Magento Application Security [EN]

Presentation from Meet Magento Netherlands 2015, published on SlideShare.

1. Magento Application Security
   Anna Völkl / @rescueAnn

2. Anna Völkl / @rescueAnn
   • Magento Certified Developer
   • IT & Telecommunication, IT-Security
   • PHP (2004), Magento (2011)
   • LimeSoda (Vienna, AT)

3. Anna Völkl / @rescueAnn
   • 200 Magento installations*
   • 68 good passwords**
   • 10 endless loops***
   • 3 forgotten phpinfo.php
   • 1 Stroopwafel purchase
   * roughly estimated, including test setups
   ** thanks to KeePass
   *** last one 12/2012

4. Security-Technology
   Department of Defense Computer Security Initiative, 1980

5. Magento Application Security
   ✓ Logins & passwords
   ✓ Admin backend protected
   ✓ SSL installed

6. Magento Application Security
   ✓ Logins & passwords
   ✓ Admin backend protected
   ✓ SSL installed
   ...there's more!

7. Magento Application Security: Software Development Life Cycle
   (diagram; the labels mark where security has to be considered)
   Requirements, Software design, Development, Extensions / 3rd party,
   Version control & delivery, Updates & patches, Out of service;
   User, Webserver, Database;
   Logins, Passwords, Config files, File owner & permissions,
   Firewall, Web Application Firewall, IDS, IPS

8. http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

9. Security
   Confidentiality
   Integrity
   Availability
10. Insecure software? Why it happens:
    • No time
    • No knowledge
    • No priorities
    • Performance
    • SEO
    • New features

11. Potential attackers
    ✗ (organized) criminals
    ✗ Defacers
    ✗ Script kiddies
    ✗ Former developers, agencies
    ✗ Competitors
    ✗ The merchants themselves

12. Interest?
    ➢ Payment data
    ➢ Customer data
    ➢ Personal gain
    ➢ Damage competitors

13. Most critical web application security flaws
    A1 Injection
    A2 Broken Authentication and Session Management
    A3 Cross-Site Scripting (XSS)
    A4 Insecure Direct Object References
    A5 Security Misconfiguration
    More: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

14. Web application security flaws
    OWASP Top 10 2013 (German edition), https://www.owasp.org/images/4/42/OWASP_Top_10_2013_DE_Version_1_0.pdf, modified version
15. Secure Coding Principles

16. Minimize attack surface area
    Every feature adds a risk.

17. Secure defaults
    Secure configuration "out of the box"

18. Least privilege
    The least amount of privilege required to perform an action

19. Fail secure
    Fail secure vs. fail safe

20. Don't trust services
    ...they can be wrong.

21. Don't trust user input
    Validate the expected
    Expect the unexpected

22. Longest place name (1 word)
    Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu
    (New Zealand, 85 letters)

23. https://xkcd.com/327/

24. Security by obscurity
    Security by lack of knowledge?!

25. KISS
    Keep security simple
    Simplicity vs. complexity

26. Fix security issues correctly
    Understand the problem
    Find related code
    Write tests

27. ...now what?!

28. Functional & non-functional requirements

29. Secure Coding
    Be curious!
    Read, learn, try to understand.
    Secure coding guidelines: OWASP Secure Coding Practices
30. Validate your input
    Expected input: whitelist vs. blacklist

31. https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/

32. User: allowed to access a resource?
    Admins: ACLs

        Mage::getSingleton('admin/session')
            ->isAllowed('admin/sales/order/actions/create');
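Slides 30 and 32 belong together in practice: the parameter is whitelisted, and the admin user is checked against the ACL before any action runs. The controller below is an added example for a Magento 1.x installation, not code from the slides or from Magento itself. The module name Acme_Orderreport, its admin route and the `state` / `order_id` parameters are invented for illustration; the ACL resource is the one quoted on slide 32.

```php
<?php
/**
 * Added example (not from the slides or Magento itself): an adminhtml
 * controller for a hypothetical module Acme_Orderreport that applies the two
 * "Secure Coding" points above. Assumes Magento 1.x; module, route and
 * parameter names are invented for illustration.
 */
class Acme_Orderreport_Adminhtml_OrderreportController extends Mage_Adminhtml_Controller_Action
{
    /**
     * Whitelist (slide 30): the only order states this report can render.
     * Anything else is rejected instead of being "cleaned up".
     */
    protected $_allowedStates = array(
        Mage_Sales_Model_Order::STATE_NEW,
        Mage_Sales_Model_Order::STATE_PROCESSING,
        Mage_Sales_Model_Order::STATE_COMPLETE,
    );

    /**
     * ACL gate (slide 32). Mage_Adminhtml_Controller_Action::preDispatch()
     * calls _isAllowed() before every action of this controller, so one
     * override covers index, export, massDelete, ... and no single action can
     * be forgotten. The resource must also be declared in the module's
     * adminhtml.xml so it appears under System > Permissions > Roles.
     * isAllowed() accepts the path with or without the leading "admin/".
     */
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')
            ->isAllowed('admin/sales/order/actions/create');
    }

    /**
     * GET <admin>/orderreport/index/state/processing/order_id/1234
     */
    public function indexAction()
    {
        $state = $this->_validateState($this->getRequest()->getParam('state'));
        if ($state === null) {
            // Fail secure (slide 19): stop and report; do not guess a default.
            $this->_getSession()->addError($this->__('Invalid order state.'));
            $this->_redirect('*/*/');
            return;
        }

        // Numeric identifiers: cast first, then load and check the entity
        // really exists. The cast turns "1234 OR 1=1" into 1234 and "abc" into 0.
        $orderId = (int) $this->getRequest()->getParam('order_id', 0);
        $order   = Mage::getModel('sales/order')->load($orderId);
        if (!$order->getId() || $order->getState() !== $state) {
            $this->_getSession()->addError($this->__('Order not found.'));
            $this->_redirect('*/*/');
            return;
        }

        Mage::register('current_order', $order);
        $this->loadLayout();
        $this->renderLayout();
    }

    /**
     * Whitelist validation: returns the canonical value or null.
     * A blacklist ("strip quotes and <script>") is what slide 30 warns
     * against: the attacker only needs the one encoding you did not list.
     */
    protected function _validateState($raw)
    {
        if (!is_string($raw)) {          // ?state[]=x arrives as an array, not a string
            return null;
        }
        $raw = strtolower(trim($raw));
        return in_array($raw, $this->_allowedStates, true) ? $raw : null;
    }
}
```

The strict `in_array(..., true)` matters: with loose comparison PHP treats `0` and many non-numeric strings as equal, so a whitelist of strings can be bypassed by a numeric-looking parameter.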
33. Security Testing
    ● PHP_CodeSniffer (phpcs)
    ● Magento ECG Coding Standard
    ● Dependencies: SensioLabs Security Checker on composer.lock

34. Scrutinizer CI
    Code Climate
    SensioLabsInsight

36. Block access to
    ● .git, .git/config
    ● composer.lock
    ● Standard /admin path
    ● /downloader
    ● app/etc/local.xml
    ● Logfiles
    ● phpinfo.php
    ● Database dumps: livedb.sql.gz
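Whether those paths are actually blocked can be verified from the outside. The script below is an added example (not from the slides or from any Magento tool): a PHP CLI probe that requests each path from slide 36 and reports the ones that answer with real content. The body signatures (e.g. `login[username]` for the Magento 1 admin login form, `[core]` for `.git/config`) and the offline response table are my assumptions, chosen so that a shop returning a catch-all 200 page does not produce false positives. Magento 1 ships `.htaccess` files that deny `app/` and `var/` under Apache; on nginx, or with `AllowOverride None`, the same rules have to be written by hand, which is exactly the case this probe catches.

```php
<?php
/**
 * Added example (not from the slides): probes a Magento 1 shop from the outside
 * for the paths listed on slide 36 and reports those that answer with real
 * content. Pure PHP, needs only ext/curl.
 *
 *   php exposure-check.php https://shop.example.com/
 *
 * Without an argument it runs against a constructed, offline response table so
 * the logic can be exercised without a target. The body signatures are
 * assumptions chosen to avoid false positives from catch-all 200 pages.
 */

/** path => array(body signature, or null if a plain 200 is already a finding; why it matters) */
function sensitivePaths()
{
    return array(
        '.git/config'           => array('[core]',          'repository metadata; usually allows pulling the whole source tree'),
        'composer.lock'         => array('"packages"',      'exact dependency versions: a shopping list of known-vulnerable libraries'),
        'admin/'                => array('login[username]', 'default admin path: use a custom frontName and restrict it by IP'),
        'downloader/'           => array('Magento Connect', 'Connect Manager: remove or block it in production'),
        'app/etc/local.xml'     => array('<crypt>',         'database credentials and the crypt key'),
        'var/log/system.log'    => array(null,              'log files'),
        'var/log/exception.log' => array(null,              'log files'),
        'phpinfo.php'           => array('phpinfo()',       'PHP configuration, paths and loaded modules'),
        'livedb.sql.gz'         => array("\x1f\x8b",        'database dump (name from the slide; add your own naming scheme)'),
    );
}

/**
 * Requests every sensitive path below $baseUrl through $fetch, which must
 * return array($httpStatus, $body). Returns path => reason for each confirmed hit.
 */
function probeSite($baseUrl, $fetch)
{
    $base     = rtrim($baseUrl, '/') . '/';
    $findings = array();
    foreach (sensitivePaths() as $path => $check) {
        list($signature, $why) = $check;
        list($status, $body)   = call_user_func($fetch, $base . $path);
        if ($status !== 200) {
            continue;   // 403/404, or a redirect to the login page: blocked as intended
        }
        if ($signature === null || strpos($body, $signature) !== false) {
            $findings[$path] = $why;
        }
    }
    return $findings;
}

/** Real HTTP fetcher. Redirects are deliberately not followed. */
function curlFetch($url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_USERAGENT      => 'exposure-check (slide 36 paths)',
    ));
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return array($status, (string) $body);
}

/**
 * Constructed offline responses (not a real shop): a forgotten phpinfo.php and
 * an exposed .git, local.xml denied by app/.htaccess, a catch-all 200 on the
 * old /admin/ path, everything else missing.
 */
function constructedFetch($url)
{
    $table = array(
        '/.git/config'       => array(200, "[core]\n\tbare = false\n[remote \"origin\"]\n\turl = git@example.com:shop.git\n"),
        '/phpinfo.php'       => array(200, '<html><head><title>phpinfo()</title></head><body>PHP Version 5.5</body></html>'),
        '/app/etc/local.xml' => array(403, '<h1>Forbidden</h1>'),
        '/admin/'            => array(200, '<h1>404 Not Found</h1>'),   // no login form: signature check keeps it out
    );
    $path = parse_url($url, PHP_URL_PATH);
    return isset($table[$path]) ? $table[$path] : array(404, 'Not Found');
}

$target   = isset($argv[1]) ? $argv[1] : null;
$findings = $target
    ? probeSite($target, 'curlFetch')
    : probeSite('http://shop.example.test/', 'constructedFetch');

foreach ($findings as $path => $why) {
    printf("EXPOSED  /%-24s %s\n", $path, $why);
}
echo $findings ? count($findings) . " exposed path(s)\n" : "Nothing exposed.\n";
exit($findings ? 1 : 0);
```

Run it against staging before every deployment and against production after web-server or hosting changes; the non-zero exit code lets a CI job fail the build. A hit on `admin/` does not mean the backend is compromised, only that the default path is still in use and can be brute-forced or matched by mass scanners.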
37. Latest security patches
    SUPEE-5344
    SUPEE-5994

38. Patch!
    ● Magento Community Edition 1.9.1.1 & Enterprise Edition 1.14.2 contain SUPEE-5344
    ● Magento Shoplift Bug Tester: https://shoplift.byte.nl
    ● Coming soon: Magento Alert Registry
    ● @magesecurity

39. Leave your code more secure (better) than you found it.
