Software development can sometimes be a mess: live database dumps needed for testing lying around, development files being forgotten or accidentally transferred to the live environment, untested code being written and deployed in a hurry. It’s easy to mess up and fail, often without noticing for a long time. In this talk we’ll have a look at how to bullet-proof your development workflow. It covers best practices and tools which you should use in your daily work that will improve the overall security and also speed up software development.
Presentation given on 18th September 2017 at Meet Magento Poland #mm17pl
2. Magento Security Best Practices
Best practises and tools to improve the overall security of your Magento shops
Anna Völkl / @rescueAnn
#mm17pl, Anna Völkl
3. Anna Völkl
• Lead Magento Developer
• E-CONOMIX
• Wels & Linz / Austria
@rescueAnn
5. Who is responsible for security?
"I didn't know it had to be secure..."
6. Source: Zend - The State of PHP in 2017
9. Magento Security Best Practises
• https://magento.com/security
• Sign up for Magento security alerts
• Be prepared
• Patch early
• Use magereport.com & Magento Security Scan
• Monitor for Signs of Attack
10. Magento Security Scan
• very detailed report about the security of a Magento shop
• currently by invite only, partners
• "Magento's official security monitoring service" (John Steer, Head of Product Security at Magento)
• more official news soon :)
Info:
• securityinfo@magento.com
26. Recommended Extensions for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• MageSpecialist SecuritySuite
  • Two Factor Auth, User lockout, reCaptcha, Admin IP restriction, Digest Auth
27. Who has access to your code?
You.
Your colleague.
Your company.
Your GitLab server.
An external developer.
GitHub/Bitbucket.
Your CodeClimate integration.
Your build/deployment tools.
41. GrumPHP: A PHP code-quality tool
• Tests running via git hooks
• improve codebase
• write better code following best practises
• Extra packages like sensiolabs/security-checker
• https://github.com/phpro/grumphp
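As an added example that is not part of the talk, here is a small POSIX shell check in the spirit of the git-hook tests above: it picks up the kind of leftovers named at the start (live database dumps, forgotten development files) and fails before they are committed or deployed. The file-name patterns and the directory layout are assumptions, not anything the talk prescribes.

```shell
#!/bin/sh
# Added example, not from the talk: a pre-commit / pre-deploy check that
# blocks the leftovers mentioned in the talk (database dumps, editor/backup
# copies, local environment files) from reaching a live Magento docroot.
# The pattern list is an assumption; extend it for your own project.

# Lists offending files under $1; returns 0 when clean, 1 when something
# was found, so it can gate a git hook or a deployment step.
check_leftovers() {
    docroot=$1
    matches=$(find "$docroot" -type f \( \
        -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.zip' \
        -o -name '*.bak' -o -name '*.swp' -o -name '*.orig' \
        -o -name 'phpinfo.php' -o -name '.env' \) 2>/dev/null)
    if [ -n "$matches" ]; then
        printf 'leftover files found, refusing to continue:\n%s\n' "$matches" >&2
        return 1
    fi
    return 0
}

# Self-contained demo on a constructed temporary tree (sample data, not a
# real shop): a clean tree passes, a forgotten dump in var/ is caught.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/etc" "$tmp/var"
    printf '<?php return [];\n' > "$tmp/app/etc/env.php"
    check_leftovers "$tmp" && echo "clean tree: OK"
    printf 'INSERT INTO customer_entity VALUES (...);\n' > "$tmp/var/live-dump.sql"
    check_leftovers "$tmp" || echo "dirty tree: blocked as expected"
    rm -rf "$tmp"
}

demo
```

Installed as a git pre-commit hook it runs `check_leftovers .` against the working tree; the same function can gate a deployment step.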
47. Warnings on HTTP websites in Google Chrome 62
As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details.
— engadget.com
48. To do
• Read & apply Magento Security Best Practises
• Sign up for Magento security alerts
• Test & check your code and settings
• Full HTTPS
• Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta