Secure development environment @ Meet Magento Croatia 2017

Post on 21-Mar-2017


transcript

Secure development workflow
Best practices and tools to improve the overall security of your Magento shops
Anna Völkl / @rescueAnn

Meet Magento Croatia 2017, Anna Völkl / @rescueAnn

Anna Völkl
Lead Magento Developer
E-CONOMIX
Wels, Linz / Austria
@rescueAnn


http://bouk.co/blog/hacking-developers/
http://extractdata.club


Who is responsible for security?
"I didn't know it had to be secure..."


Source: Zend - The State of PHP in 2017

Magento Security Best Practices
! https://magento.com/security
! Sign up for Magento security alerts

• Be prepared
• Patch early
• Use magereport.com
• Monitor for signs of attack

Recommended Extensions I
Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
• BranchLabs_AdminPasswordStrength
• Shopliebe_PasswordStrength
• Ikonoshirt_Pbkdf2

Recommended Extensions II
Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
• FireGento_AdminMonitoring
• Nexcessnet_Alarmbell
• Mhauri_Slack / Moogento_SlackCommerce

Recommended Extensions for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• Xtento Two-Factor Authentication [paid]
• Admin Actions Log [paid]

Who has access to your code?
You.
Your colleague.
Your company.
Your GitLab server.
An external developer.
GitHub/Bitbucket.
Your CodeClimate integration.
Your build/deployment tools.

Isolate Development from Production
Reduce unwanted errors, improve security

Dev vs. Testing/Staging vs. Production


No keys in your code, put them in settings files.
Don't add the settings files (esp. production) into your repo.

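One way to enforce the "settings files stay out of the repo" rule from the slide above, as an added example that is not part of the talk: a git pre-commit hook that rejects the commit when a Magento settings file is staged. app/etc/local.xml (Magento 1) and app/etc/env.php (Magento 2) are the standard locations; the .env and key/certificate patterns are assumptions for typical deploy setups.

```shell
#!/bin/sh
# Added example, not from the talk: a git pre-commit hook that refuses to commit
# the Magento settings files that hold database and API credentials.
# app/etc/local.xml (Magento 1) and app/etc/env.php (Magento 2) are the standard
# locations; the .env and key/certificate patterns are an assumption.

# blocked_paths: reads one path per line on stdin, prints the paths that must
# stay out of the repository, returns 0 if none matched and 1 otherwise.
blocked_paths() {
    found=0
    while IFS= read -r path; do
        case "$path" in
            app/etc/local.xml|app/etc/env.php|.env|*/.env|*.pem|*.key)
                printf '%s\n' "$path"
                found=1 ;;
        esac
    done
    return "$found"
}

# check_staged: inspect the files staged for the current commit and block the
# commit when any of them is a settings or credential file.
check_staged() {
    if ! git diff --cached --name-only --diff-filter=ACM | blocked_paths; then
        echo "pre-commit: the settings/credential files listed above must not be committed" >&2
        echo "            keep them in deploy-time configuration outside the repository" >&2
        return 1
    fi
}

# Installed as .git/hooks/pre-commit the script is invoked under that name and
# runs the check; under any other name it only defines the functions above.
case "${0##*/}" in
    pre-commit) check_staged ;;
esac
```

Copy the script to .git/hooks/pre-commit and make it executable; it then runs on every commit in that clone.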

Database dumps I
Because dumping big databases is boring

Remove log data:
$ n98-magerun.phar db:dump --strip="@stripped"

Available: @log, @dataflowtemp, @stripped

See: n98-magerun Stripped Database Dumps

Database dumps II
Because you don't need thousands of orders, customers and logs in your dev environment

Remove sales and customer data:
$ n98-magerun.phar db:dump --strip="@development"

Available: @log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development

See: n98-magerun Stripped Database Dumps
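A check to run on the stripped dump before it leaves the production host, as an added example that is not part of the talk or of n98-magerun: it lists every customer, sales or log table that still has INSERT rows in the dump. The table prefixes are the Magento 1 defaults; which groups your --strip option actually covers is an assumption, so align the list with the groups you use.

```shell
#!/bin/sh
# Added example, not from the talk: verify that a dump produced with
# n98-magerun db:dump --strip="@development" really carries no rows of the
# customer, sales and log tables before it is copied to a developer machine.
# The prefixes are the Magento 1 default table names; the mapping from strip
# groups to prefixes is an assumption, adjust it to the groups you use.
STRIPPED_PREFIXES='customer_ sales_ log_ dataflow_'

# leaked_tables FILE: print each stripped table that still has INSERT rows in
# the dump; return 0 when the dump is clean, 1 when data leaked through.
leaked_tables() {
    dump="$1"
    leaked=$(sed -n 's/^INSERT INTO `\([A-Za-z0-9_]*\)`.*/\1/p' "$dump" | sort -u |
        while IFS= read -r table; do
            for prefix in $STRIPPED_PREFIXES; do
                case "$table" in
                    "$prefix"*) printf '%s\n' "$table"; break ;;
                esac
            done
        done)
    if [ -z "$leaked" ]; then
        return 0
    fi
    printf '%s\n' "$leaked"
    return 1
}

# Constructed sample dump (not real data): the table definition may stay,
# configuration rows may stay, a customer row must not be there.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CREATE TABLE `customer_entity` (`entity_id` int(10) unsigned NOT NULL);
INSERT INTO `core_config_data` VALUES (1,'default',0,'web/unsecure/base_url','http://shop.example/');
INSERT INTO `customer_entity` VALUES (42,1,'jane@example.test');
EOF
if leaked_tables "$sample"; then
    echo "dump is clean, safe to hand out"
else
    echo "dump still contains rows from stripped tables, do not hand it out" >&2
fi
rm -f "$sample"
```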

Use an environment configuration tool
Because accidentally using the wrong environment is embarrassing

Environment Configuration
• LimeSoda_EnvironmentConfiguration
• n98-magerun Script
• Cti_MagentoConfigurator
• HarrisStreet ImpEx

Code analysis
• CodeClimate
• SensioLabs Insight
• Scrutinizer

GrumPHP
A PHP code-quality tool
• Tests running via git hooks
• Improve the codebase
• Write better code following best practices
• Extra packages like sensiolabs/security-checker

! https://github.com/phpro/grumphp

Security advisories
https://github.com/FriendsOfPHP/security-advisories

Checking for vulnerabilities
• Upload composer.lock to https://security.sensiolabs.org
• Use the web service (curl)
• Use the CLI tool: php checker security:check composer.lock

Magento Malware Scanner
wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento

https://github.com/gwillem/magento-malware-scanner

Magento Project Mess Detector

https://github.com/AOEpeople/mpmd

Admin password cracking


To do
! Read & apply the Magento Security Best Practices
! Sign up for Magento security alerts
! Test & check your code and settings
! Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono

Thank you!
Questions?
@rescueAnn
github.com/avoelkl