Software development can sometimes be a mess: live database dumps needed for testing lying around, development files forgotten or accidentally transferred to the live environment, untested code written and deployed in a hurry. It's easy to mess up and fail, often without noticing for a long time. In this talk we'll look at how to bullet-proof your development workflow. It covers best practices and tools you should use in your daily work that improve overall security and also speed up software development.
http://hr.meet-magento.com/en/speaker/anna-volkl/
Secure development environment @ Meet Magento Croatia 2017
1. Secure development workflow
Best practices and tools to improve the overall security of your Magento shops
Anna Völkl / @rescueAnn
Meet Magento Croatia 2017, Anna Völkl / @rescueAnn
2. Anna Völkl
• Lead Magento Developer
• E-CONOMIX
• Wels, Linz / Austria
@rescueAnn
4. Who is responsible for security?
"I didn't know it had to be secure..."
5. Source: Zend - The State of PHP in 2017
8. Magento Security Best Practices
• https://magento.com/security
• Sign up for Magento security alerts
• Be prepared
• Patch early
• Use magereport.com
• Monitor for signs of attack
25. Recommended Extensions for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• Xtento Two-Factor Authentication [paid]
• Admin Actions Log [paid]
26. Who has access to your code?
You.
Your colleague.
Your company.
Your GitLab server.
An external developer.
GitHub/Bitbucket
Your CodeClimate Integration.
Your build/deployment tools.
30. No keys in your code, put them in settings files.
Don't add the settings files (esp. production) into your repo.
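One way to enforce the two rules on this slide inside the workflow, added here as an example that is not part of the talk: a POSIX-shell pre-commit check that refuses to commit the Magento 2 settings files and refuses any staged file containing a credential-looking assignment. The blocked paths (app/etc/env.php, .env, auth.json) and the regular expression are assumptions to adapt to your project.

```shell
#!/bin/sh
# Added example (not from the talk): git pre-commit guard for settings files
# and hard-coded credentials. Paths and the pattern below are assumptions.

# Settings files that must never enter the repository (assumed Magento 2 layout).
BLOCKED_PATHS='app/etc/env.php
.env
auth.json'

# is_blocked_path FILE -> returns 0 if FILE is on the blocklist
is_blocked_path() {
    for _b in $BLOCKED_PATHS; do
        if [ "$1" = "$_b" ]; then
            return 0
        fi
    done
    return 1
}

# has_secret_like_line FILE -> returns 0 if some line assigns a quoted literal
# of 8+ characters to a key named password/secret/api_key/token
# (PHP "=>", ini "=" and YAML/JSON ":" assignments are all covered)
has_secret_like_line() {
    grep -Eiq "(password|secret|api[_-]?key|token)['\"]?[[:space:]]*(=>|=|:)[[:space:]]*['\"][^'\"]{8,}['\"]" "$1"
}

# check_staged_files FILE... -> prints one line per finding, returns 1 if any
check_staged_files() {
    _rc=0
    for _f in "$@"; do
        if is_blocked_path "$_f"; then
            echo "BLOCKED: $_f is a settings file and must stay out of the repo"
            _rc=1
        elif [ -f "$_f" ] && has_secret_like_line "$_f"; then
            echo "BLOCKED: $_f contains a credential-looking assignment"
            _rc=1
        fi
    done
    return $_rc
}

# Hook entry point: when installed as .git/hooks/pre-commit, check every
# staged added/copied/modified file and abort the commit on a finding.
if [ "${0##*/}" = "pre-commit" ]; then
    # shellcheck disable=SC2046
    check_staged_files $(git diff --cached --name-only --diff-filter=ACM) || exit 1
fi
```

The pattern is deliberately narrow (a quoted literal on the right-hand side), so `'password' => getenv('DB_PASSWORD')` passes while `'password' => 'supersecretpw1'` is blocked; pair it with a `.gitignore` entry for the same paths so the files cannot even be staged by accident.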
35. Database dumps II
Because you don't need thousands of orders, customers and logs in your dev environment
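A way to produce such a reduced dump, added here as an example and not a script from the talk: keep the full schema, but take no rows from the order, quote, customer and log tables, either when creating the dump with mysqldump or when filtering a full dump you were handed. The table list uses Magento 2 default names and is a constructed starting point; the database name is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the talk): development dump without order, quote,
# customer and log rows. Table names are Magento 2 defaults (constructed list).

# Tables whose rows a dev environment does not need and should not hold.
STRIP_TABLES='sales_order sales_order_item sales_order_grid sales_order_address
sales_invoice sales_shipment sales_creditmemo
quote quote_item quote_address
customer_entity customer_address_entity customer_grid_flat customer_log
admin_user_session report_event'

# ignore_table_args DB -> one --ignore-table=DB.table argument per line
ignore_table_args() {
    for _t in $STRIP_TABLES; do
        printf -- '--ignore-table=%s.%s\n' "$1" "$_t"
    done
}

# make_dev_dump DB OUTFILE: schema for every table, then data only for the
# tables not in STRIP_TABLES (mysqldump must be able to reach DB).
make_dev_dump() {
    mysqldump --no-data --single-transaction "$1" > "$2"
    # shellcheck disable=SC2046
    mysqldump --no-create-info --single-transaction \
        $(ignore_table_args "$1") "$1" >> "$2"
}

# filter_existing_dump INFILE: drop the INSERT statements for stripped tables
# from a dump you already have. Works with mysqldump's default one INSERT per
# table as well as --skip-extended-insert, since every INSERT starts a line.
filter_existing_dump() {
    _re=$(printf '%s\n' $STRIP_TABLES | paste -s -d '|' -)
    grep -Ev "^INSERT INTO \`($_re)\` " "$1"
}

# Example use (needs a reachable database):
#   make_dev_dump magento dev-dump.sql
# or, for a full dump somebody sent you:
#   filter_existing_dump full-dump.sql > dev-dump.sql
```

The stripped tables are still created, just empty, so the dump loads without foreign-key trouble. `admin_user` is deliberately not on the list (you need an admin account to log in), which means the live password hashes travel with the dump: reset the admin passwords right after loading it.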
37. Use an environment configuration tool
Because accidentally using the wrong environment is embarrassing
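The smallest guard that catches the wrong-environment mistake, added here as an example and not a tool from the talk: every risky script (restoring a dump, flushing caches, deploying) first calls `require_env`, which reads a per-host marker file and refuses to continue when it does not name the environment the script was written for. The marker path, its one-word content (dev, staging, production) and the `MAGENTO_ENV` variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): refuse to run environment-specific scripts
# on the wrong host. Marker file path and format are assumptions.

# current_env MARKER -> prints the environment name stored in MARKER
# (first line, whitespace removed), or "unknown" if it cannot be read
current_env() {
    if [ -r "$1" ]; then
        head -n 1 "$1" | tr -d '[:space:]'
    else
        echo unknown
    fi
}

# require_env EXPECTED MARKER -> 0 only if MARKER names EXPECTED and, when the
# caller also exported MAGENTO_ENV, that agrees too. Anything else refuses,
# including a missing marker (an unlabelled host is treated as the wrong one).
require_env() {
    _want=$1
    _have=$(current_env "$2")
    if [ "$_have" != "$_want" ]; then
        echo "refusing: this host is '$_have', script expects '$_want'" >&2
        return 1
    fi
    if [ -n "${MAGENTO_ENV:-}" ] && [ "$MAGENTO_ENV" != "$_want" ]; then
        echo "refusing: MAGENTO_ENV='$MAGENTO_ENV' disagrees with '$_want'" >&2
        return 1
    fi
    return 0
}

# restore_dev_dump DB DUMPFILE: only loads the dump where the marker says "dev".
# ENV_MARKER overrides the assumed marker location.
restore_dev_dump() {
    require_env dev "${ENV_MARKER:-/var/www/magento/.environment}" || return 1
    mysql "$1" < "$2"
}

# Example use:
#   echo dev > /var/www/magento/.environment     # once, per host
#   restore_dev_dump magento dev-dump.sql
```

Failing closed on a missing marker is the point: a freshly provisioned production box without the file is exactly where a stray `restore_dev_dump` would do the most damage.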
46. To do
• Read & apply Magento Security Best Practices
• Sign up for Magento security alerts
• Test & check your code and settings
• Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono