Talking to Magento about security
A Space 48 interview with Piotr Kaminski
Piotr Kaminski is a Lead Product Manager at Magento, and has been with Magento since the early days way back in 2003. Currently Piotr is responsible for all of Magento 1, Magento application security, and Magento 2 developer experience and translations. Image source: Piotr Kaminski
There have been a lot of high-profile intrusions and ransomware attacks in the news lately. What steps has Magento taken toward securing the platform against hackers?
When Magento joined eBay/PayPal in 2010, we joined their well-developed security programs. We learned a great deal from this experience and we carry on many of their best practices today. For example, we run external penetration tests every quarter, we do thorough code audits and static code scans, and conduct automated penetration testing using OWASP’s Zed Attack Proxy tools. We also launched a very successful Bug Bounty program.
“We learned a lot of security lessons from eBay/PayPal.”
What’s a Bug Bounty program?
This is when we open up our code and invite both the Magento community and the larger security community to help us identify potential security vulnerabilities. We issue rewards for security issues that they find. It was through the Bug Bounty program that we found and patched the Shoplift exploit so quickly last year.
I heard about the Shoplift exploit in the news last year. What happened?
In January 2015, we learned about a remote code execution and SQL injection issue, later called Shoplift. We issued a patch by February 2015, less than a month after it was discovered. But not everyone updated their Magento shops with the patch. So in April, we ran a very large-scale communication campaign to get merchants to patch their sites and reviewed and enhanced our patch process to include:
- Releasing patches on Tuesdays, to give merchants plenty of time to install them before the weekend.
- Releasing on both Community and Enterprise Editions at the same time.
- Issuing new releases with security improvements at the same time we release patches, so that anyone who installs the latest release of Magento will always have the latest security patches.
- Conducting thorough audits on 3rd party libraries, because attacks often do not target Magento directly, but through a weakness from a 3rd party.
- Creating the Magento Security Center and maintaining a thorough, up-to-date Best Practices Guide.
- Improving our communication efforts to get the word out when new security updates are available. We introduced a special “Security Alert Registry” newsletter that’s only used for security alerts. We encourage everyone to sign up to receive these alerts (link: https://magento.com/security/sign-up). We also inform security information specialists and hosting partners, publish blog posts, use social media, post on our forums, and push a message to the Magento Admin to let everyone know.
“In Magento 2, we’re doing away with issuing stand-alone patches to fix security problems.”
What about Magento 2? Are there any changes in security in Magento 2 that differ from Magento 1?
Yes. In Magento 2, we’re doing away with issuing stand-alone patches to fix security problems. In many cases, merchants don’t always know when there is a new issue or a patch to be installed. Or, they know about the patch but they don’t have the knowledge or skills to apply it, or feel it takes too much time or cost.
So in Magento 2, we will only be issuing security fixes as minor release versions, which should be painless to upgrade. This process can already be seen with our patch releases of Magento 2.0.1-2.0.4, which addressed several cross-site scripting, SQL injection, and other security vulnerabilities.
“Hackers can see the changes and develop exploits to take advantage of those who are slow to patch.”
If you could convince Magento users to do one thing to improve their security, what would it be?
The most important thing is to always patch or upgrade Magento immediately. Once a security patch is released, it’s public, and the hackers can see the changes and develop exploits to take advantage of merchants who are slow to patch.
To make sure you always know about new patches or issues, sign up for the Security Alert Registry. Also, try scanning your website at MageReport (www.magereport.com), a community security project maintained by Byte.nl. It does an external scan of your site, trying to guess which patches are installed based on fingerprints of some of the changes. It helps to identify if you are missing any security patches.
“There is a very high chance that every e-commerce business will face an exploit attempt at some point, regardless of the platform. Be prepared for when it happens to you.”
What other security tips do you have?
I have many!
Start by making sure you read our Security Best Practices guide. It is a very well written document and contains a lot of important and practical advice.
Make sure that developers are not taking any shortcuts. Write secure code. Get training if needed. I highly recommend Talesh Seeparsan’s presentations: https://www.youtube.com/channel/UCC1clcwfoLWdc6EV1RM3t-Q
Be careful with using developer code on production environments, like Magmi (the Magento Mass Importer), which is a developer tool that has direct access to the database. If it is unsecured, then hackers could gain direct access to your database, too. Also protect your code repository, including your local.xml and any database tunnels.
In Magento Admin, check for any users that you don’t recognise. Many of the exploits we’ve seen have tried to create fake Admin users to give them full access to Magento.
Avoid putting other systems, like WordPress, on the Magento server. This increases the security risk of both systems, because a vulnerability on one could lead to access to the other.
Host your site with a Magento Hosting Partner. They understand security much better than a generic hosting provider and can help you make sure that you have the right protections in place.
Train your employees how to identify and avoid phishing attempts. Also, make sure that they do not share admin accounts because it becomes impossible to sort out who did what if you need to review actions later.
And lastly, prepare an incident response plan for disaster recovery and business continuity in the event of an attack. The growing incidence and sophistication of security exploits means that all businesses will be targeted at some point, regardless of the platform. Be prepared for when it happens to you. There is a very good template to help you prepare, maintained by Talesh Seeparsan, at https://github.com/talesh/response.
Lastly, what should I do if I think my Magento site has been compromised?
Seek help immediately. Start with contacting your hosting provider. Also remember that upgrading or adding the security patch after an attack might not be enough to fix the problem. If there was malware already on the system, it may still be hiding. For example, if the hackers had created fake Admin users, then the security upgrade may stop them from creating new Admins, but the hackers would still have full access from the ones that are already there.
If you suspect that data was stolen or fraudulent charges were made, you may also need to work with law enforcement and/or your payment provider to resolve those issues.
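The advice above to check the Magento Admin for users you don't recognise, and the point in the last answer that fake Admin users created before a patch keep their access after it, both come down to reviewing the store's admin accounts against what the owner actually expects. The following is an added example, not code from the interview or from Magento. It rebuilds the relevant columns of Magento 1's `admin_user` and `admin_role` tables in an in-memory SQLite database with constructed sample rows, then flags any account that is not on an owner-maintained list of known admins or was created after the date of the last review. The allowlist, the cutoff date, the sample rows and the reduced table schema are assumptions for the demonstration; against a live store the same query would be run on the MySQL database.

```python
"""Review Magento admin accounts for anything the store owner does not recognise.

Added example; not code from the interview or from Magento. The two tables
below are reduced to the columns the check needs. In Magento 1 they are
`admin_user` and `admin_role`; Magento 2 keeps `admin_user` and names the
role table `authorization_role` with the same role columns.
"""
import sqlite3
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed allowlist of accounts the owner knows about. Keep it outside the
# database so an attacker who edits admin_user cannot also edit the reference.
KNOWN_ADMINS = {"admin", "jane.doe"}

# Constructed sample rows. Column names follow Magento 1's admin_user table.
SAMPLE_USERS = [
    # user_id, username,   email,                      created,               logdate,               is_active
    (1, "admin",    "owner@example-shop.test",   "2014-03-02 09:15:00", "2016-05-10 08:01:00", 1),
    (2, "jane.doe", "jane@example-shop.test",    "2015-07-19 11:00:00", "2016-05-09 17:22:00", 1),
    (3, "support1", "noreply@mail.example.invalid", "2016-05-08 03:41:12", "2016-05-08 03:42:00", 1),
    (4, "old.temp", "temp@example-shop.test",    "2015-01-04 10:00:00", None,                  0),
]
# admin_role: role_type 'G' rows are groups; role_type 'U' rows bind a
# user_id to the group in parent_id.
SAMPLE_ROLES = [
    # role_id, parent_id, role_type, user_id, role_name
    (1, 0, "G", 0, "Administrators"),
    (2, 1, "U", 1, "admin"),
    (3, 1, "U", 2, "jane.doe"),
    (4, 1, "U", 3, "support1"),
    (5, 1, "U", 4, "old.temp"),
]

# One query that lists every admin account with the group it belongs to.
REVIEW_SQL = """
SELECT u.user_id, u.username, u.email, u.created, u.logdate, u.is_active,
       g.role_name AS role_group
FROM admin_user u
LEFT JOIN admin_role ur ON ur.user_id = u.user_id AND ur.role_type = 'U'
LEFT JOIN admin_role g  ON g.role_id = ur.parent_id AND g.role_type = 'G'
ORDER BY u.created DESC
"""


def build_sample_db():
    """Create the in-memory stand-in for the store database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin_user (
            user_id INTEGER PRIMARY KEY, username TEXT, email TEXT,
            created TEXT, logdate TEXT, is_active INTEGER);
        CREATE TABLE admin_role (
            role_id INTEGER PRIMARY KEY, parent_id INTEGER, role_type TEXT,
            user_id INTEGER, role_name TEXT);
    """)
    conn.executemany("INSERT INTO admin_user VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO admin_role VALUES (?,?,?,?,?)", SAMPLE_ROLES)
    return conn


def review_admins(conn, known, created_after):
    """Return [(username, [reasons])] for accounts that deserve a closer look.

    An account is reported when it is not in `known` or was created after
    `created_after` (the date of the last review). Being in the
    Administrators group is added as context, since that is full access.
    A disabled account you do not recognise is still reported: it should be
    removed, not just left inactive.
    """
    cutoff = datetime.strptime(created_after, DATE_FMT)
    findings = []
    for _uid, username, _email, created, _logdate, _active, group in conn.execute(REVIEW_SQL):
        reasons = []
        if username not in known:
            reasons.append("not in the list of known admins")
        if datetime.strptime(created, DATE_FMT) > cutoff:
            reasons.append("created after the last review")
        if reasons and group == "Administrators":
            reasons.append("member of the Administrators role")
        if reasons:
            findings.append((username, reasons))
    return findings


if __name__ == "__main__":
    for name, why in review_admins(build_sample_db(), KNOWN_ADMINS, "2016-05-01 00:00:00"):
        print(f"{name}: {'; '.join(why)}")
```

With the constructed rows, `support1` is reported on all three counts (unknown, created after the last review, full Administrators access), and `old.temp` is reported as unknown even though it is disabled. Run against a real store after a security upgrade, the same review is what tells you whether an attacker left themselves an account that the patch alone would not remove.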
Magento Security References:
- Magento’s Security Best Practices guide: https://magento.com/security/best-practices/security-best-practices
- Magento’s Security Alert Registration: https://magento.com/security/sign-up
- Magento’s Bug Bounty program: https://magento.com/security/tag/bug-bounty
- MageReport.com for scanning vulnerabilities on your website.
- Talesh Seeparsan’s YouTube channel: https://www.youtube.com/channel/UCC1clcwfoLWdc6EV1RM3t-Q
- Incident response template: https://github.com/talesh/response