
Secure development environment @ Meet Magento Croatia 2017

Software development can sometimes be a mess: live database dumps needed for testing lying around, development files being forgotten or accidentally transferred to the live environment, untested code being written and deployed in a hurry. It's easy to mess up and fail, often without noticing for a long time. In this talk we'll have a look at how to bullet-proof your development workflow. It covers best practices and tools which you should use in your daily work that will improve the overall security and also speed up software development.

http://hr.meet-magento.com/en/speaker/anna-volkl/



  1. Secure development workflow: best practices and tools to improve the overall security of your Magento shops. Anna Völkl / @rescueAnn. Meet Magento Croatia 2017, Anna Völkl / @rescueAnn
  2. Anna Völkl, Lead Magento Developer, E-CONOMIX, Wels / Linz, Austria. @rescueAnn
  3. http://bouk.co/blog/hacking-developers/ http://extractdata.club
  4. Who is responsible for security? "I didn't know it had to be secure..."
  5. Source: Zend - The State of PHP in 2017
  6-8. Magento Security Best Practices (built up over three slides) • https://magento.com/security • Sign up for Magento security alerts • Be prepared • Patch early • Use magereport.com • Monitor for signs of attack
  9-14. Recommended Extensions I: Passwords & Login (built up over six slides) • EW_NativePasswords • MageHackDay_TwoFactorAuth • BranchLabs_AdminPasswordStrength • Shopliebe_PasswordStrength • Ikonoshirt_Pbkdf2
  15-20. Recommended Extensions II: Configuration & Monitoring (built up over six slides) • Ikonoshirt_StrictTransportSecurity • ET_IpSecurity • FireGento_AdminMonitoring • Nexcessnet_Alarmbell • Mhauri_Slack / Moogento_SlackCommerce
  21-25. Recommended Extensions for M2 (built up over five slides) • creaminternet/module-secure-passwords • Git Status Security Report • Xtento Two-Factor Authentication [paid] • Admin Actions Log [paid]
  26. Who has access to your code? You. Your colleague. Your company. Your GitLab server. An external developer. GitHub/Bitbucket. Your CodeClimate integration. Your build/deployment tools.
  28. Isolate development from production: reduce unwanted errors, improve security.
  29. Dev vs. Testing/Staging vs. Production
  30. No keys in your code; put them in settings files. Don't add the settings files (especially the production ones) to your repository.
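The rule on slide 30 is only as good as the check that enforces it. As an added example (not part of the talk and not Magento's own tooling), the git pre-commit hook below refuses a commit when a Magento settings file is staged or when a staged file contains what looks like a hard-coded credential. The blocked paths (app/etc/local.xml for Magento 1, app/etc/env.php for Magento 2, .env files) and the secret regex are assumptions chosen for this example; the hook entry point at the bottom only runs when the file is installed as .git/hooks/pre-commit.

```shell
#!/bin/sh
# Added example: pre-commit hook that keeps settings files and obvious secrets out
# of the repository. Install as .git/hooks/pre-commit (chmod +x).

# Return 1 if any of the given paths is a settings file that must never be committed.
# The path list is an assumption for this example: adjust it to your layout.
blocked_settings_paths() {
    status=0
    for f in "$@"; do
        case "$f" in
            app/etc/local.xml|app/etc/env.php|*.env|.env.*)
                echo "refusing to commit settings file: $f" >&2
                status=1 ;;
        esac
    done
    return $status
}

# Regex for "key-ish name, assignment, quoted token of 16+ chars". Constructed for
# this example; it is a tripwire for copy-pasted credentials, not a full scanner.
Q="'\""
SECRET_RE="(api[_-]?key|secret|password|key)[$Q]?[[:space:]]*(=>|=|:)[[:space:]]*[$Q][A-Za-z0-9+/=_-]{16,}[$Q]"

# Return 0 if the given file contains a match for SECRET_RE, 1 otherwise.
contains_hardcoded_secret() {
    grep -Eqi "$SECRET_RE" "$1"
}

# Hook entry point: inspect added/copied/modified staged files. Skipped when the
# script is sourced under another name (for example when testing the functions).
if [ "${0##*/}" = "pre-commit" ]; then
    staged=$(git diff --cached --name-only --diff-filter=ACM)
    blocked_settings_paths $staged || exit 1
    for f in $staged; do
        if [ -f "$f" ] && contains_hardcoded_secret "$f"; then
            echo "possible hard-coded secret in $f; load it from a settings file or the environment instead" >&2
            exit 1
        fi
    done
fi
```

Pair the hook with a .gitignore entry for the same paths so the settings files are never offered for staging in the first place; the hook then catches the `git add -f` and the credential pasted into a regular source file, which .gitignore cannot.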
  33. Database dumps I: because dumping big databases is boring.
  34. Remove log data: $ n98-magerun.phar db:dump --strip="@stripped" Available: @log, @dataflowtemp, @stripped. See: n98-magerun Stripped Database Dumps
  35. Database dumps II: because you don't need thousands of orders, customers and logs in your dev environment.
  36. Remove sales and customer data: $ n98-magerun.phar db:dump --strip="@development" Available: @log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development. See: n98-magerun Stripped Database Dumps
  37. Use an environment configuration tool, because accidentally using the wrong environment is embarrassing.
  38. Environment configuration • LimeSoda_EnvironmentConfiguration • n98-magerun script • Cti_MagentoConfigurator • HarrisStreet ImpEx
  39. Code analysis • CodeClimate • SensioLabs Insight • Scrutinizer
  40. GrumPHP, a PHP code-quality tool • Tests run via git hooks • Improve the codebase • Write better code following best practices • Extra packages such as sensiolabs/security-checker • https://github.com/phpro/grumphp
  42. Security advisories: https://github.com/FriendsOfPHP/security-advisories. Checking for vulnerabilities • Upload composer.lock to https://security.sensiolabs.org • Use the web service (curl) • Use the CLI tool: security-checker security:check composer.lock. Note: the SensioLabs hosted service and the sensiolabs/security-checker CLI were retired in January 2021; `composer audit` (Composer 2.4 and later) and the local-php-security-checker binary perform the same check against the same advisories database.
  43. Magento Malware Scanner: wget git.io/mwscan.txt then grep -Erlf mwscan.txt /path/to/magento. https://github.com/gwillem/magento-malware-scanner (git.io short links were retired in 2022; fetch the rule file from the repository instead.)
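The scan on slide 43 is a single grep over the code tree with a file of signatures. As an added example (not part of the talk and not the project's own code), the script below wraps that command in a function and runs it against a constructed rule file and a constructed two-file shop tree, so the mechanics can be exercised offline. The three patterns are illustrative stand-ins written for this example, not the real mwscan.txt ruleset; the base64 payload in the planted file decodes to a harmless phpinfo() call.

```shell
#!/bin/sh
# Added example: the grep-based scan from the slide, made reproducible with a
# constructed rule set and a constructed code tree.

# Write a small, constructed rule file (one extended regex per line).
# These are common webshell shapes, NOT the project's signatures.
write_demo_rules() {
    cat > "$1" <<'EOF'
eval\(base64_decode\(
eval\(gzinflate\(
\$_(POST|COOKIE|REQUEST)\[[^]]*\]\(
EOF
}

# Build a throwaway tree: a clean module file and a loader hidden in media/,
# where upload handlers usually drop things. Both files are constructed.
build_demo_tree() {
    mkdir -p "$1/app/code/local/Demo" "$1/media/catalog"
    printf '%s\n' '<?php echo "hello";' > "$1/app/code/local/Demo/Clean.php"
    printf '%s\n' '<?php eval(base64_decode("cGhwaW5mbygpOw=="));' > "$1/media/catalog/.cache.php"
}

# scan_tree RULES DIR: print every file under DIR that matches any rule, sorted.
# -E extended regex, -r recurse (hidden files included), -l names only,
# -f read patterns from RULES. Exit status is sort's, so "no hits" is not an error.
scan_tree() {
    grep -Erlf "$1" "$2" 2>/dev/null | sort
}

# Stand-alone run: create the tree, scan it, print the hits, clean up.
demo() {
    t=$(mktemp -d)
    write_demo_rules "$t/rules.txt"
    build_demo_tree "$t/shop"
    scan_tree "$t/rules.txt" "$t/shop"
    rm -rf "$t"
}

demo
```

Run it against a real tree as `scan_tree mwscan.txt /path/to/magento` with the project's rule file; treat the output as a list of files to inspect, not proof of compromise, since a signature-only grep has both false positives (legitimate obfuscated libraries) and false negatives (anything the rule set has not seen).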
  44. Magento Project Mess Detector: https://github.com/AOEpeople/mpmd
  45. Admin password cracking
  46. To do • Read & apply the Magento Security Best Practices • Sign up for Magento security alerts • Test & check your code and settings • Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono
  47. Hvala! (Thank you!) Questions? @rescueAnn github.com/avoelkl