
Magento Security Best Practises - MM17DE

Software development can sometimes be a mess: live database dumps needed for testing lying around, development files being forgotten or accidentally transferred to the live environment, untested code being written and deployed in a hurry. It’s easy to mess up and fail, often without noticing for a long time. In this talk we’ll have a look at how to bullet-proof your development workflow. It covers best practices and tools which you should use in your daily work that will improve the overall security and also speed up software development.



  1. Magento Security Best Practices: Best practises and tools to improve the overall security of your Magento shops. Anna Völkl / @rescueAnn, #mm17de
  2. Anna Völkl: Lead Magento Developer, E-CONOMIX, Wels & Linz / Austria. @rescueAnn
  3. http://bouk.co/blog/hacking-developers/ and http://extractdata.club
  4. Who is responsible for security? "I didn't know it had to be secure..."
  5. Source: Zend - The State of PHP in 2017
  6-8. Magento Security Best Practises: https://magento.com/security • Sign up for Magento security alerts • Be prepared • Patch early • Use magereport.com • Monitor for signs of attack
  9. Magento Security Scan • very detailed report about the security of a Magento shop • not public • Beta will begin in early June • multiple testing cycles throughout the summer • possible release in Q3-Q4 2017. Info: securityinfo@magento.com
  10-15. Recommended Extensions I: Passwords & Login • EW_NativePasswords • MageHackDay_TwoFactorAuth • BranchLabs_AdminPasswordStrength • Shopliebe_PasswordStrength • Ikonoshirt_Pbkdf2
  16-21. Recommended Extensions II: Configuration & Monitoring • Ikonoshirt_StrictTransportSecurity • ET_IpSecurity • FireGento_AdminMonitoring • Nexcessnet_Alarmbell • Mhauri_Slack / Moogento_SlackCommerce
  22-25. Recommended Extensions for M2 • creaminternet/module-secure-passwords • Git Status Security Report • MageSpecialist SecuritySuite (Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth)
  26. Who has access to your code? You. Your colleague. Your company. Your GitLab server. An external developer. GitHub/Bitbucket. Your CodeClimate integration. Your build/deployment tools.
  28. Isolate development from production: reduce unwanted errors, improve security
  29. Dev vs. Testing/Staging vs. Production
  30. No keys in your code, put them in settings files. Don't add the settings files (esp. production) to your repo.
  33. Database dumps I: Because dumping big databases is boring
  34. Remove log data: $ n98-magerun.phar db:dump --strip="@stripped" Available: @log, @dataflowtemp, @stripped. See: n98-magerun Stripped Database Dumps
  35. Database dumps II: Because you don't need thousands of orders, customers and logs in your dev environment
  36. Remove sales and customer data: $ n98-magerun.phar db:dump --strip="@development" Available: @log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development. See: n98-magerun Stripped Database Dumps
  37. Use an environment configuration tool: Because accidentally using the wrong environment is embarrassing
  38. Environment Configuration • LimeSoda_EnvironmentConfiguration • n98-magerun Script • Cti_MagentoConfigurator • HarrisStreet ImpEx
  39. Code analysis • CodeClimate • SensioLabs Insight • Scrutinizer
  40. GrumPHP, a PHP code-quality tool • tests run via git hooks • improve the codebase • write better code following best practises • extra packages like sensiolabs/security-checker • https://github.com/phpro/grumphp
  42. Security advisories: https://github.com/FriendsOfPHP/security-advisories. Checking for vulnerabilities • Upload composer.lock to https://security.sensiolabs.org • Use the web service (curl) • Use the CLI tool: php checker security:check composer.lock
  43. Magento Malware Scanner: wget git.io/mwscan.txt && grep -Erlf mwscan.txt /path/to/magento (https://github.com/gwillem/magento-malware-scanner)
  44. Magento Project Mess Detector: https://github.com/AOEpeople/mpmd
  45. Admin password cracking
  46. Warnings on HTTP websites in Google Chrome 62: "As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details." — engadget.com. More info.
  47. To do • Read & apply the Magento Security Best Practises • Sign up for Magento security alerts • Test & check your code and settings • Full HTTPS • Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta
  48. Thanks! Questions? @rescueAnn, github.com/avoelkl
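The stripped dumps from slides 33-36 only protect customer and order data if the strip actually happened before the file left the production host. This POSIX shell check is an added example, not from the slides or from n98-magerun: it scans a dump for row data in the tables it assumes @customers, @sales and @log cover in a Magento 1 schema (the table list is an assumption to adjust to your own stripper configuration).

```shell
#!/bin/sh
# Added example, not from the slides or from n98-magerun: verify that a dump
# made with "db:dump --strip" really carries no rows for the tables you meant
# to strip before handing it to a developer. The table names are an assumption
# of what @customers, @sales and @log cover in Magento 1; adjust to taste.
SENSITIVE_TABLES="customer_entity customer_address_entity sales_flat_order sales_flat_quote log_visitor log_url"

# dump_rows_in: print each sensitive table that still has INSERT rows in dump $1.
# mysqldump (and n98-magerun) writes row data as: INSERT INTO `table` VALUES ...
dump_rows_in() {
    dump="$1"
    for t in $SENSITIVE_TABLES; do
        if grep -Eq "^INSERT INTO \`$t\`" "$dump"; then
            echo "$t"
        fi
    done
}

# dump_is_stripped: succeed (exit 0) only when no sensitive table has rows.
dump_is_stripped() {
    [ -z "$(dump_rows_in "$1")" ]
}

# make_sample_dump: write a constructed mini dump to $1. With $2 = "stripped"
# the sensitive tables keep their CREATE TABLE but lose their rows, which is
# what --strip does; with any other mode the rows are present.
make_sample_dump() {
    out="$1"; mode="$2"
    {
        echo 'CREATE TABLE `core_config_data` (path varchar(255));'
        echo 'INSERT INTO `core_config_data` VALUES ("web/secure/base_url");'
        echo 'CREATE TABLE `customer_entity` (entity_id int);'
        echo 'CREATE TABLE `sales_flat_order` (entity_id int);'
        if [ "$mode" != "stripped" ]; then
            echo 'INSERT INTO `customer_entity` VALUES (1),(2);'
            echo 'INSERT INTO `sales_flat_order` VALUES (100);'
        fi
    } > "$out"
}

# Usage in a deployment script:
#   dump_is_stripped dev.sql || { echo "dump still contains customer/sales rows"; exit 1; }
```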
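Slide 30 says keys belong in settings files that stay out of the repo, and slide 40 recommends running checks from git hooks. This pre-commit check is an added example, not from the slides or from GrumPHP: it rejects a commit that stages an environment settings file or a file with an embedded credential. The blocked paths (app/etc/local.xml for Magento 1, app/etc/env.php for Magento 2, .env) and the secret pattern are assumptions to tune for your project.

```shell
#!/bin/sh
# Added example, not from the slides or from GrumPHP: a pre-commit check that
# refuses to commit environment settings files and files that embed a
# credential, enforcing "no keys in your code" at commit time.
# BLOCKED_PATHS is an assumption for Magento 1 / Magento 2 projects and
# SECRET_PATTERN is a deliberately rough heuristic; tune both for your code base.
BLOCKED_PATHS="app/etc/local.xml app/etc/env.php .env"
SECRET_PATTERN='(api[_-]?key|secret|password)[[:space:]]*[=:][[:space:]]*.[A-Za-z0-9_-]{8,}'

# check_files: inspect each path given; print a reason for every rejected
# file and return 1 if any file must not be committed, 0 otherwise.
check_files() {
    status=0
    for f in "$@"; do
        for b in $BLOCKED_PATHS; do
            if [ "$f" = "$b" ]; then
                echo "blocked: $f is an environment settings file"
                status=1
            fi
        done
        if [ -f "$f" ] && grep -Eiq "$SECRET_PATTERN" "$f"; then
            echo "blocked: $f looks like it contains a credential"
            status=1
        fi
    done
    return $status
}

# Hook entry point: only the files staged for this commit are checked.
# Install as .git/hooks/pre-commit (or wire it up as a GrumPHP task).
pre_commit_hook() {
    check_files $(git diff --cached --name-only --diff-filter=ACM)
}
```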
