Anna Völkl - MM15NL
Transcript of Anna Völkl - MM15NL
Magento Application Security
Anna Völkl / @rescueAnn
Anna Völkl / @rescueAnn
• Magento Certified Developer
• IT & Telecommunications, IT-Security
• PHP (2004), Magento (2011)
• LimeSoda (Vienna, AT)
Anna Völkl / @rescueAnn
• 200 Magento installations*
• 68 good passwords**
• 10 endless loops***
• 3 forgotten phpinfo.php
• 1 Stroopwafel purchase
* roughly estimated, including test-setups
** thanks to KeePass
*** last one 12/2012
Security Technology: Department of Defense Computer Security Initiative, 1980
Magento Application Security
• Logins & Passwords
• Admin Backend protected
• SSL installed
…there's more!
Magento Application Security
Software Development Life Cycle
User
Database
Webserver
Version control & delivery
Requirements
Software Design
Development
Extensions / 3rd Party
Out of service
Updates & Patches
Logins
Passwords
Web Application Firewall
Firewall
File owner & permissions
Config files
IDS, IPS
http://blogs.technet.com/b/rhalbheer/archive/2011/01/14/real-physical-security.aspx
Security
Confidentiality
Integrity
Availability
Insecure software?
• No time
• No knowledge
• No priorities
• Performance
• SEO
• New features
Potential attackers
✗ (organized) criminals
✗ Defacers
✗ Script kiddies
✗ Former developers, agencies
✗ Competitors
✗ The merchants themselves
Interest?
➢ Payment data
➢ Customer data
➢ Personal gain
➢ Damage competitors
Most critical web application security flaws
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
More: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Source: OWASP Top 10 2013, https://www.owasp.org/images/4/42/OWASP_Top_10_2013_DE_Version_1_0.pdf (modified version)
Secure Coding Principles
Minimize attack surface area
Every feature adds a risk.
Secure defaults
Secure configuration "out of the box"
Least Privilege
Least amount of privilege required to perform actions
Fail secure
Fail secure vs. Fail safe
Don't trust services
...they can be wrong.
Don't trust user input
Validate the expected
Expect the unexpected
Longest place name (1 word)
Taumatawhakatangihangakoauauotamateaturipukakapikimaungahoronukupokaiwhenuakitanatahu
(New Zealand, 85 letters)
Security by obscurity
Security by lack of knowledge?!
KISS
Keep security simple
Simplicity vs. complexity
Fix security issues correctly
Understand the problem
Find related code
Write tests
...now what?!
Functional & non functional
Requirements
Be curious!
Read, learn, try to understand.
Secure Coding Guidelines: OWASP Secure Coding Practices
Secure Coding
Validate your input
Expected input: Whitelist vs. Blacklist
Secure Coding
https://quadhead.de/cola-hack-sicherheitsluecke-auf-meinecoke-de/
User: allowed to access a resource?
Admins: ACLs
    Mage::getSingleton('admin/session')
        ->isAllowed('admin/sales/order/actions/create');
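As an added example (not code from the talk) of the two points above, whitelist input validation and an explicit ACL check, here is a Magento 1 admin controller; the module name, controller name and the request parameters are assumptions:

```php
<?php
/**
 * Added example, not from the talk: a Magento 1 admin controller that
 * whitelists its request parameters and guards the action with the ACL
 * resource shown on the slide. Module, controller and parameter names are
 * assumptions.
 */
class Example_Orderexport_Adminhtml_ExportController extends Mage_Adminhtml_Controller_Action
{
    /** Whitelist: the only sort fields this action will ever pass to the DB. */
    private $allowedSortFields = array('created_at', 'increment_id', 'grand_total');

    /**
     * Magento calls _isAllowed() before each action; the base class returns
     * true by default, so a custom admin controller must override it or every
     * admin user can reach the action regardless of role.
     */
    protected function _isAllowed()
    {
        return Mage::getSingleton('admin/session')
            ->isAllowed('admin/sales/order/actions/create');
    }

    public function indexAction()
    {
        // Whitelist, not blacklist: anything outside the known list is rejected,
        // so an unexpected value never reaches the collection's ORDER BY.
        $sort = (string) $this->getRequest()->getParam('sort', 'created_at');
        if (!in_array($sort, $this->allowedSortFields, true)) {
            $this->_getSession()->addError($this->__('Invalid sort field.'));
            $this->_redirect('*/*/');
            return;
        }

        // "Expect the unexpected": bound length and character set of free text
        // (letters, digits, space, dot, underscore, dash) before using it.
        $search = (string) $this->getRequest()->getParam('q', '');
        if (strlen($search) > 50 || !preg_match('/^[\p{L}\p{N} ._-]*$/u', $search)) {
            $this->_getSession()->addError($this->__('Invalid search term.'));
            $this->_redirect('*/*/');
            return;
        }

        $orders = Mage::getResourceModel('sales/order_collection')
            ->addFieldToFilter('increment_id', array('like' => $search . '%'))
            ->setOrder($sort, 'DESC');
        Mage::register('export_orders', $orders);
        $this->loadLayout()->renderLayout();
    }
}
```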
Secure Coding
● PHP_CodeSniffer
● Magento ECG Coding Standard
● Dependencies: SensioLabs composer.lock check
Security Testing
Scrutinizer CI, Code Climate, SensioLabsInsight
Security Testing
Block access to:
● .git, .git/config
● composer.lock
● Standard /admin path
● /downloader
● app/etc/local.xml
● Logfiles
● phpinfo.php
● Database dumps: livedb.sql.gz
SUPEE-5344, SUPEE-5994
Latest security patches
● Magento Community Edition 1.9.1.1 & Enterprise Edition 1.14.2 contain SUPEE-5344
● Magento Shoplift Bug Tester: https://shoplift.byte.nl
● Coming soon: Magento Alert Registry
● @magesecurity
PATCH!
Leave your code more secure (better) than you found it.