Magento Application Security [EN]
4 likes5,683 views
This document discusses Magento application security. It covers securing logins and passwords, protecting the admin backend, installing SSL, following the software development life cycle, addressing common web application security flaws like injection and broken authentication, implementing secure coding principles such as input validation and access control, and applying security patches. The importance of ongoing security testing, monitoring, and updating is emphasized.
![Magento Application Security [EN]](https://image.slidesharecdn.com/magentoapplicationsecurityenmm15nl-150529123031-lva1-app6891/85/Magento-Application-Security-EN-2-320.jpg)
![Magento Application Security [EN]](https://image.slidesharecdn.com/magentoapplicationsecurityenmm15nl-150529123031-lva1-app6891/85/Magento-Application-Security-EN-5-320.jpg)
![Magento Application Security [EN]](https://image.slidesharecdn.com/magentoapplicationsecurityenmm15nl-150529123031-lva1-app6891/85/Magento-Application-Security-EN-6-320.jpg)
Magento Application Security [EN]
- 1. Magento Application Security Anna Völkl / @rescueAnn
- 3. Anna Völkl / @rescueAnn • Magento Certified Developer • IT & Telecommunication, IT-Security • PHP (2004), Magento (2011) • LimeSoda (Vienna, AT)
- 4. Anna Völkl / @rescueAnn • 200 Magento Installations* • 68 good passwords** • 10 endless loops*** • 3 forgotten phpinfo.php • 1 Stroopwafel purchase * roughly estimated, including test-setups ** thanks to KeePass *** last one 12/2012
- 7. Security-Technology Department of Defense Computer Security Initiative 1980
- 8. Magento Application Security Logins & Passwords Admin Backend protected SSL installed
- 9. Magento Application Security Logins & Passwords Admin Backend protected SSL installed …there‘s more!
- 10. Magento Application Security Magento Application Security Software Development Life Cycle Software Development Life Cycle UserUser DatabaseDatabase WebserverWebserver Version control & delivery Version control & delivery RequirementsRequirements Software-DesignSoftware-Design DevelopmentDevelopment Extensions / 3rd Party Extensions / 3rd Party Out of serviceOut of service Updates & PatchesUpdates & Patches LoginsLogins PasswordsPasswords Web-Application Firewall Web-Application Firewall FirewallFirewall File owner & permissions File owner & permissions Config filesConfig files IDS, IPSIDS, IPS
- 11. http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
- 13. Unsecure Software? •No time •No knowledge •No priorities •Performance •SEO •New features
- 14. Potential attackers ✗ (organized) criminals ✗ Defacer ✗ Script-Kiddies ✗ Former developers, agencies ✗ Competitors ✗ The merchant theirselves
- 15. Interest? ➢Payment data ➢Customer data ➢Personal gain ➢Damage competitors
- 16. Most critical web application security flaws A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration More: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- 17. web application security flaws OWASP Top 10 2013, https://www.owasp.org/images/4/42/OWASP_Top_10_2013_DE_Version_1_0.pdf, modified version
- 19. Minimize attack surface area Every feature adds a risk.
- 20. Secure defaults Secure configuration „out of the box“
- 21. Least Privilege Least amount of privilege required to perform actions
- 22. Fail secure Fail secure vs. Fail safe
- 23. Don't trust services ...they can be wrong.
- 24. Don't trust user input Validate the expected Expect the unexpected
- 25. Longest place name (1 word) Taumatawhakatangihangakoauauotamateaturipuk akapikimaungahoronukupokaiwhenuakitanatahu (New Zealand, 85 letters)
- 27. Security by obscurity Security by lack of knowledge?!
- 28. KISS Keep security simple Simplicity vs. complexity
- 29. Fix security issues correctly Understand the problem Find related code Write tests
- 30. ...now what?!
- 31. Functional & non functional Requirements
- 32. Be curious! Read, learn, try to understand. Secure Coding Guidelines: OWASP Secure Coding Practices Secure Coding
- 33. Validate your input Expected input: Whitelist vs. Blacklist Secure Coding
- 35. User: allowed to access a resource? Admins: ACLs Mage::getSingleton('admin/session') ->isAllowed('admin/sales/order/actions/create'); Secure Coding
- 36. ● PHPSniffer ● Magento ECG Coding Standard ● Dependencies: Sensio Labs composer.lock check Security Testing
- 39. ● .git, .git/config ● composer.lock ● Standard /admin path ● /downloader ● app/etc/local.xml ● Logfiles ● phpinfo.php ● Database-Dumps: livedb.sql.gz Block access to
- 41. ● Magento Community Edition 1.9.1.1 & Enterprise Edition 1.14.2 contain SUPEE-5344 ● Magento Shoplift Bug Tester: https://shoplift.byte.nl ● Coming soon: Magento Alert Registry ● @magesecurity Patch!
- 42. Leave your code more secure (better) than you found it.