magento security best practises - mm17de
Post on 17-Mar-2018
1.072 Views
Preview:
TRANSCRIPT
Magento Security Best PracticesBest practises and tools to improve the overall security of your Magento shopsAnna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn
Anna Völkl! Lead Magento Developer! E-CONOMIX! Wels & Linz / Austria@rescueAnn
#mm17de, Anna Völkl / @rescueAnn
http://bouk.co/blog/hacking-developers/http://extractdata.club
#mm17de, Anna Völkl / @rescueAnn
Who is responsible for security?"I didn't know it had to be secure..."
#mm17de, Anna Völkl / @rescueAnn
Source: Zend - The State of PHP in 2017#mm17de, Anna Völkl / @rescueAnn
Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts
• Be prepared
#mm17de, Anna Völkl / @rescueAnn
Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts
• Be prepared• Patch early &• Use magereport.com
#mm17de, Anna Völkl / @rescueAnn
Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts
• Be prepared• Patch early• Use magereport.com• Monitor for Signs of Attack
#mm17de, Anna Völkl / @rescueAnn
Magento Security Scan• very detailed report about security of a Magento shop• not public• Beta will begin in early June• multiple testing cycles throughout the summer• possible release in Q3-Q4 2017
Infos: ! securityinfo@magento.com#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IPasswords & Login!
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IPasswords & Login• EW_NativePasswords
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength• Ikonoshirt_Pbkdf2
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IIConfiguration & Monitoring!
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell• Mhauri_Slack / Moogento_SlackCommerce
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions for M2!
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions for M2• creaminternet/module-secure-passwords
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report
#mm17de, Anna Völkl / @rescueAnn
Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report• MageSpecialist SecuritySuite
• Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth
#mm17de, Anna Völkl / @rescueAnn
Who has access to your code?You.Your colleague.Your company.Your GitLab Server Server.An external developer.GitHub/BitbucketYour CodeClimate Integration.Your build/deployment tools.#mm17de, Anna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn
Isolate Development from Productionreduce unwanted errors,improve security
#mm17de, Anna Völkl / @rescueAnn
Dev vs. Testing/Staging vs. Production
#mm17de, Anna Völkl / @rescueAnn
No keys in your code, put them in settings files.Don't add the settings files (esp. production) into your repo.
#mm17de, Anna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn
Database dumps IBecause dumping big databases is boring
#mm17de, Anna Völkl / @rescueAnn
Remove log data$ n98-magerun.phar db:dump --strip="@stripped"
Available:@log, @dataflowtemp, @stripped
See: n98-magerun Stripped Database Dumps
#mm17de, Anna Völkl / @rescueAnn
Database dumps IIBecause you don't need thousands of orders, customers and logs in your dev-environment
#mm17de, Anna Völkl / @rescueAnn
Remove sales and customer data$ n98-magerun.phar db:dump --strip="@development"
Available:@log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development
See: n98-magerun Stripped Database Dumps
#mm17de, Anna Völkl / @rescueAnn
Use an environment configuration toolBecause accidentally using the wrong environment is embarrassing
#mm17de, Anna Völkl / @rescueAnn
Environment Configuration• LimeSoda_EnvironmentConfiguration• n98-magerun Script• Cti_MagentoConfigurator• HarrisStreet ImpEx
#mm17de, Anna Völkl / @rescueAnn
Code analysis• CodeClimate• SensioLabs Insight• Scrutinizer
#mm17de, Anna Völkl / @rescueAnn
GrumPHPA PHP code-quality tool• Tests running via git hooks• improve codebase• write better code following best
practises
• Extra packages like sensiolabs/security-checker
! https://github.com/phpro/grumphp
#mm17de, Anna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn
Security advisorieshttps://github.com/FriendsOfPHP/security-advisories
Checking for Vulnerabilities• Upload composer.lock to https://security.sensiolabs.org• Use web service (curl)
• Use CLI tool php checker security:check composer.lock
#mm17de, Anna Völkl / @rescueAnn
Magento Malware Scannerwget git.io/mwscan.txtgrep -Erlf mwscan.txt /path/to/magento
https://github.com/gwillem/magento-malware-scanner
#mm17de, Anna Völkl / @rescueAnn
Magento Project Mess Detector
https://github.com/AOEpeople/mpmd#mm17de, Anna Völkl / @rescueAnn
Admin password cracking
#mm17de, Anna Völkl / @rescueAnn
Warnings on HTTP websites in Google Chrome 62As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details.— engadget.com
! More Info#mm17de, Anna Völkl / @rescueAnn
To do! Read & apply Magento Security Best Practises! Sign up for Magento security alerts! Test & check your code and settings! Full HTTPS! Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta
#mm17de, Anna Völkl / @rescueAnn
Thanks!Questions?@rescueAnngithub.com/avoelkl
#mm17de, Anna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn
top related