magento security best practises - mm17pl

#mm17pl, Anna Völkl

Magento Security Best PracticesBest practises and tools to improve the overall security of your Magento shopsAnna Völkl / @rescueAnn

Anna Völkl! Lead Magento Developer! E-CONOMIX! Wels & Linz / Austria@rescueAnn

http://bouk.co/blog/hacking-developers/http://extractdata.club

Who is responsible for security?"I didn't know it had to be secure..."

Source: Zend - The State of PHP in 2017#mm17pl, Anna Völkl

Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts

• Be prepared

• Be prepared• Patch early &• Use magereport.com & Magento Security Scan

• Be prepared• Patch early• Use magereport.com & Magento Security Scan• Monitor for Signs of Attack

Magento Security Scan• very detailed report about security of a Magento shop• currently by invite only, partners• ,,Magento’s official security monitoring service'' (John Steer, Head of

Product Security at Magento)• more official news soon :)

Infos: ! securityinfo@magento.com

Recommended Extensions IPasswords & Login!

Recommended Extensions IPasswords & Login• EW_NativePasswords

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength• Ikonoshirt_Pbkdf2

Recommended Extensions IIConfiguration & Monitoring!

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell• Mhauri_Slack / Moogento_SlackCommerce

Recommended Extensions for M2!

Recommended Extensions for M2• creaminternet/module-secure-passwords

Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report

Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report• MageSpecialist SecuritySuite

• Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth

Who has access to your code?You.Your colleague.Your company.Your GitLab Server Server.An external developer.GitHub/BitbucketYour CodeClimate Integration.Your build/deployment tools.#mm17pl, Anna Völkl

Isolate Development from Productionreduce unwanted errors,improve security

Dev vs. Testing/Staging vs. Production

No keys in your code, put them in settings files.Don't add the settings files (esp. production) into your repo.

Database dumps IBecause dumping big databases is boring

Remove log data$ n98-magerun.phar db:dump --strip="@stripped"

Available:@log, @dataflowtemp, @stripped

See: n98-magerun Stripped Database Dumps

Database dumps IIBecause you don't need thousands of orders, customers and logs in your dev-environment

Remove sales and customer data$ n98-magerun.phar db:dump --strip="@development"

Available:@log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development

See: n98-magerun Stripped Database Dumps

Use an environment configuration toolBecause accidentally using the wrong environment is embarrassing

Environment Configuration• LimeSoda_EnvironmentConfiguration• n98-magerun Script• Cti_MagentoConfigurator• HarrisStreet ImpEx

Code analysis• CodeClimate• SensioLabs Insight• Scrutinizer

GrumPHPA PHP code-quality tool• Tests running via git hooks• improve codebase• write better code following best

practises

• Extra packages like sensiolabs/security-checker

! https://github.com/phpro/grumphp

Security advisorieshttps://github.com/FriendsOfPHP/security-advisories

Checking for Vulnerabilities• Upload composer.lock to https://security.sensiolabs.org• Use web service (curl)

• Use CLI tool php checker security:check composer.lock

Magento Malware Scannerwget git.io/mwscan.txtgrep -Erlf mwscan.txt /path/to/magento

https://github.com/gwillem/magento-malware-scanner

Magento Project Mess Detector

https://github.com/AOEpeople/mpmd#mm17pl, Anna Völkl

Admin password cracking

Warnings on HTTP websites in Google Chrome 62As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details.— engadget.com

! More Info#mm17pl, Anna Völkl

To do! Read & apply Magento Security Best Practises! Sign up for Magento security alerts! Test & check your code and settings! Full HTTPS! Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta

Thanks!Questions?@rescueAnngithub.com/avoelkl

magento security best practises - mm17pl

Software

global hr practises

mysql security best practises

environmental practises in helsinki,

5 smart tips to enhance security of your magento 2 store

malnutrition. knowlegde attitude and practises regarding...

best practises - germanwatch

best practises ria

xcelsius best practises[1]

netapp snapmirror best practises

andrea zwirner - magento security and hardening strategies

081007- requirement practises - agile

construction practises

ufone hrm practises

applying rspec best practises

magento website security report

hacked? what now? · • apply magento security patches •...

magento application security [en]

best practises in dfpcl

magento security best practises - mm17de

vmware - best practises