Secure development environment @ Meet Magento Croatia 2017
- 2. Anna Völkl
! Lead Magento Developer
! E-CONOMIX
! Wels, Linz / Austria
@rescueAnn
Meet Magento Croatia 2017, Anna Völkl / @rescueAnn
- 4. Who is responsible for security?
"I didn't know it had to be secure..."
- 5. Source: Zend - The State of PHP in 2017
- 8. Magento Security Best Practices
! https://magento.com/security
! Sign up for Magento security alerts
• Be prepared
• Patch early
• Use magereport.com
• Monitor for Signs of Attack
- 14. Recommended Extensions I
Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
• BranchLabs_AdminPasswordStrength
• Shopliebe_PasswordStrength
• Ikonoshirt_Pbkdf2
- 20. Recommended Extensions II
Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
• FireGento_AdminMonitoring
• Nexcessnet_Alarmbell
• Mhauri_Slack / Moogento_SlackCommerce
- 25. Recommended Extensions
for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• Xtento Two-Factor Authentication [paid]
• Admin Actions Log [paid]
- 26. Who has access to your code?
You.
Your colleague.
Your company.
Your GitLab server.
An external developer.
GitHub/Bitbucket.
Your CodeClimate Integration.
Your build/deployment tools.
- 30. Keep keys and credentials out of your code; put them in settings files.
Don't commit the settings files (especially the production ones) to your repo.
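Added example (not from the talk): a git pre-commit hook in shell that enforces the two rules above, refusing a commit that stages a Magento settings file or staged content that looks like a credential. It assumes the settings files live at app/etc/local.xml (Magento 1) and app/etc/env.php (Magento 2); the credential patterns, the blocklist and the function names are constructed for this example and should be extended per project.

```shell
#!/bin/sh
# Added example, not code from the talk. Copy to .git/hooks/pre-commit and
# make it executable. Assumed settings paths: app/etc/local.xml (Magento 1),
# app/etc/env.php (Magento 2).

# Paths that must never enter the repository (constructed list, extend it).
BLOCKED_PATH_RE='^(app/etc/local\.xml|app/etc/env\.php|\.env)$'

# Content that indicates a credential pasted into code or config (constructed):
#  - any <password> element (local.xml style, CDATA or not)
#  - 'password' => '...' (env.php style)
#  - an AWS access key id, or a PEM private key header
SECRET_RE="<password>.+</password>|'password'[[:space:]]*=>[[:space:]]*'[^']+'|AKIA[0-9A-Z]{16}|BEGIN [A-Z ]*PRIVATE KEY"

# Returns 0 if any of the given paths is a blocked settings file, 1 otherwise.
blocked_path_staged() {
    for p in "$@"; do
        if printf '%s\n' "$p" | grep -Eq "$BLOCKED_PATH_RE"; then
            echo "refusing to commit settings file: $p" >&2
            return 0
        fi
    done
    return 1
}

# Returns 0 if the file (or stdin when given "-") matches a secret pattern.
content_has_secret() {
    grep -Eq "$SECRET_RE" "$1"
}

# Hook entry point: checks the staged paths and the *staged* blob of each file
# (git show :path), not the working tree copy. Paths with spaces are not handled.
precommit_check() {
    staged=$(git diff --cached --name-only --diff-filter=AM)
    # shellcheck disable=SC2086
    if blocked_path_staged $staged; then return 1; fi
    for f in $staged; do
        if git show ":$f" | content_has_secret -; then
            echo "possible credential in staged file: $f" >&2
            return 1
        fi
    done
    return 0
}

# Only act when invoked by git as the pre-commit hook.
case "$0" in
    */pre-commit) precommit_check || exit 1 ;;
esac
```

The hook inspects what is actually staged, so a developer cannot bypass it by keeping a clean working copy while the index still carries the file; it can still be skipped with `git commit --no-verify`, which is why the same check should also run in CI on the pushed tree.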
- 34. Remove log data
$ n98-magerun.phar db:dump --strip="@stripped"
Available:
@log, @dataflowtemp, @stripped
See: n98-magerun Stripped Database Dumps
- 35. Database dumps II
Because you don't need thousands of orders, customers and logs in your dev environment.
- 36. Remove sales and customer data
$ n98-magerun.phar db:dump --strip="@development"
Available:
@log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development
See: n98-magerun Stripped Database Dumps
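Added example (not from the talk): a shell check that verifies a dump really carries no rows for the tables you meant to strip, before it leaves the production host. It applies to both commands above (the @stripped dump on slide 34 and the @development dump on slide 36). The table list uses the Magento 1 names (customer_entity, sales_flat_order, log_visitor, ...) and is an assumption to adapt for Magento 2; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the talk or from n98-magerun.
# Assumed table names are the Magento 1 ones; extend the list for your shop.

# Tables whose rows must never appear in a development dump.
STRIPPED_TABLES='customer_entity customer_address_entity sales_flat_order sales_flat_order_address sales_flat_quote log_visitor log_url'

# Prints each listed table that still has INSERT statements in the dump.
# Exit status 0 when the dump is clean, 1 when data leaked through.
leaked_tables() {   # arg: path to a plain-text SQL dump
    dump=$1
    status=0
    for t in $STRIPPED_TABLES; do
        # mysqldump writes one "INSERT INTO `table` VALUES (...)" per row batch;
        # a stripped table keeps its CREATE TABLE but must have no INSERT.
        if grep -q "^INSERT INTO \`$t\` " "$dump"; then
            echo "$t"
            status=1
        fi
    done
    return $status
}

# Full procedure: dump with the @development group, then refuse to hand over
# a file that still contains stripped tables' rows.
make_dev_dump() {   # arg: output file name
    n98-magerun.phar db:dump --strip="@development" "$1" || return 1
    if leaked_tables "$1"; then
        echo "dump is clean: $1" >&2
    else
        echo "dump still contains customer/sales data, not shipping it" >&2
        rm -f "$1"
        return 1
    fi
}
```

Run make_dev_dump from the Magento root on the server that holds the data; leaked_tables alone works on any dump you have been handed, which is the useful direction when the file arrives from someone else.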
- 40. GrumPHP
A PHP code-quality tool
• Tests run via git hooks
• Improve your codebase
• Write better code following best practices
• Extra packages like sensiolabs/security-checker
! https://github.com/phpro/grumphp
- 43. Magento Malware Scanner
# fetch the current signature list (one extended regex per line)
wget git.io/mwscan.txt
# recursively list every file under the Magento root that matches a signature
grep -Erlf mwscan.txt /path/to/magento
https://github.com/gwillem/magento-malware-scanner
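Added example (not from the talk and not part of the mwscan project): a shell wrapper around the grep above that you can call from cron or a deployment step. It excludes cache, media and .git trees (which are large and never hold shop code) and the signature file itself, and turns grep's exit status into a clean/infected result. The signature list written here is a small constructed one for the example; in practice pass the downloaded mwscan.txt.

```shell
#!/bin/sh
# Added example, not code from the talk or from the mwscan project.

# Writes a small CONSTRUCTED signature list (extended regexes, one per line)
# so the example runs offline. Real scans use the downloaded mwscan.txt.
write_sample_signatures() {   # arg: output file
    cat > "$1" <<'EOF'
eval\(base64_decode\(
eval\(gzinflate\(
\$_POST\[[^]]+\][[:space:]]*\(
EOF
}

# Lists files under the Magento root that match any signature.
# Exit 0 if at least one file matched (infected), 1 if the tree is clean,
# 2 on a grep error (unreadable path, bad regex).
scan_for_signatures() {   # args: signature file, magento root
    sigs=$1
    root=$2
    grep -Erlf "$sigs" \
        --exclude-dir=cache --exclude-dir=media --exclude-dir=.git \
        --exclude="$(basename "$sigs")" \
        "$root"
}

# Cron-style wrapper: prints a one-line verdict and the matching files.
scan_report() {   # args: signature file, magento root
    if hits=$(scan_for_signatures "$1" "$2"); then
        echo "ALERT: signature matches in $2:"
        echo "$hits"
        return 1
    fi
    echo "clean: no signature matches in $2"
    return 0
}
```

A match is a lead, not a verdict: compare the flagged file against the version in your repository (a tracked file that differs from HEAD is the interesting case) before cleaning anything.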
- 44. Magento Project Mess Detector
https://github.com/AOEpeople/mpmd
- 46. To do
! Read & apply the Magento Security Best Practices
! Sign up for Magento security alerts
! Test & check your code and settings
! Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono