Magento Security Best Practises - MM17PL
#mm17pl, Anna Völkl
Magento Security Best Practices
Best practises and tools to improve the overall security of your Magento shops
Anna Völkl / @rescueAnn
Anna Völkl
• Lead Magento Developer
• E-CONOMIX
• Wels & Linz / Austria
@rescueAnn
http://bouk.co/blog/hacking-developers/
http://extractdata.club
Who is responsible for security?
"I didn't know it had to be secure..."
Source: Zend - The State of PHP in 2017
Magento Security Best Practises
• https://magento.com/security
• Sign up for Magento security alerts

• Be prepared
• Patch early
• Use magereport.com & Magento Security Scan
• Monitor for Signs of Attack
Magento Security Scan
• very detailed report about the security of a Magento shop
• currently by invite only, partners
• "Magento's official security monitoring service" (John Steer, Head of Product Security at Magento)
• more official news soon :)
Infos: [email protected]
Recommended Extensions I: Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
• BranchLabs_AdminPasswordStrength
• Shopliebe_PasswordStrength
• Ikonoshirt_Pbkdf2
Recommended Extensions II: Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
• FireGento_AdminMonitoring
• Nexcessnet_Alarmbell
• Mhauri_Slack / Moogento_SlackCommerce
Recommended Extensions for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• MageSpecialist SecuritySuite
  • Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth
Who has access to your code?
You.
Your colleague.
Your company.
Your GitLab server.
An external developer.
GitHub/Bitbucket.
Your CodeClimate integration.
Your build/deployment tools.
Isolate Development from Production
reduce unwanted errors, improve security
Dev vs. Testing/Staging vs. Production
No keys in your code, put them in settings files.
Don't add the settings files (esp. production) into your repo.
Database dumps I
Because dumping big databases is boring
Remove log data
$ n98-magerun.phar db:dump --strip="@stripped"
Available: @log, @dataflowtemp, @stripped
See: n98-magerun Stripped Database Dumps
Database dumps II
Because you don't need thousands of orders, customers and logs in your dev environment
Remove sales and customer data
$ n98-magerun.phar db:dump --strip="@development"
Available: @log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development
See: n98-magerun Stripped Database Dumps
Use an environment configuration tool
Because accidentally using the wrong environment is embarrassing
Environment Configuration
• LimeSoda_EnvironmentConfiguration
• n98-magerun Script
• Cti_MagentoConfigurator
• HarrisStreet ImpEx
Code analysis
• CodeClimate
• SensioLabs Insight
• Scrutinizer
GrumPHP
A PHP code-quality tool
• Tests running via git hooks
• improve codebase
• write better code following best practises
• Extra packages like sensiolabs/security-checker
https://github.com/phpro/grumphp
Security advisories
https://github.com/FriendsOfPHP/security-advisories
Checking for Vulnerabilities
• Upload composer.lock to https://security.sensiolabs.org
• Use the web service (curl)
• Use the CLI tool: php checker security:check composer.lock
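As an added example (not from the talk or from the security-checker project): an offline version of the composer.lock check, matching locked package versions against an affected range written in the ">=x, <y" shape used by FriendsOfPHP/security-advisories entries. The advisory, the package name and the lock file contents are constructed for illustration.

```python
# Added example: an offline version of the composer.lock check, using the
# ">=x, <y" range shape of FriendsOfPHP/security-advisories entries.
import json
import re

# Constructed advisory: package name, title and affected range are made up.
SAMPLE_ADVISORIES = {
    "example/payment-module": [
        {"title": "constructed advisory", "versions": [">=1.0.0", "<1.2.5"]},
    ],
}

# Constructed composer.lock excerpt with only the fields the check reads.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/payment-module", "version": "v1.2.3"},
    {"name": "example/other-lib", "version": "2.0.0"},
]})

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse_version(version):
    """'v1.2.3' or '1.2.3.0' -> 4-tuple of ints; None for branches like 'dev-master'."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)$", version)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def satisfies(version, constraints):
    """True when every constraint (e.g. '>=1.0.0', '<1.2.5') holds for version."""
    v = parse_version(version)
    if v is None:
        return False  # a dev branch cannot be compared numerically; review it by hand
    for c in constraints:
        m = re.match(r"^(>=|<=|>|<|=)?\s*v?(\d+(?:\.\d+)*)$", c)
        if not m:
            raise ValueError("unsupported constraint: " + c)
        if not _OPS[m.group(1) or "="](v, parse_version(m.group(2))):
            return False
    return True

def check_lock(lock_json, advisories):
    """Return [(package, version, title)] for each locked package in an affected range."""
    hits = []
    for pkg in json.loads(lock_json).get("packages", []):
        for adv in advisories.get(pkg["name"], []):
            if satisfies(pkg["version"], adv["versions"]):
                hits.append((pkg["name"], pkg["version"], adv["title"]))
    return hits
```

Running check_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES) reports the 1.2.3 package as affected and leaves the 2.0.0 one alone; the hosted checker does the same lookup against the real advisory database.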
Magento Malware Scanner
wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento
https://github.com/gwillem/magento-malware-scanner
Magento Project Mess Detector
https://github.com/AOEpeople/mpmd
Admin password cracking
Warnings on HTTP websites in Google Chrome 62
"As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details." — engadget.com
To do
• Read & apply Magento Security Best Practises
• Sign up for Magento security alerts
• Test & check your code and settings
• Full HTTPS
• Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta