It's 2019 and security is a top priority of Magento/Adobe. Every participant in the ecosystem has their part to play in keeping merchant stores secure. Let us discuss the current low-hanging fruit in the ecosystem and share strategies/tools for managing it effectively. For each item we will outline the topic and its security shortcomings, then begin a deeper investigation into solutions with knowledge and idea sharing before moving on to the next one. This is a co-hosted panel: Kalpesh Mehta leading with deep technical security experience and Pablo Benitez bringing the experience and technical/business concerns of an extension developer, for a fully rounded conversation. Special thanks to Talesh Seeparsan and Kristof Ringleff for bringing their past Dev Exchange experience around extension security.
1.) Extension Developers write secure code.
With the proactive and nimble approach Magento has taken to core security, agencies and merchants often find that external 3rd party extension makers have not put in as much effort. How can we encourage their developers to take a more secure coding approach? Can the Magento community maintain a secure coding practices document, similar to the technical guidelines? Should code be validated using a tool like PHP CodeSniffer? What solutions already exist that we can rely on? What processes already exist that we can implement?
2.) Better ways to report vulnerabilities on a merchant's site
Magento has a bug bounty program for reporting vulnerabilities in its code and websites. If a user or security researcher finds a vulnerability in a Magento-powered web store that is not owned by Magento - an Adobe company, how can they reach the right person on the merchant's team? How should the information be passed on, given the sensitive nature of the issue? Should Magento adopt the security.txt standard?
3.) Code review in community submitted Pull Requests
Is Magento doing a security code review when someone submits a PR to the core code? What should reviewers check for when doing code reviews to identify security risks?
4.) Add Security topics in Developer certifications
Magento has already included a Security topic in the Magento 2 Professional Developer Plus exam. Can we ask Magento to include Security in the Associate as well as the Developer exam? Would it help developers learn security best practices?
All recommendations and suggestions will be documented and shared with the Magento security team and the community afterwards. Remember to keep your clients' privacy intact while discussing vulnerabilities and attacks.