security

Magento Security and Us Meet Magento New York 2014 Talk

This Meet Magento New York 2014 tech track presentation is Magento Security and Us by Lee Saferite. Notes from the talk follow. Limit your attack surface: don't open unnecessary ports, and ideally provide SSH access to your site through a server in a different subnet from your web server.

External log file storage: if your server is compromised, you can't trust anything on it, including its logs. Ship logs to a third-party service or another server in real time.

Backup security: your backups contain all of your data, so they need to be secured accordingly.

Your Magento site shouldn't have any writable PHP code. Only var and media need to be writable, and they should be writable only by the web server user.
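One way to check a document root for that rule, as an added example that is not part of the talk: a POSIX shell audit that prunes var/ and media/ and reports every remaining file the web server account could write to. It assumes the classic layout with var/ and media/ directly under the root and that you pass the web server account name (www-data in the comments is an assumption).

```shell
#!/bin/sh
# Added example, not from the talk: audit a Magento document root for code
# files the web server user could modify. Assumptions: var/ and media/ sit
# directly under the root, and the caller passes the web server account
# name (for example www-data). Nothing else here is site specific.

# Print every regular file outside var/ and media/ that is writable by the
# web server user: owned by it with the owner write bit set, in its primary
# group with the group write bit set, or world-writable.
# Usage: find_writable_code <magento_root> <web_user>
find_writable_code() {
    root=$1
    webuser=$2
    webgroup=$(id -gn "$webuser") || return 2
    find "$root" -path "$root/var" -prune -o -path "$root/media" -prune -o \
        -type f \( -perm -002 \
                -o -user "$webuser" -perm -200 \
                -o -group "$webgroup" -perm -020 \) -print
}

# Build a constructed sample tree so the audit can run offline. Everything
# is created by the current user, who stands in for the web server account.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/app/code/local/Vendor/Module/Helper" "$root/app/etc" \
             "$root/var/log" "$root/media/catalog"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/app/code/local/Vendor/Module/Helper/Data.php"
    printf '<config/>\n' > "$root/app/etc/local.xml"
    printf 'log line\n' > "$root/var/log/system.log"
    : > "$root/media/catalog/image.jpg"
    chmod 0444 "$root/index.php"                                    # read-only: clean
    chmod 0644 "$root/app/code/local/Vendor/Module/Helper/Data.php" # owner-writable: flagged
    chmod 0666 "$root/app/etc/local.xml"                            # world-writable: flagged
    chmod 0644 "$root/var/log/system.log"                           # under var/: allowed
    chmod 0666 "$root/media/catalog/image.jpg"                      # under media/: allowed
    printf '%s\n' "$root"
}

# Stand-alone demo: the web server user is taken to be whoever runs this.
demo_root=$(make_sample_root)
echo "Writable code under $demo_root (web user $(id -un)):"
find_writable_code "$demo_root" "$(id -un)"
```

Note that a 0644 file is flagged when the web server user owns it: ownership, not just the mode bits, decides whether PHP code is writable.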

Magento extension authors should define specific, granular permissions in their extensions so that Magento site owners can restrict who can do what.

Don't install extensions directly from Connect; run a code review and security audit first. You also don't want extensions that update themselves automatically, because you don't know what the new code might do.

If you sell online for long enough, you will be a target, and at some point you will be compromised. Have a written incident response plan for what needs to be done when this happens so that you're prepared for it.


Google Adds Advanced Login Security

Google announced today that they now support 2-factor authentication, or what they're calling 2-step verification. This combines the normal username and password you use to log in with a second piece of information that authenticates you when logging in to your account. This second piece of information is a numeric code that Google provides via text message, phone call or a brand-new app called Google Authenticator each time you want to log in to Gmail. The code changes every time you log in, so even if your password is compromised, an attacker can't access your account unless they also have your phone. Given how much information we exchange via email these days, and how Google encourages everyone to keep all of their email in Gmail, it's important to keep your Google account secure, so I recommend enabling this feature today.