Magento Security – Comprehensive Punch List

Security

It very often happens that we take over a site from another firm and are then stuck with a conglomeration of code and potentially dozens of people who have worked on the site. I am looking for a punch list of items to ask of a security person to ensure the Magento site is hardened. This would be required if someone were to take full responsibility for all the code and the client did not want to rebuild from scratch.

My question: Is there a top 10 or top 20 list of items to ask and to document?

Best Answer

From my experience, these are the important things to get information about when taking over a new shop from a security point of view. This list is not ordered or complete yet; I will continue to work on it.

Magento Security

  1. HTTPS used (all over the shop, only for checkout)?
  2. Custom Admin Path?
  3. Access to admin path restricted?
  4. How many Admins? Any unneeded users active?
  5. Account protection & password encryption (for customers and admins): Standard or customization? 2-factor auth?
  6. (Latest) Magento version used?
  7. Magento Security Patches applied?
  8. Custom root level folders/scripts which are necessary to be accessed from remote?
  9. Access to test/staging system (if available) restricted?
  10. Webservices, import/export functionality used?
  11. How many Webservice roles? Any unneeded roles active?
  12. List of installed extensions
  13. Installed extensions up to date?
  14. PCI-DSS, trusted shops, any other label?
  15. Session/Cookie lifetime?
  16. Only run Magento (no WordPress or any other third-party software).
  17. Data stored: What kind of customer and order data (as well as data from 3rd party and customized extensions), is stored? Bank data, credit card data (see PCI-DSS)?

System Security

  1. PHP version: recent version or old one?
  2. File permissions: Running as www-data/apache user or root?
  3. Proper file permissions set?
  4. Shop-specific database credentials vs. database running as root?
  5. SSH/SFTP access? Key-based authentication?
  6. SLA with hosting provider about (regular) OS, PHP + module updates and security updates?

Organisation

  1. Who is responsible for system (security) updates?
  2. Who has access to the live-server?
  3. Who has access to the live-shop?
  4. Where is the code hosted? Who has access to the bare repo and push access?
  5. What does the current software development process look like? Are there code reviews and automatic checks done before deploying code to staging/test/live?
  6. Is there any security testing or security audit done (regularly)?
  7. Is there a regular backup? If so, is it external?
  8. Depending on the shop/company size: Are there business continuity and/or Recovery plans?
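Several items on the list above (custom admin path, shop-specific database credentials rather than root, proper file permissions) can be answered mechanically from the files of a Magento 1 installation. The following script is an added example, not code from the answer or from Magento itself: it parses a constructed `app/etc/local.xml` (the Magento 1 layout with `admin/routers/adminhtml/args/frontName` and `global/resources/default_setup/connection`) and walks a constructed directory tree looking for world-writable entries. The sample XML, the temporary tree, and the item labels are all assumptions made for the demo; point `audit_local_xml` and `audit_permissions` at a real shop's `local.xml` and document root to use it during a takeover review.

```python
"""Takeover audit helpers for a Magento 1 shop: admin front name, DB user,
and file permissions. Sample data below is constructed for the example."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed local.xml (not from any real shop). It deliberately keeps the
# default admin front name and a root DB user so both checks fire.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <resources>
      <default_setup>
        <connection>
          <host>localhost</host>
          <username>root</username>
          <password>placeholder-password</password>
          <dbname>magento</dbname>
        </connection>
      </default_setup>
    </resources>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName>admin</frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
"""


def audit_local_xml(xml_text):
    """Return (checklist item, finding) tuples derivable from local.xml alone."""
    findings = []
    root = ET.fromstring(xml_text)

    # Checklist item 2: a custom admin path. Magento 1 defaults to "admin".
    front = root.findtext("admin/routers/adminhtml/args/frontName")
    if front is None or front.strip().lower() == "admin":
        findings.append(("custom admin path",
                         "admin front name is the default 'admin'"))

    # System item 4: shop-specific DB credentials, not the root account.
    user = root.findtext("global/resources/default_setup/connection/username")
    if user is not None and user.strip() == "root":
        findings.append(("shop-specific db credentials",
                         "database connection uses the root user"))
    return findings


def audit_permissions(root_dir):
    """System item 3: list entries (relative paths) that are world-writable."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                flagged.append(os.path.relpath(path, root_dir))
    return sorted(flagged)


def build_sample_tree():
    """Create a small Magento-like tree in a temp dir with two deliberate
    permission mistakes (constructed data for the demo). Modes are set
    explicitly so the result does not depend on the caller's umask."""
    base = tempfile.mkdtemp(prefix="magento-audit-")
    etc = os.path.join(base, "app", "etc")
    media = os.path.join(base, "media")
    os.makedirs(etc)
    os.makedirs(media)
    local_xml = os.path.join(etc, "local.xml")
    index_php = os.path.join(base, "index.php")
    with open(local_xml, "w") as fh:
        fh.write(SAMPLE_LOCAL_XML)
    with open(index_php, "w") as fh:
        fh.write("<?php\n")
    os.chmod(os.path.join(base, "app"), 0o755)
    os.chmod(etc, 0o750)
    os.chmod(local_xml, 0o640)      # credentials file: owner/group only
    os.chmod(index_php, 0o666)      # mistake: world-writable PHP entry point
    os.chmod(media, 0o777)          # mistake: world-writable directory
    return base


if __name__ == "__main__":
    for item, finding in audit_local_xml(SAMPLE_LOCAL_XML):
        print(f"[local.xml] {item}: {finding}")
    tree = build_sample_tree()
    for rel in audit_permissions(tree):
        print(f"[permissions] world-writable: {rel}")
```

The permission walk intentionally reports only `o+w`, the one mode bit that is wrong regardless of which user PHP runs as; whether the web server user should own or merely read the tree is a separate question from the list (System item 2) that needs the hosting setup to answer.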