Mar 2, 2017
Meet Magento 2017, Milan
Andrea Zwirner – Linkspirit
Magento security and hardening strategies 2
Magento security and hardening strategies
Andrea Zwirner
andrea@linkspirit.it
@AndreaZwirner
IT security
Environment
● Linux, Apache, MariaDB, PHP
● Magento 1.9.x.y
– We will be as platform independent as possible
Magento average security
● Magento is a good product, security is never underestimated
– Fast security patches for both 1.9.x and 2.x versions
– URL protection (via secret key addition)
– Session validation (session poisoning, hijacking, fixation attacks)
– CSRF protection
– CAPTCHA for admin login (against brute force)
Magento average security
● Sensitive data is encrypted with an additional encryption key (cards, integration passwords)
● There is also a lot of documentation on security and hardening
Magento average security
● Anyway, the team is doing a great job!
● But it might all be useless if…
A secure platform in an insecure world
[Diagram: layered stack – Hardware, Operating System, Libraries, Application, Services]
Full of unprepared users...
[Diagram: the same stack with a User layer on top – Hardware, Operating System, Libraries, Application, Services, User]
Backend security
● Workstations that work with the backend need to be hardened
● The same applies to the environment in which those workstations work
– And the environments it is connected to, including suppliers, clients, etc.
● Users need to be made aware of the risks they might expose the application to
What’s the strategy?
Never underestimate the importance of end users
“Ensuring cybersecurity is a common responsibility. End users play a crucial role in ensuring the security of networks and information systems: they need to be made aware of the risks they face online and be empowered to take simple steps to guard against them.”
Cybersecurity Strategy of the European Union
European Commission, Feb 2013
Ok, let’s start!
Enumeration is the key
● If you want to crack it, you need to know it
● The quieter you become, the more you’re able to hear
● You can’t just try every single weapon you have in your armory
● That would alert any kind of IPS at any level
Enumeration – /magento_version
Enumeration – /downloader
Enumeration – static files 1
● /skin/frontend/default/default/css/styles.css
Enumeration – static files 2
Enumeration in web application scanners
It’s attack time!
● We have to make a couple of assumptions
– Vulnerable Magento version (1.9.1.0 CE or 1.14.1.0 EE)
– Not patched with SUPEE-5344
– It means RCE… Uh ohhh…
It’s attack time!
● backdoor.tgz adds backdoor.php (a meterpreter reverse shell) in /errors
It’s attack time!
● Misconfigurations
– Downloader is exposed and unprotected
– File system permissions have not been reset (maybe after the last extension install)
TCP reverse shell
Getting DB credentials
DB dump!
Passwords
● md5/sha-256(salt+password):salt – no bcrypt, scrypt or pbkdf2 :-(
Let’s crack them, with hashcat!
Option two: frontend malware (common!)
And your card number is?
Why does all this stuff work?
● Using vulnerable components (at any level of the stack)
– It doesn’t matter which Magento version you use, it has to be (quickly) patched!
● Misconfigurations
– Whoever works inside the environment has to know (well) what they are doing!
So, let’s harden it – basic
● Monitor issues for every single component of the stack, and patch accordingly
● Restrict access to administrative functions to specific IP addresses
● Hide sensitive URLs (admin / downloader / extensions) behind custom URLs
● Block access to development / staging / test environments
So, let’s harden it – mid
● Run Magento inside a dedicated environment
● Always apply the principle of least privilege
● Automate the deployment process
– Extensions should not be installed in production
– Implement automated checks (unit tests, static code analysis, etc.)
● Audit the user list and enable two-factor authentication (Nexcess, miniOrange, etc.)
So, let’s harden it – advanced
● Check Admin Action Logs and compare with policies / timing / etc.
● Check file integrity (compare production with a clean version) / mtimes, etc.
● Monitor all system logins and compare with policies / timing / etc.
● Choose extensions accordingly (e.g. ASVS compliance / code review / pen-test)
– If possible, avoid using extensions with upload functions
So, let’s harden it – advanced
● Monitor for common malicious functions or code
– curl(, FILE_APPEND, file_put_, fwrite, http.open, http.send, mail, <script, etc.
● Monitor for files bigger than 2-3 MB
– They can contain stolen data waiting to be sent to the attacker
● Monitor for common backdoor code
– A lot: base64, exec, wget, system, move_uploaded_file, encodeURI, etc.
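An added example in Python (not code from the talk or from Magento) that puts the file-integrity check from the previous slide and the three monitoring rules above into one script: it hashes a clean copy and the production tree, reports added/removed/modified files, flags files over the size limit, and greps only the changed source files for the listed tokens. The directory layout, the file contents and the checkout.js path are constructed for the demo.

```python
# Added example (not from the talk or from Magento): diff a production tree
# against a clean copy, flag oversized files, and grep only the changed files
# for the tokens listed on the slides. Sample tree and contents are constructed.
import hashlib
import os
import re
import shutil
import tempfile

# Token lists from the slides; matched with a leading word-boundary check so
# that e.g. "getEmail" does not trigger on "mail".
MALICIOUS_CODE_TOKENS = ["curl(", "FILE_APPEND", "file_put_", "fwrite",
                         "http.open", "http.send", "mail", "<script"]
BACKDOOR_TOKENS = ["base64", "exec", "wget", "system",
                   "move_uploaded_file", "encodeURI"]
TOKEN_RE = [(t, re.compile(r"(?<![A-Za-z0-9_])" + re.escape(t)))
            for t in MALICIOUS_CODE_TOKENS + BACKDOOR_TOKENS]
SIZE_LIMIT = 2 * 1024 * 1024  # slides: files above 2-3 MB deserve a look
SOURCE_EXTENSIONS = (".php", ".phtml", ".js")
JS_PATH = "skin/frontend/base/default/js/checkout.js"  # constructed sample path


def scan_tree(root):
    """Map relative path -> (sha256 hex digest, size in bytes) under root."""
    info = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            info[os.path.relpath(full, root)] = (h.hexdigest(), os.path.getsize(full))
    return info


def diff_trees(clean, prod):
    """Files only in production, missing from it, or with a changed hash."""
    return {
        "added": sorted(set(prod) - set(clean)),
        "removed": sorted(set(clean) - set(prod)),
        "modified": sorted(p for p in prod if p in clean and prod[p][0] != clean[p][0]),
    }


def large_files(prod, limit=SIZE_LIMIT):
    """Relative paths of files above limit bytes (staged-loot candidates)."""
    return sorted(p for p, (_, size) in prod.items() if size > limit)


def indicator_hits(root, rel_paths):
    """Tokens found in each listed source file; other file types are skipped.
    Scanning only changed files keeps Magento core's own legitimate uses of
    mail/fwrite/base64 from flooding the report."""
    report = {}
    for rel in rel_paths:
        if not rel.endswith(SOURCE_EXTENSIONS):
            continue
        with open(os.path.join(root, rel), encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
        found = [tok for tok, rx in TOKEN_RE if rx.search(text)]
        if found:
            report[rel] = found
    return report


def audit(clean_root, prod_root):
    """Full report: tree diff, oversized files, indicators in changed files."""
    clean, prod = scan_tree(clean_root), scan_tree(prod_root)
    delta = diff_trees(clean, prod)
    changed = delta["added"] + delta["modified"]
    return {"diff": delta, "large": large_files(prod),
            "indicators": indicator_hits(prod_root, changed)}


def build_demo_trees():
    """Constructed clean and production copies of a tiny Magento-like tree."""
    base = tempfile.mkdtemp(prefix="mage-audit-")
    clean, prod = os.path.join(base, "clean"), os.path.join(base, "prod")
    files = {"index.php": "<?php\nrequire 'app/Mage.php';\nMage::run();\n",
             "app/Mage.php": "<?php\nfinal class Mage {}\n",
             "errors/404.php": "<?php\necho 'Not found';\n",
             JS_PATH: "var checkout = {};\n"}
    for path, content in files.items():
        full = os.path.join(clean, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    shutil.copytree(clean, prod)
    # Tampering as on the slides: a dropped file in /errors, an edited checkout
    # script and a large staged file. The contents are just marker tokens.
    with open(os.path.join(prod, "errors", "backdoor.php"), "w") as fh:
        fh.write("<?php\n// constructed placeholder, not a working script\n"
                 "$tokens = 'base64 system exec';\n")
    with open(os.path.join(prod, JS_PATH), "a") as fh:
        fh.write('var marker = "http.open http.send <script"; // constructed\n')
    os.makedirs(os.path.join(prod, "media", "export"))
    with open(os.path.join(prod, "media", "export", "dump.bin"), "wb") as fh:
        fh.write(b"\0" * (3 * 1024 * 1024))
    return clean, prod
```

`audit(*build_demo_trees())` returns the report as a dict; against a real store, point `audit` at a pristine extract of the same Magento release and the production document root.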
So, let’s harden it – advanced
● Do anything you can to make enumeration harder
– Remove service banners
– Remove metadata
– Remove/change static files
● *_version, README, etc.
● *.css, *.js
A common attack: brute force
Intrusion Prevention
● Should we just wait for the attacker to guess the password?
● Intrusion Prevention Systems
– Policy verification through log analysis
● Web application firewalls
– Configuration (platform dependent)
– Review (at least on application changes)
Know your enemy
● Should we just wait for the attacker to find the right path?
● Attack information must be collected and analyzed
● You have to understand who the attacker is and what their goal is
And then… Shit happens!
● Make sure your governance level is granular enough to understand what’s happening
● You have to know what the system is doing, not just that it is “working”
● And if everything has been fucked up, the keywords are
– Backup
– Restore
– Disaster recovery plan
 
Miguel Balparda - A day in support
Miguel Balparda - A day in supportMiguel Balparda - A day in support
Miguel Balparda - A day in supportMeet Magento Italy
 
Volodymyr Kublytskyi - Develop Product, Design Platform
Volodymyr Kublytskyi - Develop Product, Design PlatformVolodymyr Kublytskyi - Develop Product, Design Platform
Volodymyr Kublytskyi - Develop Product, Design PlatformMeet Magento Italy
 
Rosario Toscano - Processi di ottimizzazione per una crescita continua
Rosario Toscano - Processi di ottimizzazione per una crescita continuaRosario Toscano - Processi di ottimizzazione per una crescita continua
Rosario Toscano - Processi di ottimizzazione per una crescita continuaMeet Magento Italy
 
Henrik Feld Jakobsen - How to sell online Scandinavia
Henrik Feld Jakobsen - How to sell online ScandinaviaHenrik Feld Jakobsen - How to sell online Scandinavia
Henrik Feld Jakobsen - How to sell online ScandinaviaMeet Magento Italy
 
Rabia Qureshi - How to sell online in UK
Rabia Qureshi - How to sell online in UKRabia Qureshi - How to sell online in UK
Rabia Qureshi - How to sell online in UKMeet Magento Italy
 
Matteo Schuerch - How to sell online in Switzerland
Matteo Schuerch - How to sell online in SwitzerlandMatteo Schuerch - How to sell online in Switzerland
Matteo Schuerch - How to sell online in SwitzerlandMeet Magento Italy
 
Il data-driven nell’e-commerce: il caso studio Alessi
Il data-driven nell’e-commerce: il caso studio AlessiIl data-driven nell’e-commerce: il caso studio Alessi
Il data-driven nell’e-commerce: il caso studio AlessiMeet Magento Italy
 
Philippe Bernou - Seamless omnichannel solutions with Magento order management
Philippe Bernou - Seamless omnichannel solutions with Magento order managementPhilippe Bernou - Seamless omnichannel solutions with Magento order management
Philippe Bernou - Seamless omnichannel solutions with Magento order managementMeet Magento Italy
 

Mais de Meet Magento Italy (20)

Dirk Pinamonti - Come affrontare la sfida del nuovo mercato multicanale e del...
Dirk Pinamonti - Come affrontare la sfida del nuovo mercato multicanale e del...Dirk Pinamonti - Come affrontare la sfida del nuovo mercato multicanale e del...
Dirk Pinamonti - Come affrontare la sfida del nuovo mercato multicanale e del...
 
Vinai Kopp - How i develop M2 modules
Vinai Kopp - How i develop M2 modules Vinai Kopp - How i develop M2 modules
Vinai Kopp - How i develop M2 modules
 
Eugene Shaksuvarov - Tuning Magento 2 for Maximum Performance
Eugene Shaksuvarov - Tuning Magento 2 for Maximum PerformanceEugene Shaksuvarov - Tuning Magento 2 for Maximum Performance
Eugene Shaksuvarov - Tuning Magento 2 for Maximum Performance
 
Muliadi jeo - How to sell online in Indonesia
Muliadi jeo - How to sell online in IndonesiaMuliadi jeo - How to sell online in Indonesia
Muliadi jeo - How to sell online in Indonesia
 
Max Pronko - 10 migration mistakes from Magento 1 to Magento 2
Max Pronko - 10 migration mistakes from Magento 1 to Magento 2Max Pronko - 10 migration mistakes from Magento 1 to Magento 2
Max Pronko - 10 migration mistakes from Magento 1 to Magento 2
 
Alessandro La Ciura - Progettare la migliore integrazione tra live chat ed e-...
Alessandro La Ciura - Progettare la migliore integrazione tra live chat ed e-...Alessandro La Ciura - Progettare la migliore integrazione tra live chat ed e-...
Alessandro La Ciura - Progettare la migliore integrazione tra live chat ed e-...
 
Bodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best PracticesBodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
Bodin - Hullin & Potencier - Magento Performance Profiling and Best Practices
 
Giulio Gargiullo - Strategie di marketing digitale per avviare l’e-commerce i...
Giulio Gargiullo - Strategie di marketing digitale per avviare l’e-commerce i...Giulio Gargiullo - Strategie di marketing digitale per avviare l’e-commerce i...
Giulio Gargiullo - Strategie di marketing digitale per avviare l’e-commerce i...
 
Vinai Kopp - FPC Hole punching in Magento 2
Vinai Kopp - FPC Hole punching in Magento 2Vinai Kopp - FPC Hole punching in Magento 2
Vinai Kopp - FPC Hole punching in Magento 2
 
Jacopo Nardiello - From CI to Prod: Running Magento at scale with Kubernetes
Jacopo Nardiello - From CI to Prod: Running Magento at scale with KubernetesJacopo Nardiello - From CI to Prod: Running Magento at scale with Kubernetes
Jacopo Nardiello - From CI to Prod: Running Magento at scale with Kubernetes
 
James Zetlen - PWA Studio Integration…With You
James Zetlen - PWA Studio Integration…With YouJames Zetlen - PWA Studio Integration…With You
James Zetlen - PWA Studio Integration…With You
 
Talesh Seeparsan - The Hound of the Malwarevilles
Talesh Seeparsan - The Hound of the MalwarevillesTalesh Seeparsan - The Hound of the Malwarevilles
Talesh Seeparsan - The Hound of the Malwarevilles
 
Miguel Balparda - A day in support
Miguel Balparda - A day in supportMiguel Balparda - A day in support
Miguel Balparda - A day in support
 
Volodymyr Kublytskyi - Develop Product, Design Platform
Volodymyr Kublytskyi - Develop Product, Design PlatformVolodymyr Kublytskyi - Develop Product, Design Platform
Volodymyr Kublytskyi - Develop Product, Design Platform
 
Rosario Toscano - Processi di ottimizzazione per una crescita continua
Rosario Toscano - Processi di ottimizzazione per una crescita continuaRosario Toscano - Processi di ottimizzazione per una crescita continua
Rosario Toscano - Processi di ottimizzazione per una crescita continua
 
Henrik Feld Jakobsen - How to sell online Scandinavia
Henrik Feld Jakobsen - How to sell online ScandinaviaHenrik Feld Jakobsen - How to sell online Scandinavia
Henrik Feld Jakobsen - How to sell online Scandinavia
 
Rabia Qureshi - How to sell online in UK
Rabia Qureshi - How to sell online in UKRabia Qureshi - How to sell online in UK
Rabia Qureshi - How to sell online in UK
 
Matteo Schuerch - How to sell online in Switzerland
Matteo Schuerch - How to sell online in SwitzerlandMatteo Schuerch - How to sell online in Switzerland
Matteo Schuerch - How to sell online in Switzerland
 
Il data-driven nell’e-commerce: il caso studio Alessi
Il data-driven nell’e-commerce: il caso studio AlessiIl data-driven nell’e-commerce: il caso studio Alessi
Il data-driven nell’e-commerce: il caso studio Alessi
 
Philippe Bernou - Seamless omnichannel solutions with Magento order management
Philippe Bernou - Seamless omnichannel solutions with Magento order managementPhilippe Bernou - Seamless omnichannel solutions with Magento order management
Philippe Bernou - Seamless omnichannel solutions with Magento order management
 

Último

ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar TrainingKylaCullinane
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesPooja Nehwal
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Hasting Chen
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Vipesco
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 

Último (20)

ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 

Andrea Zwirner - Magento security and hardening strategies

  • 2. Mar 2, 2017, Meet Magento 2017, Milan. Andrea Zwirner – Linkspirit (IT security). Magento security and hardening strategies. andrea@linkspirit.it, @AndreaZwirner
  • 3. Environment
    ● Linux, Apache, MariaDB, PHP
    ● Magento 1.9.x.y
      – We will be as platform independent as possible
  • 4. Magento average security
    ● Magento is a good product, and security is never underestimated
      – Fast security patches for both the 1.9.x and 2.x versions
      – URL protection (secret keys added to admin URLs)
      – Session validation (against session poisoning, hijacking and fixation attacks)
      – CSRF protection
      – CAPTCHA on the admin login (against brute force)
  • 5. Magento average security
    ● Sensitive data (cards, integration passwords) are encrypted with an additional encryption key
    ● There is also a lot of documentation on security and hardening
  • 6. Magento average security
    ● Anyway, the team is doing a great job!
    ● But it might all be useless if…
  • 7. A secure platform in an insecure world
    (layer diagram: Hardware, Operating System, Libraries, Application, Services)
  • 8. Full of unprepared users...
    (the same diagram, with User added on top)
  • 9. Backend security
    ● Workstations that work with the backend need to be hardened
    ● The same applies to the environment in which those workstations operate
      – And to the environments it is connected to, including suppliers, clients, etc.
    ● Users need to be made aware of the risks they might expose the application to
  • 10. What's the strategy?
  • 11. Never underestimate the importance of end users
    "Ensuring cybersecurity is a common responsibility. End users play a crucial role in ensuring the security of networks and information systems: they need to be made aware of the risks they face online and be empowered to take simple steps to guard against them."
    Cybersecurity Strategy of the European Union, European Commission, Feb 2013
  • 13. Enumeration is the key
    ● If you want to crack it, you need to know it
    ● The quieter you become, the more you're able to hear
    ● You can't just try every single weapon you have in your armory
      – That would alarm any kind of IPS at any level
  • 14. Enumeration – /magento_version (image only)
  • 15. Enumeration – /downloader (image only)
  • 16. Enumeration – static files 1
    ● /skin/frontend/default/default/css/styles.css
  • 17. Enumeration – static files 2 (image only)
  • 18. Enumeration in web application scanners (image only)
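The three probes on slides 14 to 17, written out as an added example (this is not tooling from the talk): a small fingerprinter that asks for /magento_version, for the Connect Manager at /downloader/ and for a default-theme static file whose digest is looked up in a release table. The fetch function is injected so the logic runs offline against constructed responses; the banner format "Magento/1.9 (Community)", the "Magento Connect Manager" title string and the digest table are assumptions made for the demo, and the live fetcher is only for a store you are authorised to test. Running it against your own store after the hardening steps later in the talk is the quickest way to confirm the disclosures are gone.

```python
"""Version enumeration through the probes the slides list: /magento_version, /downloader
and a digest of a static file. Added example, not the talk's tooling."""
import hashlib
import re
from typing import Callable, Dict, Optional, Tuple

# fetch(url) -> (status, body), or None when the connection fails.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]

VERSION_PATH = "/magento_version"      # assumed to answer e.g. "Magento/1.9 (Community)"
DOWNLOADER_PATH = "/downloader/"       # Magento Connect Manager login page (assumed title string)
STATIC_PATHS = ("/skin/frontend/default/default/css/styles.css",)

VERSION_RE = re.compile(r"Magento/(\d+(?:\.\d+)*)\s*\((\w+)\)")


def fingerprint(base: str, fetch: Fetcher, digests: Dict[str, str]) -> Dict[str, str]:
    """Return what the target leaks; an empty dict means the three probes found nothing.

    digests maps sha256(static file body) -> release label, the table a real scanner
    builds from every release tarball (constructed here)."""
    findings: Dict[str, str] = {}

    resp = fetch(base + VERSION_PATH)
    if resp and resp[0] == 200:
        m = VERSION_RE.search(resp[1])
        if m:
            findings["version_banner"] = f"{m.group(1)} {m.group(2)}"

    resp = fetch(base + DOWNLOADER_PATH)
    if resp and resp[0] == 200 and "Magento Connect Manager" in resp[1]:
        findings["downloader"] = "exposed"

    for path in STATIC_PATHS:
        resp = fetch(base + path)
        if resp and resp[0] == 200:
            digest = hashlib.sha256(resp[1].encode()).hexdigest()
            if digest in digests:
                findings["static:" + path] = digests[digest]
    return findings


def urllib_fetcher(timeout: float = 5.0) -> Fetcher:
    """Live fetcher, for a store you are authorised to test."""
    import urllib.error
    import urllib.request

    def fetch(url: str) -> Optional[Tuple[int, str]]:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
        except (urllib.error.URLError, OSError):
            return None
    return fetch


# Constructed responses for a leaky store and for the same store after hardening.
_CSS = "/* constructed styles.css */ body { margin: 0; }"
LEAKY = {
    "http://shop.example/magento_version": (200, "Magento/1.9 (Community)"),
    "http://shop.example/downloader/": (200, "<title>Magento Connect Manager</title>"),
    "http://shop.example/skin/frontend/default/default/css/styles.css": (200, _CSS),
}
HARDENED = {url: (404, "") for url in LEAKY}
DEMO_DIGESTS = {hashlib.sha256(_CSS.encode()).hexdigest(): "1.9.x (constructed table)"}


def fake_fetcher(table: Dict[str, Tuple[int, str]]) -> Fetcher:
    return lambda url: table.get(url)


if __name__ == "__main__":
    print("leaky:   ", fingerprint("http://shop.example", fake_fetcher(LEAKY), DEMO_DIGESTS))
    print("hardened:", fingerprint("http://shop.example", fake_fetcher(HARDENED), DEMO_DIGESTS))
```

Three requests is all it takes, which is the point of slide 13: a quiet attacker does not need a scanner to learn the exact release, and therefore which SUPEE patches to look for.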
  • 19. It's attack time!
    ● We have to make a couple of assumptions
      – A vulnerable Magento version (1.9.1.0 CE or 1.14.1.0 EE)
      – Not patched with SUPEE-5344
      – That means RCE… Uh ohhh…
  • 20. It's attack time! (image only)
  • 21. It's attack time! (image only)
  • 22. It's attack time! (image only)
  • 23. It's attack time!
    ● backdoor.tgz adds backdoor.php (a Meterpreter reverse shell) in /errors
  • 24. It's attack time!
    ● Misconfigurations
      – The downloader is exposed and unprotected
      – File system permissions have not been reset (maybe after the last extension install)
  • 25. TCP reverse shell (image only)
  • 26. Getting DB credentials (image only)
  • 27. It's attack time! (image only)
  • 28. DB dump! (image only)
  • 29. Passwords
    ● md5/sha-256(salt+password):salt – no bcrypt, scrypt or PBKDF2 :-(
  • 30. Let's crack them, with hashcat!
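Slides 29 and 30 in code, as an added example that is neither the talk's nor Magento's own implementation: the hash(salt + password):salt layout is reproduced, a dictionary attack is run against it in pure Python (the same work hashcat does, just slower), and a PBKDF2-HMAC-SHA256 format is placed beside it so the throughput difference can be measured. The 2-character salt, the sample password and the wordlist are constructed for the demo.

```python
"""The Magento 1 password layout from slide 29 next to a slow hash, with the dictionary
attack hashcat automates. Added example, not the talk's or Magento's code."""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional


def magento1_hash(password: str, salt: str, algo: str = "md5") -> str:
    """Stored form: hex(algo(salt + password)) + ':' + salt. md5 in CE, sha256 in EE."""
    return hashlib.new(algo, (salt + password).encode()).hexdigest() + ":" + salt


def magento1_verify(password: str, stored: str, algo: str = "md5") -> bool:
    _, _, salt = stored.partition(":")
    return hmac.compare_digest(magento1_hash(password, salt, algo), stored)


def crack_magento1(stored: str, wordlist: Iterable[str], algo: str = "md5") -> Optional[str]:
    """What `hashcat -m 20` (md5($salt.$pass)) or `-m 1420` (sha256($salt.$pass)) does,
    in pure Python: the salt is public, so each candidate costs one fast digest."""
    digest, _, salt = stored.partition(":")
    for candidate in wordlist:
        if hashlib.new(algo, (salt + candidate).encode()).hexdigest() == digest:
            return candidate
    return None


PBKDF2_ITERATIONS = 200_000   # tune so one verification costs roughly 100 ms on your hardware


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, self-describing format: pbkdf2_sha256$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(check: Callable[[str], bool], budget_s: float = 0.3) -> float:
    """Rough single-core attacker throughput for a verify function."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget_s:
        check("not-the-password-%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


# Constructed inputs: a 2-character salt as Magento 1 CE generates (assumption) and a tiny wordlist.
WORDLIST = ["password", "123456", "magento", "admin123", "Winter2017!", "letmein"]

if __name__ == "__main__":
    legacy = magento1_hash("Winter2017!", "aB")     # one "hash:salt" line of hashes.txt for hashcat
    print("cracked:", crack_magento1(legacy, WORDLIST))
    modern = pbkdf2_hash("Winter2017!")
    print("md5 guesses/s:    %.0f" % guesses_per_second(lambda p: magento1_verify(p, legacy)))
    print("pbkdf2 guesses/s: %.0f" % guesses_per_second(lambda p: pbkdf2_verify(p, modern)))
```

The dumped admin_user rows go into a file one `hash:salt` per line and `hashcat -m 20 hashes.txt wordlist.txt` (or `-m 1420` for the sha256 EE variant) does the loop above on a GPU at billions of guesses per second; the PBKDF2 line in the output shows why the slide's complaint about the missing bcrypt/scrypt/PBKDF2 matters, since the same hardware then gets a few thousand guesses per second at most.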
  • 31. Option two: frontend malware (common!)
  • 32. And your card number is?
  • 33. Why does all this stuff work?
    ● Using vulnerable components (at any level of the stack)
      – It doesn't matter which Magento version you use: it has to be (quickly) patched!
  • 34. Why does all this stuff work?
    ● Using vulnerable components (at any level of the stack)
      – It doesn't matter which Magento version you use: it has to be (quickly) patched!
    ● Misconfigurations
      – Whoever works inside the environment has to know (well) what they are doing!
  • 35. So, let's harden it – basic
    ● Monitor issues for every single component of the stack, and patch accordingly
    ● Restrict access to administrative functions to specific IP addresses
    ● Hide sensitive URLs (admin / downloader / extensions) behind custom URLs
    ● Block access to development / staging / test environments
  • 36. So, let's harden it – mid
    ● Run Magento inside a dedicated environment
    ● Always apply the principle of least privilege
    ● Automate the deployment process
      – Extensions should not be installed in production
      – Implement automated checks (unit tests, static code analysis, etc.)
    ● Audit the user list and enable two-factor authentication (Nexcess, miniOrange, etc.)
  • 37. So, let's harden it – advanced
    ● Check the Admin Action Logs and compare with policies / timing / etc.
    ● Check file integrity (compare production with a clean version, mtimes, etc.)
    ● Monitor all system logins and compare with policies / timing / etc.
    ● Choose extensions accordingly (e.g. ASVS compliance / code review / pen-test)
      – If possible, avoid extensions with upload functions
  • 38. So, let's harden it – advanced
    ● Monitor for common malicious functions or code
      – curl(, FILE_APPEND, file_put_, fwrite, http.open, http.send, mail, <script, etc.
    ● Monitor for files bigger than 2-3 MB
      – They can contain stolen data waiting to be sent to the attacker
    ● Monitor for common backdoor code
      – A lot: base64, exec, wget, system, move_uploaded_file, encodeURI, etc.
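The file-integrity check of slide 37 and the content and size monitoring of slide 38 fit in one script, given here as an added example rather than tooling from the talk. It hashes a clean copy of the release (plus the same extensions) and the production docroot, reports added, removed and modified files, and only then greps the files that differ for the slides' token list, flags anything above the 2 MB mark and lists world-writable files (the permission problem of slide 24). Scanning only the delta is deliberate: a grep of a whole Magento tree would flag its own legitimate uses of file_put_contents and $_POST. The demo docroots, the backdoor body and the size limit are constructed; the path layout mirrors the /errors drop from slide 23.

```python
"""Baseline file-integrity diff plus backdoor-pattern and size checks for a Magento docroot
(slides 37 and 38). Added example, not the talk's tooling. Assumes a clean copy of the same
release and extensions is kept as the baseline; the pattern list is the slides' plus a few extras."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

MAX_FILE_SIZE = 2 * 1024 * 1024          # slide 38: files above 2-3 MB may be staged stolen data
SKIP_TOP_DIRS = {"var", "media"}         # caches, sessions, uploads churn legitimately: audit separately
SUSPICIOUS = re.compile(
    rb"(base64_decode|eval\s*\(|exec\s*\(|system\s*\(|passthru|shell_exec|popen|"
    rb"move_uploaded_file|file_put_contents|fwrite\s*\(|curl_exec|wget |"
    rb"encodeURI|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[)", re.I)

Entry = Tuple[str, int, int]             # (sha256, size, mode)


def hash_tree(root: str) -> Dict[str, Entry]:
    """Map relative path -> (sha256, size, mode) for every regular file under root."""
    base = Path(root)
    tree: Dict[str, Entry] = {}
    for p in base.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(base).as_posix()
        if rel.split("/", 1)[0] in SKIP_TOP_DIRS:
            continue
        st = p.stat()
        tree[rel] = (hashlib.sha256(p.read_bytes()).hexdigest(), st.st_size, st.st_mode)
    return tree


def scan_bytes(data: bytes) -> List[str]:
    """Distinct suspicious tokens found in a file body, lower-cased."""
    return sorted({m.group(0).decode("latin-1").lower() for m in SUSPICIOUS.finditer(data)})


def audit(baseline_root: str, prod_root: str) -> dict:
    base, prod = hash_tree(baseline_root), hash_tree(prod_root)
    added = sorted(set(prod) - set(base))
    removed = sorted(set(base) - set(prod))
    modified = sorted(k for k in set(base) & set(prod) if base[k][0] != prod[k][0])
    report = {"added": added, "removed": removed, "modified": modified,
              "suspicious": {}, "oversized": [], "world_writable": []}
    # Content checks only on what differs from the clean copy.
    for rel in added + modified:
        hits = scan_bytes((Path(prod_root) / rel).read_bytes())
        if hits:
            report["suspicious"][rel] = hits
        if prod[rel][1] > MAX_FILE_SIZE:
            report["oversized"].append(rel)
    report["world_writable"] = sorted(rel for rel, e in prod.items() if e[2] & 0o002)
    return report


def build_demo() -> Tuple[str, str]:
    """Constructed baseline and 'production' docroots mirroring the drop on slide 23."""
    root = tempfile.mkdtemp()
    base, prod = Path(root, "clean"), Path(root, "prod")
    for d in (base, prod):
        (d / "errors").mkdir(parents=True)
        (d / "index.php").write_text("<?php require 'app/Mage.php'; Mage::run();\n")
        (d / "errors" / "404.php").write_text("<?php include 'processor.php';\n")
    (prod / "errors" / "backdoor.php").write_text("<?php eval(base64_decode($_POST['c']));\n")
    (prod / "index.php").write_text(
        "<?php require 'app/Mage.php'; @include 'errors/backdoor.php'; Mage::run();\n")
    (prod / "errors" / "dump.bin").write_bytes(b"\0" * (MAX_FILE_SIZE + 1))
    return str(base), str(prod)


if __name__ == "__main__":
    clean, prod = build_demo()
    for key, value in audit(clean, prod).items():
        print(f"{key}: {value}")
```

Run it from cron and alert on a non-empty report; the baseline must be rebuilt as part of the automated deployment from slide 36, otherwise every release turns into noise. Comparing mtimes, as the slide suggests, is a cheaper first pass but an attacker with a shell can reset them with touch, which is why the digest comparison is the one to trust.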
  • 39. So, let's harden it – advanced
    ● Do anything you can to make enumeration harder
      – Remove service banners
      – Remove metadata
      – Remove/change static files
        ● *_version, README, etc.
        ● *.css, *.js
  • 40. A common attack: brute force
  • 41. Intrusion prevention
    ● Should we just wait for the attacker to guess the password?
    ● Intrusion Prevention Systems
      – Policy verification through log analysis
    ● Web application firewalls
      – Configuration (platform dependent)
      – Review (at least on application changes)
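The "policy verification through log analysis" of slide 41 applied to the brute-force attack of slide 40, as an added example and not tooling from the talk: a sliding-window counter of failed POSTs to the admin login per source IP over Apache combined-format access log lines. It assumes the default admin frontname and that a failed admin login re-renders the form with a 200 while a successful one redirects with a 302; the log excerpt, the TEST-NET addresses and the thresholds are constructed. The case it singles out is the one an IPS that only blocks would miss: a 302 arriving after a run of failures means the password was guessed, not that the attack stopped.

```python
"""Brute-force detection against the admin login from Apache access logs (slides 40 and 41).
Added example, not the talk's tooling. Assumptions: combined log format, admin frontname
'admin', failed login re-renders the form (200), successful login redirects (302)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional, Tuple

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
ADMIN_LOGIN = re.compile(r"^/(?:index\.php/)?admin/?(?:index/index/?)?(?:\?.*)?$")

Record = Tuple[str, datetime, str, str, int]


def parse_line(line: str) -> Optional[Record]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect(lines: Iterable[str], threshold: int = 5, window_s: int = 300,
           suspicious_success: int = 3) -> Dict[str, dict]:
    """Sliding-window count of failed admin POSTs per source IP.

    Returns ip -> {'block': True, 'failures': n} once n >= threshold inside window_s, and adds
    'success_after_failures': n when a 302 follows n >= suspicious_success failures."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not ADMIN_LOGIN.match(path):
            continue
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if status == 302:
            if len(q) >= suspicious_success:
                findings.setdefault(ip, {})["success_after_failures"] = len(q)
            q.clear()
            continue
        q.append(ts)                     # 200 (form again), 403, 5xx: all count as not logged in
        if len(q) >= threshold:
            entry = findings.setdefault(ip, {})
            entry["block"] = True
            entry["failures"] = max(entry.get("failures", 0), len(q))
    return findings


# Constructed log excerpt: one attacker (TEST-NET-3) guessing, one legitimate admin (TEST-NET-2)
# mistyping once, a product-page GET and a malformed line the parser must survive.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2017:10:00:01 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:03 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Mar/2017:10:00:04 +0100] "GET /electronics/phone.html HTTP/1.1" 200 41000 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:05 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not an access log entry
203.0.113.7 - - [02/Mar/2017:10:00:07 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:09 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2017:10:00:11 +0100] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Mar/2017:10:05:00 +0100] "POST /index.php/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Mar/2017:10:05:10 +0100] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

In production the 'block' entries are what a fail2ban jail or the WAF acts on, while 'success_after_failures' should page someone and trigger the Admin Action Log review from slide 37. With the IP restriction from slide 35 in place the login path is unreachable from the attacker's address in the first place, and this becomes the check that the restriction is still there.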
  • 42. Know your enemy
    ● Should we just wait for the attacker to find the right path?
    ● Information about attacks must be collected and analyzed
    ● You have to understand who the attacker is and what their goal is
  • 43. And then… Shit happens!
    ● Make sure your governance is granular enough to understand what's happening
    ● You have to know what the system is doing, not just that it is "working"
    ● And if everything has been fucked up, the keywords are
      – Backup
      – Restore
      – Disaster recovery plan
  • 44. Magento security and hardening strategies. Andrea Zwirner, andrea@linkspirit.it, @AndreaZwirner. Linkspirit (IT security)