Magento Security Best practices 2015

Size: px

Start display at page:

Download "Magento Security Best practices 2015"

Esmond Little
10 years ago
Views:

1 Grow your business safely Magento Security Best practices 2015 Q

2 e-commerce: the 60% rules >60% of web traffic is non-human >60% of attempts to steal databases target e-commerce sites >60% of growth for identity theft over three years A 2012 study showed Retailer websites are at risk 328 days/year An IP address is scanned around 40 times per day 22

3 The triple loot 33

4 A different time scale Time between attack launch and compromising Seconds Minutes Hours Days Weeks Months Years Time between compromising and discovery of it Statistics made based on large corporations in 2012 (Verizon Databreach report) 55

5 A *very* bad year 66

6 A *very* bad year 7

7 It all started with a big #fail (Shoplift) 8

8 It all started with a big #fail (RSS orders) 9

9 It all started with a big #fail (Magmi) 10

10 Other SUrPrEEses 11

11 Magento cache leak 12

12 But there were other before 13

13 Did you took care of the previous ones? 14

14 Did you took care of the previous ones? 15

15 Did you took care of the previous ones? The PayPal / Magento integration flaw (by NBS) 16

16 NBS System will release a new vulnerability soon 17

17 Or even the one that were not Magento specific? 18

18 PHP: two versions behind, really? PHP versions in use, in our parc: 88% are outdated and not supported anymore No security fixes. (and +12% to +40% performances to gain) 19

19 Easily exploitable things beyond classical vulnerabilities 20

20 When Magento support is being creative Magento Support giving dangerous advices Chmod 777 your document root *REALLY*? Magento is not compatible with Reverse proxies. *Woot*? Give me your root password so we can look *NO KIDDING*? Etc Don t go to a car dealer to fix a bad tooth 21

21 Classical mistakes that cost Leaving your logs accessible, especially Debug one Leaving payment gateway logs accessible to all Not hiding Magento, PHP, Apache versions Use a minimum of unaudited extensions, a lot are BAD Weak passwords, along with no locking policies are a plague 22

22 Applicative level D.o.S attacks Leaving import/export scripts, reindexers, crontabs accessible Try calling pages that load very slowly Access directly the API to import / export Etc. 23

23 Securing Magento Flaws 24

Securing Magento flaws Update to versions CE > 1.9 or EE > 1.14.1 Use PHP 5.

24 Securing Magento flaws Update to versions CE > 1.9 or EE > Use PHP 5.6 Shoplift, Magmi, XML-RPC-XEE : filter the access with a.htaccess file (or an nginx rule) 25

$Securing recent flaws Example with Magmi (using Apache) RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC] RewriteCond %{REMOTE_ADDR}!^192.168.0.1 RewriteRule ^(.$

25 Securing recent flaws Example with Magmi (using Apache) RewriteCond %{REQUEST_URI} ^/(index.php/)?magmi/ [NC] RewriteCond %{REMOTE_ADDR}!^ RewriteRule ^(.*)$ [R=302,L] Example with Magmi (using Nginx) location ~* ^/(index.php/)?magmi { allow ; deny all; location ~*.(php) { include fastcgi_params; } } 26

26 Protect your backoffice & updater Example using Apache <Location /wp-admin> AuthType Basic AuthName "Restricted Area" AuthUserFile /etc/apache2/access/htpasswd Require valid-user Order deny,allow Allow from [MY_IP] Satisfy any </Location> Then, just add a user: htpasswd c /etc/apache2/access/htpasswd [user] 27

27 Leveraging native Magento security Use HTTPS in Backoffice & order tunnels access Change your backoffice default URL Do *NOT* use a weak password (no «tommy4242» is not safe) Put some limits to number of failed login attempts Put a password expiration time and change it every 3 months Enforce use of case sensitive password Disable password recovery 28

28 Securing Web application 29

Organizational security Get a security review Keep track of vulnerabilities on Magento ecosystem Have serious passwords, change them every 3 months

29 Organizational security Get a security review Keep track of vulnerabilities on Magento ecosystem Have serious passwords, change them every 3 months Do not keep informations unless they are needed Pick a PCI/DSS certified hosting company Use 3D secure Keep up to date versions of Magento & PHP 30

30 Infrastructure security Keep a daily backup Use a WAF, NAXSI is opensource, free and stable Put rate limits on your Reverse Proxies Filter your outgoing trafic It s the job of your managed services provider. 31

31 Host level security Change default backoffice URL Disable directory indexing Have correct permissions : file=644, directory=755 No follow, no index on preprod Use the best practices mentioned before It s the job of your managed services provider. 32

32 High end security 33

33 CerberHost Humans Website Database Applicative stack Network Operating system Hardware Motivating wages Equipe SOC Security trainings Background checks N.A.X.S.I (web application firewall) ReqLimit (Anti applicative DoS) ExecVE killer File Upload checker PHP Suhosin V2 App scan Threadfix virtual patching MySQL Interceptor PHP Suhosin V2 Daemon hardening Anti DDoS Isolated Vlans Firewalling PAX GrSec Watch Folder PHP Malware finder Redundant hardware Redundant datacenters Redundant data storage Redundant telecom uplinks Log central Security Event Manager Ban Commander Flex Dynamic Firewall 34 9

34 Grow your business safely Contact Twitter 35

Wordpress Security. A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K

Wordpress Security. A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K Wordpress Security A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K So about wordpress. The number one website and blogging software