Magento Security and Us
DESCRIPTION
Light presentation on Magento security, how it affects you, and what things you should consider.
TRANSCRIPT
Magento Security and Us
Lee Saferite
Introduction
• Started programming in the 80s (Yikes!)
• I have been:
– Unix Admin
– DB Admin
– Network Engineer
• Ecommerce developer since 2004
• Magento developer since 2008
• Senior Developer at AOE since July 2013
Historic Exploits on Magento
• Failed access control restriction
• Remote code execution
• File disclosure
• Flawed cryptography
• Session hijacking
• Trojans
• Bastian Ike (@b_ike) – AOE’s resident expert
Base Server Security
• Limit the attack surface
– Do NOT run other software on the ecommerce server
– Only open the ports needed for server operation
– Use a bastion host to restrict SSH access
• External log file storage
• Chroot and privilege dropping
• Backup security
Server users and permissions
• Web server should run as a user with very limited permissions
• Web server user should not have a login shell
• Deployments should run under a different user
• Site code should be read-only
• /var and /media
– only writable by the web server user
– should not allow running scripts
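The rules on this slide can be turned into a repeatable check. The script below is an added example written for this transcript, not code from the talk or from AOE: it verifies that the web server user has no login shell, that no site-code file is writable by group or other, and that no PHP, phtml or phar file has appeared under var/ or media/ (the writable directories where a dropped web shell would land). It assumes a Magento 1 layout with var/ and media/ directly under the docroot; the function names, the optional passwd-file argument (there so the check can run against a copied file) and the user name www-data are illustrative choices.

```shell
#!/bin/sh
# audit_magento_perms.sh -- added example, not from the talk.
# Assumptions: var/ and media/ sit directly under DOCROOT; the passwd file
# argument is only there so the shell check can run against a copied file.

# web_user_has_no_shell USER [PASSWD_FILE]: exit 0 when USER's shell is nologin or false.
web_user_has_no_shell() {
    user="$1"; passwd="${2:-/etc/passwd}"
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# writable_code_files DOCROOT: print site-code files (var/ and media/ excluded)
# that are group- or world-writable. Site code should be read-only, so any output is a finding.
writable_code_files() {
    docroot="$1"
    find "$docroot" \( -path "$docroot/var" -o -path "$docroot/media" \) -prune \
        -o -type f \( -perm -020 -o -perm -002 \) -print
}

# scripts_in_upload_dirs DOCROOT: print PHP/phtml/phar files under var/ and media/.
# These directories are writable by the web server, so a script here is the classic
# web shell location; nothing there should ever be executable by the web server.
scripts_in_upload_dirs() {
    docroot="$1"
    find "$docroot/var" "$docroot/media" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print 2>/dev/null
}

# audit_docroot DOCROOT WEB_USER [PASSWD_FILE]: run every check, report, return 1 on any finding.
audit_docroot() {
    docroot="$1"; user="$2"; passwd="${3:-/etc/passwd}"; rc=0
    if ! web_user_has_no_shell "$user" "$passwd"; then
        echo "FAIL: $user has a login shell"; rc=1
    fi
    found=$(writable_code_files "$docroot")
    if [ -n "$found" ]; then
        echo "FAIL: site code writable by group/other:"; echo "$found"; rc=1
    fi
    found=$(scripts_in_upload_dirs "$docroot")
    if [ -n "$found" ]; then
        echo "FAIL: script files in var/ or media/:"; echo "$found"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $docroot"
    return "$rc"
}

# Usage on a live box (run as root or the deploy user, never as the web server user):
#   audit_docroot /var/www/magento www-data
```

Ownership is deliberately not checked, because a non-root reviewer can still run the permission and script-file checks; once the script is run as root, a `find ... ! -user "$deploy_user"` clause on the site code is the natural next rule. Files it prints are the ones to fix (chmod, chown) or, for scripts in var/ and media/, to treat as a possible compromise and preserve before deleting.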
Users and Roles
• Define granular permissions for modules
• Principle of Least Privilege (POLP)
• No shared accounts
• Strong passwords and password rotation rules
• Admin action audit logs
• Employee exit procedures
Code Security Audits
• Never trust a third party module without a security review
• Be very wary of encrypted and obfuscated code
• Never allow a module to include a remote self-update
• Watch out for information leakage via phone-home features
• Module installation from Magento Connect via admin downloader is evil
• Code repositories and commit hashes (or signed revisions) are your friends
Very Bad Things™
• Magento Connect via Admin
• Remote update capabilities
• Composer without commit hashes
• Encoded files
• Obfuscated files
Incident Response Plan
• You will be compromised.
• Advanced persistent threat
– You are a high value target as a financial transaction processor
– They want in and will keep trying until they finally find a flaw
• Written action plans for major compromise situations
– Code modifications
– Stolen data
– Site lockout
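Pinning modules to commit hashes (the Code Security Audits slide) and having a plan for "code modifications" (this slide) share one prerequisite: a record of exactly what code was deployed. The script below is an added example for this transcript, not code from the talk or from AOE. It writes a SHA-256 manifest of the site code at release time and later diffs the live tree against it, so an incident responder gets a concrete list of added, modified and removed files instead of a hunch. It assumes sha256sum (or shasum -a 256) is available and that var/ and media/ are excluded because they change in normal operation; the file and function names are illustrative.

```shell
#!/bin/sh
# code_manifest.sh -- added example, not from the talk.
# Assumptions: sha256sum or shasum is installed; var/ and media/ are excluded
# because they change in normal operation. Keep the manifest off the web server
# (the same reasoning as external log storage): an attacker who can edit the
# code can edit a local copy of the manifest too.

# digest FILE: print the hex SHA-256 of FILE.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# build_manifest DOCROOT: print "<sha256>  <relative path>" lines, sorted by path.
build_manifest() {
    ( cd "$1" && find . \( -path ./var -o -path ./media \) -prune -o -type f -print \
        | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s  %s\n' "$(digest "$f")" "$f"
        done )
}

# verify_manifest DOCROOT BASELINE_FILE: compare the live tree with the stored
# manifest. Prints "ADDED|MODIFIED|REMOVED <path>" lines and returns 1 if any exist.
verify_manifest() {
    docroot="$1"; baseline="$2"
    diffs=$(build_manifest "$docroot" | awk -v base="$baseline" '
        BEGIN { while ((getline line < base) > 0) { split(line, a); known[a[2]] = a[1] } }
        NF == 0 { next }
        {
            if (!($2 in known))        print "ADDED " $2
            else if (known[$2] != $1)  print "MODIFIED " $2
            delete known[$2]
        }
        END { for (p in known) print "REMOVED " p }' | LC_ALL=C sort)
    if [ -n "$diffs" ]; then
        echo "$diffs"
        return 1
    fi
    echo "OK: $docroot matches $baseline"
    return 0
}

# Usage: at deploy time, from the deploy user (not the web server user):
#   build_manifest /var/www/magento > /secure/offhost/release-2013-07-01.sha256
# During an incident, or on a schedule:
#   verify_manifest /var/www/magento /secure/offhost/release-2013-07-01.sha256
```

A manifest built from a checkout at a known commit hash is what makes "commit hashes are your friends" actionable on the server: the hash tells you what should be there, the manifest tells you whether it still is. Run the verification from a cron job or the bastion host rather than from the web server user, and treat any MODIFIED or ADDED entry outside a planned deployment as the first artifact to preserve in the incident timeline.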
Demonstration
• Simple remote file dump on 1.7.0.0
Recap
• Website security is multi-layer
• Secure your server
• Review all code you run on your site
• Don’t share a server with other services that could provide an entry point
• Plan and document your incident response
Questions
No meme for you!
AOE Inc.
700 Airport Blvd, Suite 280
Burlingame, CA 94010
USA
Phone: +1 415-230-0697
E-Mail: [email protected]
Twitter: @LeeSaferite