Date post: | 17-Mar-2018 |
Category: |
Software |
Upload: | anna-voelkl |
View: | 1,005 times |
Download: | 4 times |
#mm17pl, Anna Völkl
Magento Security Best PracticesBest practises and tools to improve the overall security of your Magento shopsAnna Völkl / @rescueAnn
#mm17pl, Anna Völkl
Anna Völkl! Lead Magento Developer! E-CONOMIX! Wels & Linz / Austria@rescueAnn
#mm17pl, Anna Völkl
http://bouk.co/blog/hacking-developers/http://extractdata.club
#mm17pl, Anna Völkl
Who is responsible for security?"I didn't know it had to be secure..."
#mm17pl, Anna Völkl
Source: Zend - The State of PHP in 2017#mm17pl, Anna Völkl
Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts
• Be prepared
#mm17pl, Anna Völkl
Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts
• Be prepared• Patch early &• Use magereport.com & Magento Security Scan
#mm17pl, Anna Völkl
Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts
• Be prepared• Patch early• Use magereport.com & Magento Security Scan• Monitor for Signs of Attack
#mm17pl, Anna Völkl
Magento Security Scan• very detailed report about security of a Magento shop• currently by invite only, partners• ,,Magento’s official security monitoring service'' (John Steer, Head of
Product Security at Magento)• more official news soon :)
Infos: ! [email protected]
#mm17pl, Anna Völkl
Recommended Extensions IPasswords & Login!
#mm17pl, Anna Völkl
Recommended Extensions IPasswords & Login• EW_NativePasswords
#mm17pl, Anna Völkl
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth
#mm17pl, Anna Völkl
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength
#mm17pl, Anna Völkl
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength
#mm17pl, Anna Völkl
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength• Ikonoshirt_Pbkdf2
#mm17pl, Anna Völkl
Recommended Extensions IIConfiguration & Monitoring!
#mm17pl, Anna Völkl
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity
#mm17pl, Anna Völkl
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity
#mm17pl, Anna Völkl
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring
#mm17pl, Anna Völkl
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell
#mm17pl, Anna Völkl
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell• Mhauri_Slack / Moogento_SlackCommerce
#mm17pl, Anna Völkl
Recommended Extensions for M2!
#mm17pl, Anna Völkl
Recommended Extensions for M2• creaminternet/module-secure-passwords
#mm17pl, Anna Völkl
Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report
#mm17pl, Anna Völkl
Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report• MageSpecialist SecuritySuite
• Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth
#mm17pl, Anna Völkl
Who has access to your code?You.Your colleague.Your company.Your GitLab Server Server.An external developer.GitHub/BitbucketYour CodeClimate Integration.Your build/deployment tools.#mm17pl, Anna Völkl
#mm17pl, Anna Völkl
Isolate Development from Productionreduce unwanted errors,improve security
#mm17pl, Anna Völkl
Dev vs. Testing/Staging vs. Production
#mm17pl, Anna Völkl
No keys in your code, put them in settings files.Don't add the settings files (esp. production) into your repo.
#mm17pl, Anna Völkl
#mm17pl, Anna Völkl
#mm17pl, Anna Völkl
Database dumps IBecause dumping big databases is boring
#mm17pl, Anna Völkl
Remove log data$ n98-magerun.phar db:dump --strip="@stripped"
Available:@log, @dataflowtemp, @stripped
See: n98-magerun Stripped Database Dumps
#mm17pl, Anna Völkl
Database dumps IIBecause you don't need thousands of orders, customers and logs in your dev-environment
#mm17pl, Anna Völkl
Remove sales and customer data$ n98-magerun.phar db:dump --strip="@development"
Available:@log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development
See: n98-magerun Stripped Database Dumps
#mm17pl, Anna Völkl
Use an environment configuration toolBecause accidentally using the wrong environment is embarrassing
#mm17pl, Anna Völkl
Environment Configuration• LimeSoda_EnvironmentConfiguration• n98-magerun Script• Cti_MagentoConfigurator• HarrisStreet ImpEx
#mm17pl, Anna Völkl
Code analysis• CodeClimate• SensioLabs Insight• Scrutinizer
#mm17pl, Anna Völkl
GrumPHPA PHP code-quality tool• Tests running via git hooks• improve codebase• write better code following best
practises
• Extra packages like sensiolabs/security-checker
! https://github.com/phpro/grumphp
#mm17pl, Anna Völkl
#mm17pl, Anna Völkl
Security advisorieshttps://github.com/FriendsOfPHP/security-advisories
Checking for Vulnerabilities• Upload composer.lock to https://security.sensiolabs.org• Use web service (curl)
• Use CLI tool php checker security:check composer.lock
#mm17pl, Anna Völkl
Magento Malware Scannerwget git.io/mwscan.txtgrep -Erlf mwscan.txt /path/to/magento
https://github.com/gwillem/magento-malware-scanner
#mm17pl, Anna Völkl
Magento Project Mess Detector
https://github.com/AOEpeople/mpmd#mm17pl, Anna Völkl
Admin password cracking
#mm17pl, Anna Völkl
Warnings on HTTP websites in Google Chrome 62As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details.— engadget.com
! More Info#mm17pl, Anna Völkl
To do! Read & apply Magento Security Best Practises! Sign up for Magento security alerts! Test & check your code and settings! Full HTTPS! Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta
#mm17pl, Anna Völkl
#mm17pl, Anna Völkl