![Page 1: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/1.jpg)
Secure development workflow
Best practices and tools to improve the overall security of your Magento shops
Anna Völkl / @rescueAnn
Meet Magento Croatia 2017, Anna Völkl / @rescueAnn
![Page 2: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/2.jpg)
Anna Völkl
Lead Magento Developer
E-CONOMIX
Wels, Linz / Austria
@rescueAnn
![Page 3: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/3.jpg)
http://bouk.co/blog/hacking-developers/
http://extractdata.club
![Page 4: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/4.jpg)
Who is responsible for security?
"I didn't know it had to be secure..."
![Page 5: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/5.jpg)
Source: Zend - The State of PHP in 2017
Magento Security Best Practices
https://magento.com/security
Sign up for Magento security alerts
• Be prepared
• Patch early
• Use magereport.com
• Monitor for signs of attack
![Page 14: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/14.jpg)
Recommended Extensions I: Passwords & Login
• EW_NativePasswords
• MageHackDay_TwoFactorAuth
• BranchLabs_AdminPasswordStrength
• Shopliebe_PasswordStrength
• Ikonoshirt_Pbkdf2
![Page 20: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/20.jpg)
Recommended Extensions II: Configuration & Monitoring
• Ikonoshirt_StrictTransportSecurity
• ET_IpSecurity
• FireGento_AdminMonitoring
• Nexcessnet_Alarmbell
• Mhauri_Slack / Moogento_SlackCommerce
![Page 25: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/25.jpg)
Recommended Extensions for M2
• creaminternet/module-secure-passwords
• Git Status Security Report
• Xtento Two-Factor Authentication [paid]
• Admin Actions Log [paid]
![Page 26: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/26.jpg)
Who has access to your code?
You.
Your colleague.
Your company.
Your GitLab server.
An external developer.
GitHub/Bitbucket.
Your CodeClimate integration.
Your build/deployment tools.
![Page 27: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/27.jpg)
![Page 28: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/28.jpg)
Isolate Development from Production
Reduce unwanted errors, improve security
![Page 29: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/29.jpg)
Dev vs. Testing/Staging vs. Production
![Page 30: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/30.jpg)
No keys in your code: put them in settings files.
Don't add the settings files (especially the production ones) to your repository.
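One way to enforce the two rules above is a pre-commit guard. The script below is an added example, not from the talk: it refuses a commit that stages a Magento settings file or a file whose content looks like a key or password. The blocked paths (Magento 1 app/etc/local.xml, Magento 2 app/etc/env.php, a .env file), the secret patterns, the script location and the hook wiring are all assumptions to adapt to your project.

```shell
#!/bin/sh
# Added example (not the talk's code): pre-commit guard against committing
# settings files or credentials. Wire it in with a one-line hook:
#   printf '#!/bin/sh\nexec sh scripts/secret-guard.sh --hook\n' > .git/hooks/pre-commit
#   chmod +x .git/hooks/pre-commit
# Script path and hook wiring are assumptions; adapt them to your layout.

# Repo-relative paths that must never be committed: Magento 1 local.xml
# (DB credentials, encryption key), Magento 2 env.php, and a dotenv file.
BLOCKED_PATHS='app/etc/local.xml app/etc/env.php .env'

# Content patterns that look like credentials. Hypothetical starter set:
# Magento 1 <key>/<password> CDATA nodes, PEM private keys, AWS access key ids.
SECRET_RE='<key><!\[CDATA\[[0-9a-f]{32}|<password><!\[CDATA\[[^]]+|-----BEGIN [A-Z ]*PRIVATE KEY-----|AKIA[0-9A-Z]{16}'

# is_blocked_path PATH -> 0 when PATH is one of BLOCKED_PATHS
is_blocked_path() {
    for p in $BLOCKED_PATHS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# has_secret FILE -> 0 when FILE contains a SECRET_RE match
has_secret() {
    grep -Eq "$SECRET_RE" "$1"
}

# check_files FILE... -> reports every offender on stderr; returns 1 if any
check_files() {
    rc=0
    for f in "$@"; do
        if is_blocked_path "$f"; then
            echo "blocked: $f is a settings file, keep it out of the repo" >&2
            rc=1
        elif [ -f "$f" ] && has_secret "$f"; then
            echo "blocked: $f contains something that looks like a key or password" >&2
            rc=1
        fi
    done
    return $rc
}

# Hook mode: check what is staged for this commit (added/copied/modified).
# Paths containing spaces would split here; quote-safe handling is omitted.
if [ "${1:-}" = "--hook" ]; then
    check_files $(git diff --cached --name-only --diff-filter=ACM)
    exit $?
fi
```

The guard is a last line of defence, not a replacement for keeping settings files out of the tree in the first place: add them to .gitignore and ship a local.xml.template (or env.php.dist) with placeholders instead of values, so the pattern check never has a real key to find.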
![Page 31: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/31.jpg)
![Page 32: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/32.jpg)
![Page 33: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/33.jpg)
Database dumps I: because dumping big databases is boring
![Page 34: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/34.jpg)
Remove log data
$ n98-magerun.phar db:dump --strip="@stripped"
Available: @log, @dataflowtemp, @stripped
See: n98-magerun Stripped Database Dumps
![Page 35: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/35.jpg)
Database dumps II: because you don't need thousands of orders, customers and logs in your dev environment
![Page 36: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/36.jpg)
Remove sales and customer data
$ n98-magerun.phar db:dump --strip="@development"
Available: @log, @dataflowtemp, @stripped, @sales, @customers, @trade, @development
See: n98-magerun Stripped Database Dumps
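A stripped dump is only as good as the strip list, and a custom module can easily add a table full of customer data that @development knows nothing about. The script below is an added example, not from the talk or from n98-magerun: it produces the dump with the command from the two slides above and refuses to hand it over unless the tables holding customer and order data came out without rows. The table list assumes Magento 1 names and is meant to be extended.

```shell
#!/bin/sh
# Added example (not the talk's or n98-magerun's code): create a stripped dump
# and verify that no customer or order rows survived before it leaves the host.

# Tables whose rows must not reach a development machine. Magento 1 names,
# assumed here; add the tables of your own modules.
PII_TABLES='customer_entity customer_address_entity sales_flat_order sales_flat_order_address sales_flat_quote newsletter_subscriber log_customer log_visitor'

# dump_pii_tables DUMP -> prints each PII table that still has INSERT rows.
# mysqldump writes data as lines starting with INSERT INTO `table` VALUES.
dump_pii_tables() {
    for t in $PII_TABLES; do
        if grep -Eq "^INSERT INTO \`?$t\`? " "$1"; then
            echo "$t"
        fi
    done
}

# dump_is_stripped DUMP -> 0 when no PII table carries data
dump_is_stripped() {
    [ -z "$(dump_pii_tables "$1")" ]
}

# make_dev_dump FILE -> dump with the @development strip set, then verify;
# the dump is deleted rather than shipped if any PII table still has rows.
make_dev_dump() {
    n98-magerun.phar db:dump --strip="@development" "$1" || return 1
    if dump_is_stripped "$1"; then
        echo "ok: $1 contains no customer or order rows"
    else
        echo "refusing to ship $1, rows left in:" >&2
        dump_pii_tables "$1" >&2
        rm -f "$1"
        return 1
    fi
}
```

Run make_dev_dump dev.sql on the production or staging host and copy the file only when it reports ok. The check reads the plain SQL, so verify before compressing; gzip afterwards if the transfer needs it.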
![Page 37: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/37.jpg)
Use an environment configuration tool: because accidentally using the wrong environment is embarrassing
![Page 38: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/38.jpg)
Environment Configuration
• LimeSoda_EnvironmentConfiguration
• n98-magerun Script
• Cti_MagentoConfigurator
• HarrisStreet ImpEx
![Page 39: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/39.jpg)
Code analysis
• CodeClimate
• SensioLabs Insight
• Scrutinizer
![Page 40: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/40.jpg)
GrumPHP
A PHP code-quality tool
• Tests running via git hooks
• Improve the codebase
• Write better code following best practices
• Extra packages like sensiolabs/security-checker
https://github.com/phpro/grumphp
![Page 41: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/41.jpg)
![Page 42: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/42.jpg)
Security advisories
https://github.com/FriendsOfPHP/security-advisories
Checking for vulnerabilities
• Upload composer.lock to https://security.sensiolabs.org
• Use the web service (curl)
• Use the CLI tool: php security-checker security:check composer.lock
All three read the same advisory database. The SensioLabs checker and its web service have since been retired; composer audit (Composer 2.4 and later) checks a lock file against the same advisories.
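The checks above all start from composer.lock, so it helps to see what is actually pinned there. The script below is an added example, not from the talk, SensioLabs or Composer: it lists the locked packages, keeps a small exact-match blocklist for builds that cannot reach the network, and wraps the curl call the web service documented at the time. The blocklist file, its format and the function names are assumptions; the web service has since been retired, so treat check_online as historical and use composer audit where you can.

```shell
#!/bin/sh
# Added example (not the talk's or any vendor's code): inspect composer.lock
# for pinned versions and match them against a local blocklist.

# locked_packages LOCK -> one "vendor/name version" line per pinned package
# in packages and packages-dev. Relies on Composer's pretty-printed JSON:
# "name" and "version" each sit on their own line and a package's "name"
# precedes its "version" (author names come later in the block, so they
# are overwritten before the next "version" is printed).
locked_packages() {
    awk '
        /^[[:space:]]*"name":/    { gsub(/[",]/, "", $2); name = $2 }
        /^[[:space:]]*"version":/ { gsub(/[",]/, "", $2); print name, $2 }
    ' "$1"
}

# vulnerable_packages LOCK BLOCKLIST -> pinned packages found in BLOCKLIST.
# BLOCKLIST holds exact "vendor/name version" lines (hypothetical format,
# e.g. what the online checker reported last time). Real advisories cover
# version ranges, so this only catches the exact builds you listed.
vulnerable_packages() {
    locked_packages "$1" | grep -Fxf "$2"
}

# lock_is_clean LOCK BLOCKLIST -> 0 when nothing in LOCK is blocklisted
lock_is_clean() {
    ! locked_packages "$1" | grep -Fxqf "$2"
}

# check_online LOCK -> plain-text report from the advisory web service,
# using the call the service documented in 2017 (now retired).
check_online() {
    curl -sS -H 'Accept: text/plain' -F "lock=@$1" https://security.sensiolabs.org/check_lock
}
```

Wire lock_is_clean into the build as a gate (it exits non-zero on a hit) and refresh the blocklist from the online report whenever the build host can reach it; the exact-match limitation is the price of a dependency-free offline check.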
![Page 43: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/43.jpg)
Magento Malware Scanner
wget git.io/mwscan.txt
grep -Erlf mwscan.txt /path/to/magento
https://github.com/gwillem/magento-malware-scanner
![Page 44: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/44.jpg)
Magento Project Mess Detector
https://github.com/AOEpeople/mpmd
![Page 45: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/45.jpg)
Admin password cracking
![Page 46: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/46.jpg)
To do
• Read & apply Magento Security Best Practices
• Sign up for Magento security alerts
• Test & check your code and settings
• Follow @piotrekkaminski, @gwillem, @_Talesh, @pete_cags, @PeterJaap, @Fabian_ikono
![Page 48: Secure development environment @ Meet Magento Croatia 2017](https://reader034.vdocuments.net/reader034/viewer/2022052606/58d0f48d1a28abc00b8b4cff/html5/thumbnails/48.jpg)