Magento Application Security Anna Völkl / @rescueAnn



Anna Völkl / @rescueAnn

• Magento Certified Developer
• IT & Telecommunication, IT-Security
• PHP (2004), Magento (2011)
• LimeSoda (Vienna, AT)

Anna Völkl / @rescueAnn

• 200 Magento Installations*
• 68 good passwords**
• 10 endless loops***
• 3 forgotten phpinfo.php
• 1 Stroopwafel purchase

* roughly estimated, including test-setups

** thanks to KeePass

*** last one 12/2012

Security Technology, Department of Defense Computer Security Initiative, 1980

Magento Application Security

• Logins & Passwords
• Admin Backend protected
• SSL installed

…there‘s more!

Magento Application Security


Software Development Life Cycle

Components: User, Webserver, Database

Life cycle stages:

• Requirements
• Software-Design
• Development
• Extensions / 3rd Party
• Version control & delivery
• Updates & Patches
• Out of service

Protective measures around them:

• Logins
• Passwords
• Web-Application Firewall
• Firewall
• File owner & permissions
• Config files
• IDS, IPS

http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx

Security

• Confidentiality
• Integrity
• Availability

Unsecure Software?

• No time
• No knowledge
• No priorities

• Performance
• SEO
• New features

Potential attackers

✗ (organized) criminals
✗ Defacer
✗ Script-Kiddies
✗ Former developers, agencies
✗ Competitors
✗ The merchants themselves

Interest?

➢ Payment data
➢ Customer data
➢ Personal gain
➢ Damage competitors

Most critical web application security flaws

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration

More: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Source: OWASP Top 10 2013, https://www.owasp.org/images/4/42/OWASP_Top_10_2013_DE_Version_1_0.pdf, modified version

Minimize attack surface area

Every feature adds a risk.

Secure defaults

Secure configuration "out of the box"

Least Privilege

Least amount of privilege required to perform actions

Fail secure

Fail secure vs. Fail safe

Don't trust services

...they can be wrong.

Don't trust user input

Validate the expected. Expect the unexpected.

Longest place name (1 word)

Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu

(New Zealand, 85 letters)

https://xkcd.com/327/

Security by obscurity

Security by lack of knowledge?!

KISS

Keep security simple. Simplicity vs. complexity

Fix security issues correctly

Understand the problem. Find related code.

Write tests

...now what?!

Functional & non-functional requirements

Be curious! Read, learn, try to understand.

Secure Coding Guidelines: OWASP Secure Coding Practices

Secure Coding

Validate your input. Expected input: Whitelist vs. Blacklist

Secure Coding

https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/

User: allowed to access a resource?

Admins: ACLs

Mage::getSingleton('admin/session')
    ->isAllowed('admin/sales/order/actions/create');
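The isAllowed() call above in context, as an added example that is not from the slides or from Magento core: an admin controller that enforces the ACL resource before any of its actions run, and a frontend controller that additionally checks that the requested order belongs to the logged-in customer. Module and class names (Example_Orders) are hypothetical.

```php
<?php
// Added example, not from the slides or from Magento core. Module and class
// names (Example_Orders) are hypothetical; the ACL resource string is the
// core Mage_Sales resource named on the slide.
// app/code/local/Example/Orders/controllers/Adminhtml/OrdersController.php
class Example_Orders_Adminhtml_OrdersController extends Mage_Adminhtml_Controller_Action
{
    // Magento calls _isAllowed() from preDispatch() before every action here;
    // a false return forwards to the "denied" page, so no action runs for a role
    // that has not been granted the resource.
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')
            ->isAllowed('admin/sales/order/actions/create');
    }

    public function createAction()
    {
        // reached only when the ACL check above passed
    }
}

// app/code/local/Example/Orders/controllers/OrderController.php (frontend)
class Example_Orders_OrderController extends Mage_Core_Controller_Front_Action
{
    public function preDispatch()
    {
        parent::preDispatch();
        // Require a logged-in customer; authenticate() redirects to the login
        // page when there is none.
        if (!Mage::getSingleton('customer/session')->authenticate($this)) {
            $this->setFlag('', self::FLAG_NO_DISPATCH, true);
        }
    }

    public function viewAction()
    {
        // Being logged in is not enough: the order must belong to the session's
        // customer, otherwise editing order_id in the URL exposes other
        // customers' orders (OWASP A4, insecure direct object references).
        $order = Mage::getModel('sales/order')
            ->load((int) $this->getRequest()->getParam('order_id'));
        $customerId = Mage::getSingleton('customer/session')->getCustomerId();
        if (!$order->getId() || (int) $order->getCustomerId() !== (int) $customerId) {
            $this->_forward('noRoute');
            return;
        }
        Mage::register('current_order', $order);
        $this->loadLayout()->renderLayout();
    }
}
```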

Secure Coding

● PHP_CodeSniffer
● Magento ECG Coding Standard
● Dependencies: Sensio Labs composer.lock check

Security Testing

● Scrutinizer CI
● Code Climate
● SensioLabsInsight

Security Testing

Block access to:

● .git, .git/config
● composer.lock
● Standard /admin path
● /downloader
● app/etc/local.xml
● Logfiles
● phpinfo.php
● Database-Dumps: livedb.sql.gz

SUPEE-5344, SUPEE-5994

Latest security patches

● Magento Community Edition 1.9.1.1 & Enterprise Edition 1.14.2 contain SUPEE-5344
● Magento Shoplift Bug Tester: https://shoplift.byte.nl
● Coming soon: Magento Alert Registry
● @magesecurity

Patch!

Leave your code more secure (better) than you found it.