Software development can sometimes be a mess: live database dumps needed for testing lying around, development files being forgotten or accidentally transferred to the live environment, untested code being written and deployed in a hurry. It’s easy to mess up and fail, often without noticing for a long time. In this talk we’ll have a look at how to bullet-proof your development workflow. It covers best practices and tools which you should use in your daily work that will improve the overall security and also speed up software development.
1. Magento Security Best Practices
Best practices and tools to improve the overall security of your Magento shops
Anna Völkl / @rescueAnn
#mm17de, Anna Völkl / @rescueAnn
2. Anna Völkl
• Lead Magento Developer
• E-CONOMIX
• Wels & Linz / Austria
@rescueAnn
4. Who is responsible for security?
"I didn't know it had to be secure..."
5. Source: Zend - The State of PHP in 2017
8. Magento Security Best Practices
• https://magento.com/security
• Sign up for Magento security alerts
• Be prepared
• Patch early
• Use magereport.com
• Monitor for signs of attack
9. Magento Security Scan
• Very detailed report about the security of a Magento shop
• Not public
• Beta will begin in early June
• Multiple testing cycles throughout the summer
• Possible release in Q3-Q4 2017
Info:
• securityinfo@magento.com
25. Recommended Extensions for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• MageSpecialist SecuritySuite
  • Two-factor auth, user lockout, reCAPTCHA, admin IP restriction, digest auth
26. Who has access to your code?
You.
Your colleague.
Your company.
Your GitLab server.
An external developer.
GitHub/Bitbucket.
Your CodeClimate integration.
Your build/deployment tools.
40. GrumPHP: a PHP code-quality tool
• Tests run via git hooks
• Improve the codebase
• Write better code following best practices
• Extra packages like sensiolabs/security-checker
• https://github.com/phpro/grumphp
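Added example, not taken from the slides or from the GrumPHP project itself: a minimal grumphp.yml that wires the points on this slide into the git pre-commit hook, so that a commit is refused when a syntax error, a coding-standard violation, a dependency with a published advisory, or a debugging leftover is staged. Task names and options are assumed to follow the GrumPHP 0.x configuration format that was current in 2017 (a `parameters:` top-level key); the blacklisted keywords are a constructed list to adapt to your own project.

```yaml
# grumphp.yml, placed in the project root next to composer.json.
# `composer require --dev phpro/grumphp` installs the pre-commit hook;
# every commit is then blocked until all tasks below pass.
parameters:
    git_dir: .
    bin_dir: vendor/bin
    tasks:
        # Syntax-check every staged PHP file before it can be committed.
        phplint: ~
        # Coding-standard check (PSR-2 here; swap in the Magento standard if you use it).
        phpcs:
            standard: PSR2
            ignore_patterns:
                - vendor/
        # Runs sensiolabs/security-checker against composer.lock and fails the
        # commit if any installed package has a known vulnerability.
        securitychecker: ~
        # Refuse commits that still contain debugging leftovers (constructed list).
        git_blacklist:
            keywords:
                - "var_dump("
                - "print_r("
                - "die("
                - "xdebug_break("
```

The securitychecker task expects sensiolabs/security-checker to be installed as a dev dependency alongside GrumPHP; because it reads composer.lock, the check fires on every commit that touches dependencies rather than only when someone remembers to run it by hand.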
46. Warnings on HTTP websites in Google Chrome 62
As part of Google's quest to compel all websites to use the more secure HTTPS protocol, Chrome 62 will flash more warnings when you visit HTTP sites. A few months ago, Chrome 56 (rightly) started labeling unencrypted sites as "not secure" right next to their URLs in the address line if they're asking for passwords and credit card details.
— engadget.com
• More Info
47. To do
• Read & apply Magento Security Best Practices
• Sign up for Magento security alerts
• Test & check your code and settings
• Full HTTPS
• Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono, @RicTempesta