Magento Platform Posts

Magento Security Tips and Vulnerabilities

The term “hacker” was coined in the 1960s by a group of programmers from the Massachusetts Institute of Technology and originally meant a person who looked for smart ways to make things more functional and useful. Nowadays, however, it usually carries a negative meaning and refers to computer criminals.

E-commerce and financial sites stand first in the list of potential victims as they deal with monetary transactions. Built on the most popular e-commerce platform worldwide, Magento sites are also under threat.

Hacker attacks are usually not aimed at one particular business: they exploit discovered vulnerabilities in a certain shopping cart application or payment gateway in pursuit of the attackers' own tangible gains. Sometimes, however, they are also used for unfair competition.

E-commerce Site Vulnerabilities

Most e-commerce platforms and payment gateways possess the same vulnerabilities as they are created using similar development approaches and coding techniques.

Sometimes developers lack the necessary knowledge of secure programming or are bound by tight deadlines, which put functionality and design first and push security issues aside.

The second reason is that, because of the tricky functionality customers require, web applications become too complex and, as a result, inevitably contain multiple vulnerabilities.

Common Hacking Techniques

SQL Injection
SQL injection is an attack technique that exploits an application vulnerability and is carried out by inserting malicious SQL statements into user input. Depending on the circumstances, it can result, for example, in detailed error notifications that disclose backend technology details, or in access to restricted areas gained by manipulating always-true Boolean values in queries.
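The two outcomes described above, shown as an added example that is not part of the original post and is not Magento code: a login query built by string concatenation next to the same query using placeholders. The table, the function names and the sample inputs are constructed for illustration, and SQLite stands in for the store's database.

```python
import hashlib
import sqlite3

def pw_hash(password):
    # Plain SHA-256 keeps the sample short; a real store needs a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")  # constructed sample table, not Magento's schema
    db.execute("CREATE TABLE admin_user (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO admin_user VALUES (?, ?)", ("owner", pw_hash("correct horse")))
    return db

def login_vulnerable(db, username, password):
    # BEFORE: input is pasted into the SQL text, so a quote in it alters the query.
    sql = ("SELECT username FROM admin_user WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash(password)))
    row = db.execute(sql).fetchone()  # a syntax error here surfaces driver details
    return row[0] if row else None

def login_safe(db, username, password):
    # AFTER: placeholders keep the values out of the SQL text entirely.
    sql = "SELECT username FROM admin_user WHERE username = ? AND pw_hash = ?"
    try:
        row = db.execute(sql, (username, pw_hash(password))).fetchone()
    except sqlite3.Error:
        return None  # generic failure; no backend error text reaches the client
    return row[0] if row else None

# Constructed inputs: an always-true condition and a name containing a quote.
ALWAYS_TRUE = "' OR 1=1 --"
STRAY_QUOTE = "o'brien"

def demo():
    db = make_db()
    results = {
        "vulnerable, always-true input": login_vulnerable(db, ALWAYS_TRUE, "x"),
        "safe, always-true input": login_safe(db, ALWAYS_TRUE, "x"),
        "safe, valid credentials": login_safe(db, "owner", "correct horse"),
        "safe, quote in name": login_safe(db, STRAY_QUOTE, "x"),
    }
    try:
        login_vulnerable(db, STRAY_QUOTE, "x")
    except sqlite3.OperationalError as exc:
        results["vulnerable, quote in name"] = str(exc)  # text an error page would leak
    return results

if __name__ == "__main__":
    print(demo())
```

With the concatenated query the always-true input logs in as the first account and the stray quote raises a driver error; with placeholders both inputs are compared as plain strings and simply fail to match.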

DDoS Attacks
A DDoS, or Distributed Denial of Service, attack is a hacking technique in which multiple requests, exploiting server capacity bottlenecks, make a site unavailable to users. After that, hackers proceed to compromise the entire site or specific functions of it.

Broken Authentication and Session Management Attacks
This malicious technique exploits weaknesses in the authentication procedures, or targets session IDs and cookies, in order to gain access to your account.

Cross-site Scripting
Commonly targeted at the end user, cross-site scripting usually relies on a lack of input and output validation and on users’ unjustified trust.

Remote Command Execution
Remote command execution is possible when inadequate input validation allows hackers to execute operating system commands with the privileges of the web server.

Magento stores, like many other e-commerce sites, are exposed to hacking, but Magento store owners can take some precautionary measures to keep their sites safe.

Magento Stores Security Tips

The biggest danger of hacker attacks is that you can hardly detect them until it is too late. So we should take care of site security in advance and regularly check the site's health.

1. Use only the latest Magento version
Despite the complexity of changing Magento versions in your store, try to use only the latest ones. Magento constantly improves its products and fixes possible security vulnerabilities, so the latest Magento version is usually better and more secure.

2. Use two-factor authentication
Secure passwords are not enough to keep your Magento store properly safe. You had better use two or more layers of authentication, including trusted IPs and devices, private files and so on.

Keren Aminia: “The Magento Community is Stronger than Ever”

Editor’s note: 2014 has just begun and the entire Magento community is keen to know about Magento plans and strategic ideas for this year. We were curious to hear about the brightest upcoming events and new educational opportunities we can apply to study Magento deeply and extensively. So, we addressed all our questions to one of the most competent persons in the Magento world – Keren Aminia.

KEREN AMINIA

DIRECTOR OF BUSINESS OPERATIONS
As Director of Business Operations, Keren leads Events Strategy and Execution for Magento and is the Executive Producer of Magento events spanning the globe, including the award winning Imagine conference. Keren’s tenure with the company has seen her champion many successes while under the previously held role of CFO, including oversight of the Finance and Operation Organizations, HR, Business Affairs and Administration.

Keren kindly found time in her busy schedule and answered our most pressing questions about Magento, and we are highly grateful to her for this exclusive interview.

aW: How do you assess the results of the previous year for Magento?

Keren: Magento closed 2013 on a high, surpassing 208,000 Community Edition customers and over 2,600 Enterprise Edition customers. The Magento community is stronger than ever. Our 200+ partners and 7K+ extensions represent a $1B service ecosystem, a real juggernaut of innovation, which we’re taking aggressive steps to strengthen and improve.

We took an important step in November by becoming part of eBay Enterprise. This combination of the extensive ecommerce, multichannel and marketing capabilities of eBay Inc. together under one umbrella offers an unmatched portfolio of capabilities that seamlessly deliver integrated commerce solutions to drive merchant revenue and growth.

aW: What are the strategic plans of Magento for 2014?