Software development can sometimes be a mess: live database dumps needed for testing lying around, development files being forgotten or accidentally transferred to the live environment, untested code being written and deployed in a hurry. It’s easy to mess up and fail, often without noticing for a long time. In this talk we’ll have a look at how to bullet-proof your development workflow. It covers best practices and tools which you should use in your daily work that will improve the overall security and also speed up software development.

1. Magento Security Best
Practices
Best practises and tools to improve the overall
security of your Magento shops
Anna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn

2. Anna Völkl
! Lead Magento Developer
! E-CONOMIX
! Wels & Linz / Austria
@rescueAnn
#mm17de, Anna Völkl / @rescueAnn

3. http://bouk.co/blog/hacking-developers/
http://extractdata.club
#mm17de, Anna Völkl / @rescueAnn

4. Who is responsible for
security?
"I didn't know it had to be secure..."
#mm17de, Anna Völkl / @rescueAnn

5. Source: Zend - The State of PHP in 2017
#mm17de, Anna Völkl / @rescueAnn

6. Magento Security Best Practises
! https://magento.com/security
! Sign up for Magento security alerts
• Be prepared
#mm17de, Anna Völkl / @rescueAnn

7. Magento Security Best Practises
! https://magento.com/security
! Sign up for Magento security alerts
• Be prepared
• Patch early &
• Use magereport.com
#mm17de, Anna Völkl / @rescueAnn

8. Magento Security Best Practises
! https://magento.com/security
! Sign up for Magento security alerts
• Be prepared
• Patch early
• Use magereport.com
• Monitor for Signs of Attack
#mm17de, Anna Völkl / @rescueAnn

9. Magento Security Scan
• very detailed report about security of a Magento shop
• not public
• Beta will begin in early June
• multiple testing cycles throughout the summer
• possible release in Q3-Q4 2017
Infos:
! securityinfo@magento.com
#mm17de, Anna Völkl / @rescueAnn

10. Recommended Extensions I
Passwords & Login
!
#mm17de, Anna Völkl / @rescueAnn

11. Recommended Extensions I
Passwords & Login
• EW_NativePasswords
#mm17de, Anna Völkl / @rescueAnn

12. Recommended Extensions I
Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
#mm17de, Anna Völkl / @rescueAnn

13. Recommended Extensions I
Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
• BranchLabs_AdminPasswordStrength
#mm17de, Anna Völkl / @rescueAnn

14. Recommended Extensions I
Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
• BranchLabs_AdminPasswordStrength
• Shopliebe_PasswordStrength
#mm17de, Anna Völkl / @rescueAnn

15. Recommended Extensions I
Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
• BranchLabs_AdminPasswordStrength
• Shopliebe_PasswordStrength
• Ikonoshirt_Pbkdf2
#mm17de, Anna Völkl / @rescueAnn

16. Recommended Extensions II
Configuration & Monitoring
!
#mm17de, Anna Völkl / @rescueAnn

17. Recommended Extensions II
Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
#mm17de, Anna Völkl / @rescueAnn

18. Recommended Extensions II
Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
#mm17de, Anna Völkl / @rescueAnn

19. Recommended Extensions II
Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
• FireGento_AdminMonitoring
#mm17de, Anna Völkl / @rescueAnn

20. Recommended Extensions II
Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
• FireGento_AdminMonitoring
• Nexcessnet_Alarmbell
#mm17de, Anna Völkl / @rescueAnn

21. Recommended Extensions II
Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
• FireGento_AdminMonitoring
• Nexcessnet_Alarmbell
• Mhauri_Slack / Moogento_SlackCommerce
#mm17de, Anna Völkl / @rescueAnn

22. Recommended Extensions
for M2
!
#mm17de, Anna Völkl / @rescueAnn

23. Recommended Extensions
for M2
• creaminternet/module-secure-passwords
#mm17de, Anna Völkl / @rescueAnn

24. Recommended Extensions
for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
#mm17de, Anna Völkl / @rescueAnn

25. Recommended Extensions
for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• MageSpecialist SecuritySuite
• Two Factor Auth, User lockout, reCaptcha, Admin IP restriction,
Digest Auth
#mm17de, Anna Völkl / @rescueAnn

