Magento Security

Configuring MySQL SSL in Magento (to get your HIPAA auditor off your back)

I’ve been asked a few times now if there is a way to use encrypted MySQL connections in Magento. Most of the time it is when merchants are selling medical products and HIPAA requirements come into play. I am not an expert in HIPAA, nor do I want to be, but with the cost of vulnerabilities on the rise it made sense to at least look into it and get a good answer on how to do it.

Opinion Security

We don’t need better authentication

I saw a tweet today concerning authentication.

"Monaco, at White House cybersecurity summit at Stanford, calls for replacing passwords with more secure technologies." — Paul Krill (@pjkrill) February 13, 2015

When reading that the first thing that came to my mind was "with what?" When will that one be hacked and then replaced by something else,

Continue Reading "We don't need better authentication"

Security

Is prevention the best security practice?

I read a post tweeted by Chris Cornutt today. The basic gist of the article is that your security is only as strong as your most ethically-challenged developer. That got me thinking that we spend so much time trying to prevent intrusions when detection might be a better priority. Some tactics, such as SQL Injection,

Continue Reading "Is prevention the best security practice?"

Magento Security

10 “what to do’s when setting up Magento” and file inclusion attacks

Found this list of things "to do" on Twitter this morning. I went over the list and saw that there was one item that was missing, which I feel is very important to do. I saw it in another post on Local File Inclusion for which it seems like there was a local file inclusion

Continue Reading "10 "what to do's when setting up Magento" and file inclusion attacks"

Security

Generating secure cross site request forgery tokens (csrf)

I don't talk much about security. This is mostly because it's such a moving target. I'm also horrified that I might give bad advice and someone will be hacked because of me. But in researching the second edition for the IBM i Programmer's Guide to PHP Jeff and I decided to include a chapter on

Continue Reading "Generating secure cross site request forgery tokens (csrf)"

Database Security

How to use PHP with MySQL (without SQL Injection vulnerabilities)

Chris Dale recently posted a horrifying article on his blog. It is called "Why it's easy being a hacker – A SQL injection case study". The most horrifying part of the post was that when you type in the Google search "How to use PHP with MySQL" a significant number of the results come back

Continue Reading "How to use PHP with MySQL (without SQL Injection vulnerabilities)"

Security Zend Framework

Encrypted session handler

A little while ago I had come upon the problem of having to store sensitive data in a user session. The solution that I (and several others) came upon was creating a mechanism for storing encrypted data in a session. But what we wanted to do was build something that didn't have a single point of failure. We also wanted to build something portable. What we built was a simple Zend Framework session handler for storing sensitive data.