
Magento Security Best Practises - MM17PL


Software development can sometimes be a mess: live database dumps needed for testing lying around, development files being forgotten or accidentally transferred to the live environment, untested code being written and deployed in a hurry. It's easy to mess up and fail, often without noticing for a long time. In this talk we'll have a look at how to bullet-proof your development workflow. It covers best practices and tools you should use in your daily work; they improve the overall security and also speed up software development.

Presentation given on 18th September 2017 at Meet Magento Poland #mm17pl

Published in: Software

  1. #mm17pl, Anna Völkl
  2. Magento Security Best Practices: Best practises and tools to improve the overall security of your Magento shops. Anna Völkl / @rescueAnn
  3. Anna Völkl: Lead Magento Developer, E-CONOMIX, Wels & Linz / Austria, @rescueAnn
  4. http://bouk.co/blog/hacking-developers/ and http://extractdata.club
  5. Who is responsible for security? "I didn't know it had to be secure..."
  6. Source: Zend - The State of PHP in 2017
  7-9. Magento Security Best Practises (https://magento.com/security): Sign up for Magento security alerts. Be prepared. Patch early. Use magereport.com & Magento Security Scan. Monitor for signs of attack.
  10. Magento Security Scan: very detailed report about the security of a Magento shop; currently by invite only, partners; "Magento's official security monitoring service" (John Steer, Head of Product Security at Magento); more official news soon :) Infos: securityinfo@magento.com
  11-16. Recommended Extensions I, Passwords & Login: EW_NativePasswords, MageHackDay_TwoFactorAuth, BranchLabs_AdminPasswordStrength, Shopliebe_PasswordStrength, Ikonoshirt_Pbkdf2
  17-22. Recommended Extensions II, Configuration & Monitoring: Ikonoshirt_StrictTransportSecurity, ET_IpSecurity, FireGento_AdminMonitoring, Nexcessnet_Alarmbell, Mhauri_Slack / Moogento_SlackCommerce
  23-26. Recommended Extensions for M2: creaminternet/module-secure-passwords, Git Status Security Report, MageSpecialist SecuritySuite (Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth)
  27. Who has access to your code? You. Your colleague. Your company. Your GitLab Server. Server. An external developer. GitHub/Bitbucket. Your CodeClimate Integration. Your build/deployment tools.
  29. Isolate Development from Production: reduce unwanted errors, improve security
  30. Dev vs. Testing/Staging vs. Production
  31. No keys in your code, put them in settings files. Don't add the settings files (esp. production) into your repo.
  34. Database dumps I: Because dumping big databases is boring
  35. Remove log data:
        $ n98-magerun.phar db:dump --strip="@stripped"
      Available: @log, @dataflowtemp, @stripped. See: n98-magerun Stripped Database Dumps
  36. Database dumps II: Because you don't need thousands of orders, customers and logs in your dev-environment
  37. Remove sales and customer data:
        $ n98-magerun.phar db:dump --strip="@development"
      Available: @log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development. See: n98-magerun Stripped Database Dumps
  38. Use an environment configuration tool: Because accidentally using the wrong environment is embarrassing
  39. Environment Configuration: LimeSoda_EnvironmentConfiguration, n98-magerun Script, Cti_MagentoConfigurator, HarrisStreet ImpEx
  40. Code analysis: CodeClimate, SensioLabs Insight, Scrutinizer
  41. GrumPHP, a PHP code-quality tool: tests running via git hooks; improve codebase; write better code following best practises; extra packages like sensiolabs/security-checker. https://github.com/phpro/grumphp
  43. Security advisories: https://github.com/FriendsOfPHP/security-advisories. Checking for vulnerabilities: upload composer.lock to https://security.sensiolabs.org; use the web service (curl); use the CLI tool:
        php checker security:check composer.lock
  44. Magento Malware Scanner (https://github.com/gwillem/magento-malware-scanner):
        wget git.io/mwscan.txt
        grep -Erlf mwscan.txt /path/to/magento
  45. Magento Project Mess Detector: https://github.com/AOEpeople/mpmd
  46. Admin password cracking
  47. Warnings on HTTP websites in Google Chrome 62: "As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as 'not secure' right next to their URLs in the address line if they're asking for passwords and credit card details." (engadget.com)
  48. To do: Read & apply Magento Security Best Practises. Sign up for Magento security alerts. Test & check your code and settings. Full HTTPS. Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta
  49. Thanks! Questions? @rescueAnn github.com/avoelkl
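As an added example that is not part of the talk's slides, the following POSIX sh pre-commit hook puts slides 27-33 and 41 into practice: it refuses a commit that stages environment settings files, database dumps or editor leftovers, so credentials and live data never land in the repository. It assumes app/etc/local.xml (Magento 1) and app/etc/env.php (Magento 2) are the settings files that hold the database credentials; the dump and file names used in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): git pre-commit guard that keeps
# settings files with keys/credentials and database dumps out of the repo.
# Assumed credential locations: app/etc/local.xml (Magento 1) and
# app/etc/env.php (Magento 2). Install as .git/hooks/pre-commit.

# check_staged_files PATH... : returns 0 when every path may be committed,
# 1 when at least one must be blocked. Each blocked path is reported on
# stderr with the reason so the developer knows what to fix.
check_staged_files() {
    status=0
    for f in "$@"; do
        case "$f" in
            app/etc/local.xml|app/etc/env.php|.env|*/.env)
                echo "blocked: $f (environment settings file, keep it out of the repo)" >&2
                status=1 ;;
            *.sql|*.sql.gz|*.sql.bz2|*.dump)
                echo "blocked: $f (database dump, keep stripped dumps outside the repo)" >&2
                status=1 ;;
            *.swp|*~|*.orig|*.bak)
                echo "blocked: $f (editor/backup leftover, must not reach production)" >&2
                status=1 ;;
        esac
    done
    return $status
}

# Hook entry point: only runs when git invokes this script as "pre-commit",
# so the function above can also be sourced and used on its own.
if [ "${0##*/}" = "pre-commit" ]; then
    # Paths added, copied or modified in the index for this commit.
    staged=$(git diff --cached --name-only --diff-filter=ACM)
    # Word-splitting on $staged is intended: one path per line, no spaces expected.
    # shellcheck disable=SC2086
    if ! check_staged_files $staged; then
        echo "commit rejected: unstage the files above or add them to .gitignore" >&2
        exit 1
    fi
fi
```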
