Magento Security Best Practises - MM17DE

Magento Security Best PracticesBest practises and tools to improve the overall security of your Magento shopsAnna Völkl / @rescueAnn

#mm17de, Anna Völkl / @rescueAnn

Anna Völkl! Lead Magento Developer! E-CONOMIX! Wels & Linz / Austria@rescueAnn


http://bouk.co/blog/hacking-developers/http://extractdata.club


Who is responsible for security?"I didn't know it had to be secure..."


Source: Zend - The State of PHP in 2017#mm17de, Anna Völkl / @rescueAnn

https://www.zend.com/2017/devpulse-state-of-php/rw_the_state_of_php_in_2017.pdf

Magento Security Best Practises! https://magento.com/security! Sign up for Magento security alerts

• Be prepared


https://magento.com/security


• Be prepared• Patch early &• Use magereport.com



http://www.magereport.com


• Be prepared• Patch early• Use magereport.com• Monitor for Signs of Attack



http://www.magereport.com

Magento Security Scan• very detailed report about security of a Magento shop• not public• Beta will begin in early June• multiple testing cycles throughout the summer• possible release in Q3-Q4 2017

Infos: ! [email protected]#mm17de, Anna Völkl / @rescueAnn

Recommended Extensions IPasswords & Login!


Recommended Extensions IPasswords & Login• EW_NativePasswords


https://github.com/ericthehacker/magento-phpnativepasswords

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth



https://github.com/magento-hackathon/Magento-Two-factor-Authentication

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength




https://github.com/BranchLabs/magento-admin-password-strength-enforcer

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength





https://www.magentocommerce.com/magento-connect/configurable-password-strength.html

Recommended Extensions IPasswords & Login• EW_NativePasswords• MageHackDay_TwoFactorAuth• BranchLabs_AdminPasswordStrength• Shopliebe_PasswordStrength• Ikonoshirt_Pbkdf2





https://www.magentocommerce.com/magento-connect/configurable-password-strength.html

https://github.com/ikonoshirt/pbkdf2

Recommended Extensions IIConfiguration & Monitoring!


Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity


https://github.com/ikonoshirt/StrictTransportSecurity

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity



https://shop.etwebsolutions.com/eng/magento-extensions/et-ip-security.html

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring




https://github.com/firegento/firegento-adminmonitoring

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell





https://github.com/nexcess/magento-alarmbell

Recommended Extensions IIConfiguration & Monitoring• Ikonoshirt_StrictTransportSecurity• ET_IpSecurity• FireGento_AdminMonitoring• Nexcessnet_Alarmbell• Mhauri_Slack / Moogento_SlackCommerce





https://github.com/nexcess/magento-alarmbell

https://github.com/mhauri/magento-slack

https://moogento.com/slackcommerce

Recommended Extensions for M2!


Recommended Extensions for M2• creaminternet/module-secure-passwords


https://bitbucket.org/creaminternet/module-securepasswords

Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report



https://marketplace.magento.com/customerparadigm-gitstatus.html

Recommended Extensions for M2• creaminternet/module-secure-passwords• Git Status Security Report• MageSpecialist SecuritySuite

• Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth



https://marketplace.magento.com/customerparadigm-gitstatus.html

https://github.com/magespecialist/m2-MSP_SecuritySuiteFull

Who has access to your code?You.Your colleague.Your company.Your GitLab Server Server.An external developer.GitHub/BitbucketYour CodeClimate Integration.Your build/deployment tools.#mm17de, Anna Völkl / @rescueAnn


Isolate Development from Productionreduce unwanted errors,improve security


Dev vs. Testing/Staging vs. Production


No keys in your code, put them in settings files.Don't add the settings files (esp. production) into your repo.




Database dumps IBecause dumping big databases is boring


Remove log data$ n98-magerun.phar db:dump --strip="@stripped"

Available:@log, @dataflowtemp, @stripped

See: n98-magerun Stripped Database Dumps


https://github.com/netz98/n98-magerun/wiki/Stripped-Database-Dumps

Database dumps IIBecause you don't need thousands of orders, customers and logs in your dev-environment


Remove sales and customer data$ n98-magerun.phar db:dump --strip="@development"

Available:@log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development

See: n98-magerun Stripped Database Dumps


https://github.com/netz98/n98-magerun/wiki/Stripped-Database-Dumps

Use an environment configuration toolBecause accidentally using the wrong environment is embarrassing


Environment Configuration• LimeSoda_EnvironmentConfiguration• n98-magerun Script• Cti_MagentoConfigurator• HarrisStreet ImpEx


https://github.com/LimeSoda/LimeSoda_EnvironmentConfiguration

https://github.com/netz98/n98-magerun#n98-magerun-script

https://github.com/ctidigital/magento-configurator

https://github.com/Zookal/HarrisStreet-ImpEx

Code analysis• CodeClimate• SensioLabs Insight• Scrutinizer


https://codeclimate.com/

https://insight.sensiolabs.com/

https://scrutinizer-ci.com/

GrumPHPA PHP code-quality tool• Tests running via git hooks• improve codebase• write better code following best

practises

• Extra packages like sensiolabs/security-checker

! https://github.com/phpro/grumphp


https://github.com/phpro/grumphp


Security advisorieshttps://github.com/FriendsOfPHP/security-advisories

Checking for Vulnerabilities• Upload composer.lock to https://security.sensiolabs.org• Use web service (curl)

• Use CLI tool php checker security:check composer.lock


https://github.com/FriendsOfPHP/security-advisories

Magento Malware Scannerwget git.io/mwscan.txtgrep -Erlf mwscan.txt /path/to/magento

https://github.com/gwillem/magento-malware-scanner


Magento Project Mess Detector

https://github.com/AOEpeople/mpmd#mm17de, Anna Völkl / @rescueAnn

https://github.com/AOEpeople/mpmd

Admin password cracking


Warnings on HTTP websites in Google Chrome 62As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details.— engadget.com

! More Info#mm17de, Anna Völkl / @rescueAnn

https://www.engadget.com/2017/04/28/chrome-http-not-secure-warning/

To do! Read & apply Magento Security Best Practises! Sign up for Magento security alerts! Test & check your code and settings! Full HTTPS! Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta


https://magento.com/security/best-practices

[email protected]/avoelkl



Software

Magento Security Best Practises - MM17DE