
SECURITY: 3rd party extensions, yay or nay

SOLVED

Hey Alan

 

I'm writing here because I have a feeling you are the only one left who can pull a straight and honest answer to this question.

 

What is the general security advice when it comes to sourcing 3rd party extensions? I've just been told today by a security expert to avoid installing 'any' third party extension at all costs. Referring to those extensions coming from lesser-known sites on the Internet these days.

How does this all work security-wise? I'm not a PHP geek in any way + let's say I need to buy a 3rd party ext for my business operation, is it the norm with other business/store owners to send those scripts to a security professional for code scrutiny before installing them? If so, who, where? Please

PS. First business & ecommerce here, and prepping the Co's Sec Operating Procedures. That's all

Thanks in advance

1 ACCEPTED SOLUTION

Re: SECURITY: 3rd party extensions, yay or nay

Hi. There are lots of different aspects here - I will do my best to give you my perspective. And note, I worked closely with the security industry back in Australia.

 

Regarding the security advice, let me start with a lawyer analogy. If you ask them, they will give an opinion. Many lawyers will focus on minimizing legal risk. (Quite reasonable really.) But if you only take their perspective, many businesses would never have gotten off the ground. It is advice, but someone has to decide the upside is worth the risk. It really is the same with security advice. You can do things to improve security, but if you go too far you can end up with something no-one wants to use.

So I understand where the opinion comes from - every time something gets bigger, security risk goes up. That is standard "security speak".

 

What can you do about risk? If you are developing a Magento site with a partner, I would rely on their advice. Magento is open source, (most) extensions are provided as raw PHP code you can review (unless precompiled binaries where you cannot inspect or fix security issues). Any extension you get a good partner will review. So there is a lot you can do today with Magento to improve your security - which is often not possible with closed source products.

 

Regarding what Magento is doing, with the new Marketplace we do put all extensions through automated security checks. For higher level partners we also do more exhaustive code reviews and work with the partners to address problems. This is one of the major initiatives behind the Marketplace. Will it find every security flaw? No, but Marketplace extensions do go through security audits. And we plan to introduce additional checks over time.

As a side plug for Magento 2, one of the platform goals was to streamline the ability to accept updates (patches etc) with less effort and risk by sites. Then if a security patch is released, the effort to apply is lower. It actually is important for security as well. The new Magento Cloud offering has additional capabilities, such as blocking deployment of code with known vulnerabilities, and we are looking towards tools to make security patches even easier. E.g. when a security patch is released, maybe we pre-run all automated tests available so a site manager has confidence to just accept the patch. I cannot commit to exact details yet, but we have lots of plans here.

 

If you are still on Magento 1 and *not* working with a partner, then there are still things you can do. (Magento Marketplace will be extending to cover M1 as well, but that is not available yet.) I would recommend making sure you apply patches as they are released (from Magento or extension providers). Make it a priority. I would also recommend working with better known brands. Don't automatically go for the cheapest - check the reputation of an extension provider first. Web searches, ratings on Connect, etc. can help here. Larger extension developers tend to have more reputation to protect and so invest more into quality.

But should you run a Magento store with zero extensions due to security concerns? No. Extension is core to the Magento philosophy. Should you get a security expert? This is not mandatory - if you pick reputable extension vendors. If you do decide it is worthwhile, I would recommend getting a Magento expert, not a generic security expert. A generic security expert will not understand the Magento space - a quality Magento expert understands security as well. Magento is ecommerce! We deal with money! It is not like a foreign concept. If you do use a generic security expert, make sure you have one that talks about risk trade-offs rather than absolutes. "Never install an extension as it increases risk" is not someone delivering value (in my personal opinion). Live at home! Lock the doors! Bar the windows! That is not useful. Better is a discussion around options and the relative risk those options include. Someone who also understands the business imperatives - it is less risky for security to not have an online store at all. But that may be a greater business risk than the security risk - your business does not grow as much as it could have. Someone with only a security focus might not have the balanced opinion you need. I think getting a Magento expert who talks to security experts is better - they can act as the middle man balancing business goals and risk appropriately. Yes, put in 2 factor authentication for administrator login; No, don't automatically reject all extensions as every line of extra code increases the chance of a bug.

There are more secure ways than others in terms of technology. That is harder to give general recommendations on. For example, Magento 2 has moved to models where Magento never collects the credit card details on your site. If you use PayPal for example, all credit card traffic goes to their site. That lets PayPal deal with the harder security considerations. It is a bit lengthy to describe here, but look for payment options that use this approach. It helps.

Sorry if this is a bit of a waffle - hopefully some useful aspects in the above.

 

Oh, to find partners, we have a list of Magento partners on the magento.com site. If you have specific needs or concerns around security I can see if I can find someone with greater specialty in your area.

 

Re: SECURITY: 3rd party extensions, yay or nay

I had to accept your reply as a solution. You should run the Internet Alan

 

Jackpot right there. Knew you'd be honest so thanks for that X1,000! Reassuring for me (and the community I guess) RE some of the issues I had. I was asked some pretty nasty questions RE security this last Friday (by potential investors) and thought it would be a great idea to shoot the ball back in your park! (sorry btw)

That is a lot of reading so we'll do this twice here just to make sure we didn't miss anything.

 

Personally I need a psychotherapist more than a security adviser! Lock the door indeed, my store is on invite only and with only 1 (one) non standard port open to the Internet. Believe it or not, it's a strong vpn lolll We currently enjoy M2.05 btw... which is incredible thank you very much (ootb, zero extensions).

(We sell performance car parts, B2B, not weapons, no worries there)

 

We plan on adding a few of those ext, soon, and run the http on the internet. But that is only if we can pull off and satisfy the security bit of those wild & mighty extensions. So atm we have tons of questions and worries, it's almost annoying. Looking for a professional/adviser is one of those to-do-presto tasks here for sure... need to find someone I can blame in case things break down - what else security advisers are good for ; )

Thx Alan (Magento)

 

ps> modified my original post at the same time you've posted yours. Apologies. Same question, different words really...

Re: SECURITY: 3rd party extensions, yay or nay

Thanks for accepting my response - I am behind, but it helps me track outstanding vs closed questions.

Re: SECURITY: 3rd party extensions, yay or nay

(comment deleted reason just rumbling ... meaningless)