. That's why they get grumpy and short - then cannot help you resolve it.
Getting a good understanding of security and secure development is a necessity now, and should be a forefront of skill development for developers.
In other words - DO IT YOURSELF!