Magento Application Security - de.meet- · PDF fileSecurity Testing I • PHPSniffer •...

Date post: 06-Feb-2018
Magento Application Security Anna Völkl / @rescueAnn
Transcript
Page 1: Magento Application Security - de.meet- · PDF fileSecurity Testing I • PHPSniffer • Magento ECG Coding Standard • Dependencies: –Sensio Labs: check composer.lock. Security

Magento Application Security

Anna Völkl / @rescueAnn

Page 2

Anna Völkl

• @rescueAnn

• Magento Certified Developer

• PHP since 2004

• Magento since 2011

• IT & Telecommunications (BSc), IT Security (MSc)

• LimeSoda (Wien, AT)

Page 3

Security technology. Department of Defense Computer Security Initiative. Source: http://csrc.nist.gov/publications/history/nissc/1980-2nd-seminar-proceedings.pdf (page 40)

Page 4

Page 5

Page 6

Magento application security

Logins & passwords

Admin backend protected

SSL installed

Page 7

Magento application security

Logins & passwords

Admin backend protected

SSL installed

...and a lot more!

Page 8

Magento application security

• Software lifecycle

• Web server

• Database

• Users

• Versioning & deployment

• Firewall

• File permissions

• Web application firewall

• Requirements

• Updates & patches

• Logins / passwords

• Programming / software design

• Decommissioning

• Configuration files

• Extensions / 3rd party

Page 9

Source: http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

Page 10

Security

● Confidentiality

● Integrity

● Availability

Page 11

Insecure software

• No time

• No knowledge

• No priorities

– Performance

– SEO

– New features

Page 12

Potential attackers

• (Organised) crime

• Defacers

• Script kiddies

• Disgruntled employees, developers

• Competitors

• The customer / shop owner themselves

Page 13

Interest?!

• Payment data

• Customer data

• Personal gain

• Harming competitors

Page 14

The most common web application risks

• A1: Injection

• A2: Broken Authentication and Session Management

• A3: Cross-Site Scripting (XSS)

• A4: Insecure Direct Object References

• A5: Security Misconfiguration

OWASP Top 10, 2013

Page 15

Security risks for web applications, OWASP Top 10 2013

Source: https://www.owasp.org/images/4/42/OWASP_Top_10_2013_DE_Version_1_0.pdf, adapted version

Page 17

Secure Coding Principles: Minimise attack surface

Every added feature increases the security risk

Page 18

Secure Coding Principles: Secure defaults

Secure configuration "out of the box"

Reduction (where permitted) by the user/customer

Page 19

Secure Coding Principles: Least privilege

Actions are performed with the minimum rights required

(user rights, file permissions, ...)

Page 20

Secure Coding Principles: Fail securely

Fail secure vs. fail safe

The art of failing

Page 21

Secure Coding Principles: Don't trust services

3rd party

Page 22

Secure Coding Principles: Don't trust input

Verify what you expect

Expect the unexpected

Page 23

Secure Coding Principles: Don't trust input

Longest place name (single word)

Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu (New Zealand, 85 letters)

Page 24

Secure Coding Principles: Don't trust input

Longest place name (several words)

Krung Thep Mahanakhon Amon Rattanakosin Mahinthara Yuthaya Mahadilok Phop Noppharat Ratchathani Burirom Udomratchaniwet Mahasathan Amon Piman Awatan Sathit Sakkathattiya Witsanukam Prasit (Bangkok, 176 letters)

Page 25

Secure Coding Principles: Security by obscurity

Security through ignorance?

Page 26

Secure Coding Principles: KISS

Keep security simple

Simplicity vs. complexity

Page 27

Secure Coding Principles: Fix security bugs properly

Understand the root cause of the problem

Identify other places with the same problem

Write tests

Page 28

...and now?

Page 29

Requirements

Functional & non-functional requirements

Page 30

Secure Coding I

• Be curious: question everything

• Secure coding guidelines

– OWASP Secure Coding Practices

Source: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

Page 31

Secure Coding II

• Validators for input

– Client

– Server (the client-side check is a convenience; only the server-side check counts)

• Expected input: whitelist vs. blacklist filter

• Is the action allowed?

– User: access to this resource?

– Admin: Mage::getSingleton('admin/session')->isAllowed('admin/sales/order/actions/create');
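The following is an added example, not code from the slides or from Magento itself. It puts the ACL check from the last bullet where Magento 1.x expects it (`_isAllowed()`, which `Mage_Adminhtml_Controller_Action::preDispatch()` calls before any action) and shows the other two bullets in the same controller: server-side whitelist validation of every parameter, plus a length bound on free text, which is the point the place-name slides make. The module name `Example_Orders`, the controller name and the parameters `order_id`, `status` and `comment` are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): a Magento 1.x adminhtml controller that
 * gates every action on an ACL resource, whitelists its input and checks the
 * session form key on state-changing POSTs.
 * Hypothetical names: module Example_Orders, parameters order_id/status/comment.
 */
class Example_Orders_Adminhtml_OrdernoteController extends Mage_Adminhtml_Controller_Action
{
    /** Whitelist: the only values accepted for the "status" parameter. */
    private static $_allowedStatuses = array('pending', 'processing', 'complete');

    /** Upper bound for free text; "expect the unexpected" includes 176-letter inputs. */
    const MAX_COMMENT_LENGTH = 2000;

    /**
     * Called by Mage_Adminhtml_Controller_Action::preDispatch() before every
     * action of this controller; returning false forwards to the "denied" page.
     * Same check as on the slide, in its usual place.
     */
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')
            ->isAllowed('admin/sales/order/actions/create');
    }

    public function saveAction()
    {
        $request = $this->getRequest();

        // State-changing requests must be POST and carry the session form key
        // (CSRF); JavaScript validation in the form is a usability aid only.
        if (!$request->isPost()
            || $request->getParam('form_key') !== Mage::getSingleton('core/session')->getFormKey()
        ) {
            return $this->_deny('Invalid request.');
        }

        // Verify what you expect: a positive integer, nothing else.
        $orderId = $request->getParam('order_id');
        $intValidator = new Zend_Validate_Int();
        if (!$intValidator->isValid($orderId) || (int)$orderId <= 0) {
            return $this->_deny('Invalid order id.');
        }

        // Whitelist instead of blacklist: unknown values are rejected outright.
        $status = $request->getParam('status');
        if (!in_array($status, self::$_allowedStatuses, true)) {
            return $this->_deny('Unknown order status.');
        }

        // Free text: bound the length (multibyte-aware) and drop control
        // characters; HTML escaping belongs at output time, not here.
        $comment = (string)$request->getParam('comment', '');
        if (Mage::helper('core/string')->strlen($comment) > self::MAX_COMMENT_LENGTH) {
            return $this->_deny('Comment too long.');
        }
        $comment = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/u', '', $comment);

        // The referenced object must actually exist (insecure direct object
        // references, OWASP A4); a valid-looking id is not proof of that.
        $order = Mage::getModel('sales/order')->load((int)$orderId);
        if (!$order->getId()) {
            return $this->_deny('Order not found.');
        }

        $order->addStatusHistoryComment($comment, $status);
        $order->save();

        $this->_getSession()->addSuccess($this->__('Comment saved.'));
        return $this->_redirect('*/sales_order/view', array('order_id' => $order->getId()));
    }

    /** Fail securely: every rejected input takes the same, uninformative path. */
    private function _deny($message)
    {
        $this->_getSession()->addError($this->__($message));
        return $this->_redirect('*/*/');
    }
}
```

Note that the ACL resource string has to exist in the module's `etc/adminhtml.xml`; if it does not, `isAllowed()` returns false for everyone, which is the failure mode you want.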

Page 32

Security Testing I

• PHP_CodeSniffer (phpcs)

• Magento ECG Coding Standard (a phpcs ruleset)

• Dependencies:

– Sensio Labs: check composer.lock for dependencies with known vulnerabilities

Page 33

Security Testing II

• Scrutinizer CI

• Code Climate

• SensioLabsInsight

Screenshot: https://codeclimate.com/github/magento/magento2/issues/categories/security

Screenshot: https://insight.sensiolabs.com/projects/8e8f25ba-d5d0-4a51-8527-7b0a911a88e2/analyses/4

Page 34

No access to

• .git, .git/config

• composer.lock

• the default /admin path

• /downloader

• app/etc/local.xml

• log files

• phpinfo.php

• database dumps: livedb.sql.gz
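One way to enforce the list above on a Magento 1 document root, as an added example that is not part of the slides or of Magento: an nginx server fragment that answers 404 for every item and only ever executes the known PHP entry points. Everything concrete in it is an assumption to replace with your own values: the root `/var/www/magento`, PHP-FPM on `127.0.0.1:9000`, an admin frontname renamed to `backend-7f3a` in `app/etc/local.xml`, and `203.0.113.0/24` as the trusted admin network. Blocking `/admin` only makes sense once the frontname has been renamed; otherwise you lock yourself out.

```nginx
# Added example (not from the slides): deny the paths listed on this slide.
# Assumed: root /var/www/magento, PHP-FPM on 127.0.0.1:9000, admin frontname
# renamed to "backend-7f3a" in app/etc/local.xml, 203.0.113.0/24 trusted.
server {
    listen 443 ssl;
    server_name shop.example;
    root /var/www/magento;
    index index.php;
    # ssl_certificate / ssl_certificate_key omitted (assumed configured)

    # nginx ignores the .htaccess files Magento 1 ships for Apache (app/, var/,
    # lib/, includes/, ...), so every directory-level deny is repeated here.
    # Regex locations match in order of appearance: deny rules first, PHP last.

    # Version control metadata (.git, .git/config) and all other dot-files.
    # Add a "location ^~ /.well-known/" exception if you use ACME challenges.
    location ~ /\. { return 404; }

    # Dependency manifests, database dumps (livedb.sql.gz), backups, editor files.
    location ~* (composer\.(json|lock)|\.sql(\.gz|\.bz2|\.zip)?|\.(bak|old|orig|swp|tgz|zip|7z))$ {
        return 404;
    }

    # Magento internals: configuration (app/etc/local.xml), logs (var/log),
    # sessions, reports and library code are never served directly.
    location ~* ^/(app|includes|lib|pkginfo|shell|dev|var)/ { return 404; }
    location = /report/config.xml { return 404; }

    # Web-based Magento Connect downloader: off unless actively in use.
    location ~* ^/downloader(/|$) { return 404; }

    # Stray diagnostics such as phpinfo.php; real entry points are listed below.
    location ~* ^/(phpinfo|info|test)\.php$ { return 404; }

    # Default admin frontname: 404, so scanners find nothing where they look.
    location ~* ^/(index\.php/)?admin(/|$) { return 404; }

    # Renamed backend, trusted network only. try_files is used instead of
    # "rewrite ... last" because a rewrite restarts location matching before
    # the access phase, which would skip allow/deny entirely.
    location ~* ^/(index\.php/)?backend-7f3a(/|$) {
        allow 203.0.113.0/24;
        deny all;
        try_files $uri /index.php$is_args$args;
    }

    # Storefront: static files if they exist, otherwise the front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    # /index.php/some/route/ -> /index.php (Magento routes on REQUEST_URI)
    location ~ \.php/ { rewrite ^(.*\.php)/ $1 last; }

    # Execute only the known Magento entry points. install.php and cron.php
    # are not web-facing; any other .php (e.g. an upload under media/) is 404.
    location ~ ^/(index|get|api)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param MAGE_RUN_CODE default;
        fastcgi_param MAGE_RUN_TYPE store;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ \.php$ { return 404; }
}
```

After deploying, check from outside with `curl -sI https://shop.example/app/etc/local.xml`, `.../.git/config`, `.../admin/` and `.../livedb.sql.gz`: each must return 404, and only the renamed backend from the trusted network should reach the login form.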

Page 35

Operations

• Magento

– Updates

– Security patches

• Web server, PHP, ...

– Current versions

Page 36

On a current note

• SUPEE-5344

• Magento Community Edition 1.9.1.1 & Enterprise Edition 1.14.2 include SUPEE-5344

• Magento Shoplift Bug Tester: https://shoplift.byte.nl

• Announcement: Magento Alert Registry

Image: https://shoplift.byte.nl/

Page 37

Leave your code a little more secure (better) every time than you found it.