A global nutrition and skin care product company providing nutrition supplements to its customers for almost 40 years. The company operates in more than 90 countries with over 8,000 employees around the world. The company facilities benefit from the latest technology and are among the most advanced in the world. All their laboratories are ISO 17025-certified. The company employs more than 300 scientists to ensure customers enjoy the highest quality.
The company’s APAC Event Ticket Sales System was built in 2012. Many changes were made in the business and process since then, which the old system did not support. Therefore, all the modules needed to be redesigned to accommodate those new business needs and changes.
Additionally, the client wanted to develop a mobile App (Android and iOS) to provide their customers a seamless journey.
Create the main backend web application for:
Ensure cyber security in the Mobile App and Web Application
Preventing a Man-in-the-Middle attack involving a malicious actor intercepting conversations between two parties, impersonation, and accessing information the parties share. While making an SSL connection, the client checks the server’s trusted (root) certificate and the requested hostname by default. However, it does not check if the certificate in question is a specific certificate or the client-server it is using. It just matches certificates between the device’s trust store opening a security gap in the remote server. Therefore, the device’s trust store can easily be compromised, i.e., installation of unsafe certificates allowing man-in-the-middle attacks.
Preventing XSS attacks where potentially untrusted content could be inserted from the user to the website, or even information stored in a database. The data coming from the URL or an HTTP POST can be a threat. The input from the URL has untrusted data content as the data could have been supplied by an attacker.
We followed the Agile Sprint model for delivery. We divided the task into 8 sprints and created user stories for each component.
We used Microsoft ASP.NET 4.5 for high speed, low cost, and language support.
The IT Admin module has two sub-modules: Admin and Admin Event. We created:
For order processing, we created operator processes for order management and ticket management processes.
We created a smooth and quick registration process, search Member/Ticket functionalities, check-in, and full registration.
For each functionality ─ event, order, ticket assignments, order processing, etc., a separate login screen was created along with the permissions.
Prevent Man-in-the-Middle Attack ─ We protected the website and mobile app from malicious actors. We added further security along with the default SSL security that checks.
We checked the threat to the device’s trust store from being compromised and installation of malicious certificates by Certificate pinning. For this, we hard-coded the certificate (s) that will be the mobile app servers. The app will ignore the device’s trust store and rely on its inbuilt trust store. It will only allow SSL connections to hosts that are signed with certificates stored inside the application. The hard-coded trust store cannot be compromised easily. It will also not be possible to sign in to the same Android key-store that the original developer of the app used.
To prevent CSRF attacks we used token-based CSRF defense (either stateful/stateless) as a primary defense to mitigate CSRF in the applications. We achieved the token-based mitigation with a stateless (encrypted/hash-based token pattern).
To prevent XSS attacks we used the strategy of building application code is to encode potentially untrusted content appropriately for the context in which it’s being output on the page.
We successfully developed the new modules with quicker output and multiple language support. The customer had a secured web application and a mobile app that provides a smooth customer journey and better customer engagement.
Digital Business People Pte. Ltd. is a technology outsourcing firm helping brands and businesses digital transformation with a key focus on Omni-channel customer experience and engagement management. Founded in 2018, the company is headquartered in Singapore and has its offshore development centers in India. DBP offers a wide spectrum of solutions that include Customer Communication Management (CCM), Web Content Management (WCMS), Campaign Management, BI & Analytics, Robotic Process Automation, CRM, Application Development and Managed Services, Cloud Deployment and Management Services amongst others. The company believes that both internal and external customers connect, through future-ready technology solutions are a critical component of any business. DBP’s services and partnerships are centered on this philosophy. The company has strong partnerships with some leading global companies namely SAP, Quadient, Microsoft, Adobe, Intense Technologies, XpertDoc, Objectif Lune, Sisense, and Dimensional Insight amongst others. DBP has been listed amongst the Top 20 salesforce consultants in Singapore and is also a member of the Singapore Fintech Association. Visit https://www.dbppl.com for more information.