How We Implemented Security Testing for CS-Cart and Multi-Vendor and Made It More Secure

How did we implement security testing for CS-Cart and Multi-Vendor

Security is important for any business. And information security is critical if you have a website, especially if you have an online store with customer data. Most of our readers use solutions built on CS-Cart and Multi-Vendor. Today we will talk about how we make our clients’ projects and CS-Cart core safer.

Every system is hackable

There are no 100% secure systems and companies – absolutely everything can be hacked. It is just the matter of time and money to hack a more secure system.

Anyone who thinks that security products alone offer true security is settling for the illusion of security.

“The Art of Deception”, Kevin D. Mitnick

Note that in order to maintain the safety of the project as a whole, it is necessary to monitor and check for safety:

  • The very core of the CMS (CS-Cart or Multi-Vendor in our case)
  • Changes made to the core of the system by developers
  • Add-ons
  • Third-party themes and their updates
  • Additional integrations and scripts
  • Configuration of the server and its components

A mistake or oversight in any of the above points can potentially lead to a disclosure of sensitive and critical project data or even compromise it. In this post, we will tell you how our team helped make the core of CS-Cart safer. The next posts will cover each point individually.

Continuous Security as a CI process

During each release of a new version of CS-Cart and Multi-Vendor (starting from version 4.12.0), we conduct testing to identify information security issues. After completing the Static application security testing (SAST), we launch Dynamic application security testing (DAST). Once all the tests are done, our cyber security specialist analyzes the test results and proceeds to manual analysis. He manually compares the results, checking and confirming the problems or marking them as false-positive.

This set of continuous tests and studies helps make sure that vulnerabilities are not overlooked in customer projects. That is how we maintain overall security.

After a vulnerability or some other problem is confirmed, we study the root cause. We analyze the application code that relates to this problem, regardless of who the developer is. Sometimes, concerns reside within third-party libraries and we inform their developers. We form a set of patches to fix or mitigate the risk of vulnerability exploitation.

When a vulnerability is confirmed, we know how to reproduce it. What is required? To classify the problem. We use the OWASP framework to identify, STRIDE to classify, and DREAD to rate, compare, and prioritize.

Then, we connect with the CS-Cart team via a secure channel. We discuss the plan of action to fix the vulnerability and, if necessary, the plan of information disclosure, to follow them further.

Workflow of how the asaplab.io team does the information security tests for the CS-Cart and Multi-Vendor and communicate with the CS-Cart team
Workflow of how the asaplab.io team does the information security tests for the CS-Cart and Multi-Vendor and communicate with the CS-Cart team

One topic here should be addressed separately. If a vulnerability is critical or we understand that there is a risk to exploit it, we contact our customers and help them apply patches or schedule a fix.

Result

Over the past two months, we have identified and helped fix 7 vulnerabilities in CS-Cart (including, the core and default add-ons) at different severity levels.

We continue our research of security gaps further and commit ourselves to introduce this practice in all future releases of CS-Cart and Multi-Vendor. We plan to implement security testing for third-party add-ons and themes.

ASAP Lab LTD is a partner of Simtech Development for server and project information security and performance optimization.

Share:

Tired of solving complicated hosting issues? Focus on your business with complete peace of mind!

Save time, money and effort on hosting work!
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.