OpenCommerce Group: Extraordinary Journey Through Vulnerability Remediation

CyStack’s solution supported OpenCommerce Group to identify and address vulnerabilities, safeguard critical information, and minimize expenses.


From July 12, 2021 to October 11, 2021, CyStack performed a security assessment and vulnerability management for the ShopBase applications. The system was tested by leading penetration testers at CyStack and a team of community experts on the WhiteHub platform. The purpose of the project was to identify security weaknesses, provide remediation recommendations, and give continuous feedback, so as to minimize information security risks to the system at all times.


Our client

OpenCommerce Group is a leading technology company providing e-commerce solutions in Vietnam, founded in 2017. With a modern technology platform and a team of experienced experts, OpenCommerce Group has created optimal products and services, helping businesses operate e-commerce effectively and cost-effectively.

With the mission of connecting and creating a launching pad for e-commerce businesses and domestic and foreign brands, OpenCommerce has built a technology ecosystem that integrates the online shopping journey. For cross-border shopping, OpenCommerce created ShopBase.

ShopBase is one of the leading Dropship sales platforms supporting sellers in Vietnam, providing complete solutions from building an online store, posting and optimizing products, to processing orders. To best support sellers, ShopBase provides both web applications and mobile applications (Android and iOS).

For businesses operating in the field of e-commerce in general, and for OpenCommerce Group in particular, attacks that exploit security vulnerabilities are always one of the most worrying challenges. A security breach can lead to unfortunate consequences, from the loss of important data to the disclosure of customer information, damaging the reputation of the business.

Solution

Aware of the potential danger from security vulnerabilities, OpenCommerce Group decided to choose the Vulnerability Management and Managed Bug Bounty from CyStack to ensure the security of the ShopBase e-commerce platform – one of the two main areas in the business ecosystem, created to improve the Drop Shipping and Print-On-Demand (POD) experience for buyers and sellers.

Vulnerability management is the process of identifying, prioritizing, and addressing vulnerabilities in customers' systems and network infrastructure. This process helps organizations prevent security breaches and protect sensitive information, systems, and infrastructure.

Vulnerability Management service includes:

  • Vulnerability assessment: To simplify and automate the vulnerability assessment process, CyStack has developed CyStack Web Security (CWS), a vulnerability scanning and monitoring tool for web applications. CWS assists organizations in scanning subdomains and IP addresses within the internal network, and detects vulnerabilities through fuzzing techniques and CyStack's vulnerability database. CWS also provides a platform to manage, track, prioritize, and recommend actions for findings, and organizations can integrate it with CI/CD tools and other performance management tools.
  • Penetration testing: A simulated cyber attack on a system, computer network, or web application to detect security vulnerabilities that could be exploited. Conducted by security experts, this process uses a variety of tools and techniques to assess the security level of a specific environment and, in turn, identify the areas that are vulnerable to attack.
  • Bug bounty program: A community-based form of security that recognizes white hat hackers who detect and report security vulnerabilities in a business's software or systems. Businesses establish rewards, which can be cash, souvenirs, or other forms of recognition, to encourage white hat hackers to search for and report the security vulnerabilities they discover.

After running a bug bounty program on the WhiteHub business security platform, CyStack experts worked with ShopBase's IT Security team to handle the security issues that arose or remained on the application system and to propose the best remediation for each. CyStack experts then re-tested to confirm that the problems were completely resolved, ensuring maximum safety for the ShopBase application system.

Result

Through the bug bounty program, a total of 40 reports were awarded. The total reward value reached 80,000,000 VND, of which the highest single reward was worth 4,000,000 VND.

Total vulnerabilities discovered, by severity: 8 critical, 32 high, 36 medium, 17 low, and 4 informational.

We have fixed these issues:

  • 39 Stored XSS vulnerabilities.
  • 13 Insecure Direct Object References (IDOR) vulnerabilities.

Customer Services

CyStack has assessed the severity of each vulnerability in the ShopBase team's system, helping to determine priorities for the remediation process. This helps ShopBase optimize the vulnerability remediation process and effectively minimize risks.

In addition, we have consulted on solutions for system-wide vulnerabilities, especially issues related to insecure design. In this way, we help ShopBase build a stronger and better-performing security system.

Finally, we conducted a thorough reassessment of the vulnerabilities that had been fixed, looking for every possible way to bypass each fix before concluding that the vulnerability was completely resolved. This process ensures that every measure is thoroughly tested and evaluated before the system is deemed secure.

About CyStack

CyStack is a cybersecurity company based in Vietnam since 2017. We offer comprehensive solutions, including testing, security consulting, and managed services. With over 200 businesses and 20,000 users worldwide, we are recognized as a trusted partner for organizations and a strong leading firm in cybersecurity research and development.

For more information, please visit: https://cystack.net/

Quotes

“We appreciate the importance of vulnerability management and understand that it is essential for any professional enterprise.” – Mr. Truong Bui, CTO OpenCommerce Group.

“CyStack has demonstrated great dedication and professionalism in supporting us with managing incidents, resolving issues, and providing comprehensive process consultation.” – Mr. Truong Bui, CTO OpenCommerce Group.

“The researchers here are dedicated, professional, and ready to support 24/7. With a large number of researchers, the process of identifying vulnerabilities is fast and straightforward. Additionally, we greatly value their knowledge and expertise.” – Mr. Truong Bui, CTO OpenCommerce Group.
