OWASP and Code Review

6 years ago
Our security team is asking for supporting documentation for assertions of the security of this app. Essentially, what frameworks are used, like OWASP, to build the security of the application? What makes nopCommerce secure? Does code review happen, and are there any specifics to go with that? Has anyone had success with valid and high-quality penetration testing? I'm just trying to make these people happy, which is difficult. Any links to supporting documentation would be fantastic! We purchased the User Guide; there's nothing in there. I have perused the forums and again am not finding what I need. We intend to get the premium support, but not before these questions are answered.

Thanks in Advance!
6 years ago
sdom726 wrote:
Essentially, what frameworks are used, like OWASP, to build the security of the application?

We did not use such frameworks. But some users tried (e.g. here). All reported issues have been fixed.

sdom726 wrote:
What makes nopCommerce secure? Does code review happen, and are there any specifics to go with that?

Proper architecture, usage of the best security patterns, and a lot of code approaches to avoid some other potential issues.
6 years ago

I appreciate your quick response and the link to the bug fixes. Yikes! "Proper architecture", etc. That's like saying "trust me", and that's the issue with security folks: they don't trust much.

If anyone has more information that would be great!

2 years ago

Like the very first question, we are preparing an e-commerce grant scheme report, and one of the questions is about OWASP with nopCommerce. We're using the latest version of nopCommerce. Can we get a confirmation that nopCommerce is compliant with this, or where can I get it?

2 years ago
Any feedback please?
11 months ago
A few things on OWASP, code reviews and security groups.

First - you have a provided code base to review all code used within the applications. There are many approaches one could use to manage code reviews, including the use of such tools as SonarQube, ReSharper, Veracode and others. Since nopCommerce provides the full code base, approval is probably not required.

Second, as developers, you should learn to do this work yourself. You should understand proper and secure coding, understand different compliance requirements (PII, PCI, PHI) and have the ability to code for those, and understand hacking techniques and the tools used for hacking, so you have an understanding of where the weak points could be in your application.

Finally - with this knowledge, you can keep security people in their place. Most security folks today do not code, and only understand the rules. In essence, they know what the rule is, but they cannot tell you how to apply it. That's why they get grumpy and short, and then cannot help you resolve it.

Getting a good understanding of security and secure development is a necessity now, and should be at the forefront of skill development for developers.

In other words - DO IT YOURSELF!