Secure development environment @ Meet Magento Croatia 2017

Secure development
workflow
Best practises and tools to improve the overall
security of your Magento shops
Anna Völkl / @rescueAnn
Meet Magento Croatia 2017, Anna Völkl / @rescueAnn

Anna Völkl
! Lead Magento Developer
! E-CONOMIX
! Wels, Linz / Austria
@rescueAnn

http://bouk.co/blog/hacking-developers/
http://extractdata.club

Who is responsible for
security?
"I didn't know it had to be secure..."

Source: Zend - The State of PHP in 2017

Magento Security Best Practises
! https://magento.com/security
! Sign up for Magento security alerts
• Be prepared

• Be prepared
• Patch early &
• Use magereport.com

• Be prepared
• Patch early
• Use magereport.com
• Monitor for Signs of Attack

Recommended Extensions I
Passwords & Login
!

Passwords & Login
• EW_NativePasswords

Passwords & Login
• MageHackDay_TwoFactorAuth

Passwords & Login
• BranchLabs_AdminPasswordStrength

Passwords & Login
• Shopliebe_PasswordStrength

Passwords & Login
• Shopliebe_PasswordStrength
• Ikonoshirt_Pbkdf2

Recommended Extensions II
Configuration & Monitoring
!

• Ikonoshirt_StrictTransportSecurity

• ET_IpSecurity

• ET_IpSecurity
• FireGento_AdminMonitoring

• ET_IpSecurity
• Nexcessnet_Alarmbell

• ET_IpSecurity
• Nexcessnet_Alarmbell
• Mhauri_Slack / Moogento_SlackCommerce

Recommended Extensions
for M2
!

for M2
• creaminternet/module-secure-passwords

for M2
• Git Status Security Report

for M2
• Xtento Two-Factor Authentication [paid]

for M2
• Xtento Two-Factor Authentication [paid]
• Admin Actions Log [paid]

Who has access to your
code?
You.
Your colleague.
Your company.
Your GitLab Server Server.
An external developer.
GitHub/Bitbucket
Your CodeClimate Integration.
Your build/deployment tools.

Isolate Development
from Production
reduce unwanted errors,
improve security

Dev vs. Testing/
Staging vs. Production

No keys in your code, put them in
settings files.
Don't add the settings files (esp. production) into your repo.

Database dumps I
Because dumping big databases is boring

Remove log data$ n98-magerun.phar db:dump --strip="@stripped"
Available:
@log, @dataflowtemp, @stripped
See: n98-magerun Stripped Database Dumps

Database dumps II
Because you don't need thousands of
orders, customers and logs in your
dev-environment

Remove sales and customer data
$ n98-magerun.phar db:dump --strip="@development"
Available:
@log, @dataflowtemp, @stripped, @sales, @customers, @trade,
@development
See: n98-magerun Stripped Database Dumps

Use an environment
configuration tool
Because accidentally using the
wrong environment is embarrassing

Environment Configuration
• LimeSoda_EnvironmentConfiguration
• n98-magerun Script
• Cti_MagentoConfigurator
• HarrisStreet ImpEx

Code analysis
• CodeClimate
• SensioLabs Insight
• Scrutinizer

GrumPHP
A PHP code-quality
tool
• Tests running via git hooks
• improve codebase
• write better code following best
practises
• Extra packages like sensiolabs/
security-checker
! https://github.com/phpro/grumphp

Security advisories
https://github.com/FriendsOfPHP/security-advisories
Checking for Vulnerabilities
• Upload composer.lock to https://security.sensiolabs.org
• Use web service (curl)
• Use CLI tool php checker security:check composer.lock

Magento Malware Scanner
wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento
https://github.com/gwillem/magento-malware-scanner

Magento Project Mess Detector
https://github.com/AOEpeople/mpmd

Admin password cracking

To do
! Read & apply Magento Security Best Practises
! Test & check your code and settings
! Follow @piotrekkaminski, @gwillem, @_Talesh,
@pete_cags, @PeterJaap, @Fabian_ikono

Hvala!
Questions?
@rescueAnn
github.com/avoelkl

Secure development environment @ Meet Magento Croatia 2017

Related slideshows

More Related Content

Secure development environment @ Meet Magento Croatia 2017