26. Who has access to your
code?
You.
Your colleague.
Your company.
Your GitLab Server Server.
An external developer.
GitHub/Bitbucket
Your CodeClimate Integration.
Your build/deployment tools.
#mm17de, Anna Völkl / @rescueAnn

27. #mm17de, Anna Völkl / @rescueAnn

28. Isolate Development
from Production
reduce unwanted errors,
improve security
#mm17de, Anna Völkl / @rescueAnn

29. Dev vs. Testing/
Staging vs. Production
#mm17de, Anna Völkl / @rescueAnn

30. No keys in your code, put them in
settings files.
Don't add the settings files (esp. production) into your repo.
#mm17de, Anna Völkl / @rescueAnn

31. #mm17de, Anna Völkl / @rescueAnn

32. #mm17de, Anna Völkl / @rescueAnn

33. Database dumps I
Because dumping big databases is boring
#mm17de, Anna Völkl / @rescueAnn

34. Remove log data$ n98-magerun.phar db:dump --strip="@stripped"
Available:
@log, @dataflowtemp, @stripped
See: n98-magerun Stripped Database Dumps
#mm17de, Anna Völkl / @rescueAnn

35. Database dumps II
Because you don't need thousands of
orders, customers and logs in your
dev-environment
#mm17de, Anna Völkl / @rescueAnn

36. Remove sales and customer data
$ n98-magerun.phar db:dump --strip="@development"
Available:
@log, @dataflowtemp, @stripped, @sales, @customers, @trade,
@development
See: n98-magerun Stripped Database Dumps
#mm17de, Anna Völkl / @rescueAnn

37. Use an environment
configuration tool
Because accidentally using the
wrong environment is embarrassing
#mm17de, Anna Völkl / @rescueAnn

38. Environment Configuration
• LimeSoda_EnvironmentConfiguration
• n98-magerun Script
• Cti_MagentoConfigurator
• HarrisStreet ImpEx
#mm17de, Anna Völkl / @rescueAnn

39. Code analysis
• CodeClimate
• SensioLabs Insight
• Scrutinizer
#mm17de, Anna Völkl / @rescueAnn

40. GrumPHP
A PHP code-quality
tool
• Tests running via git hooks
• improve codebase
• write better code following best
practises
• Extra packages like sensiolabs/
security-checker
! https://github.com/phpro/grumphp
#mm17de, Anna Völkl / @rescueAnn

41. #mm17de, Anna Völkl / @rescueAnn

42. Security advisories
https://github.com/FriendsOfPHP/security-advisories
Checking for Vulnerabilities
• Upload composer.lock to https://security.sensiolabs.org
• Use web service (curl)
• Use CLI tool php checker security:check composer.lock
#mm17de, Anna Völkl / @rescueAnn

43. Magento Malware Scanner
wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento
https://github.com/gwillem/magento-malware-scanner
#mm17de, Anna Völkl / @rescueAnn

44. Magento Project Mess Detector
https://github.com/AOEpeople/mpmd
#mm17de, Anna Völkl / @rescueAnn

45. Admin password cracking
#mm17de, Anna Völkl / @rescueAnn

46. Warnings on HTTP websites
in Google Chrome 62
As part of Google's quest to compel all websites to use the more
secure HTTPS protocol, Chrome 62 will flash more warnings when you
visit HTTP sites. A few months ago, Chrome 56 (rightly) started
labeling unencrypted sites as "not secure" right next to their URLs in
the address line if they're asking for passwords and credit card details.
— engadget.com
! More Info
#mm17de, Anna Völkl / @rescueAnn

47. To do
! Read & apply Magento Security Best Practises
! Sign up for Magento security alerts
! Test & check your code and settings
! Full HTTPS
! Follow @piotrekkaminski, @gwillem, @_Talesh,
@pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta
#mm17de, Anna Völkl / @rescueAnn

48. Thanks!
Questions?
@rescueAnn
github.com/avoelkl
#mm17de, Anna Völkl / @rescueAnn

49. #mm17de, Anna Völkl / @rescueAnn