October 14, 2013: Rock Solid, Securing your Client's ExpressionEngine Website

ExpressionEngine Conference: Rock Solid - Securing Your Client's ExpressionEngine Site


DESCRIPTION

During my 2013 talk at ExpressionEngine 2013, I discussed the ExpressionEngine file structure, securing your site with SSL, PCI compliance, and updating your software.


Page 1: ExpressionEngine Conference: Rock Solid - Securing Your Client's ExpressionEngine Site

October 14, 2013

Rock Solid: Securing your Client's ExpressionEngine Website

Page 2

10/14/13 Rock Solid

David Dexter (@dpdexter)

1. Founder of Codesly, Inc. in Los Angeles, CA

2. Working on the web since 1998

3. Built my first ExpressionEngine site in 2007

4. Created and maintain BrilliantRetail

5. and... most importantly.....

Page 3


Look Who's Talking

What are we talking about....

1. File Structure

2. Securing your Site with SSL

3. PCI Compliance

4. Stay up to date

5. Questions?

Page 4


Disclaimer....

How We Roll!

There are a bunch of ways to setup, configure and work with ExpressionEngine! We love that...

This is how we do it! (and it's always evolving)

Page 5


File Structure

What goes where and why.....

1. Move your system folder above the web root.

2. Hide your control panel (and make it prettier for your clients)

   1. $system_path = '../../system';

3. Focus Lab's Master Config

   1. https://github.com/focuslabllc/ee-master-config
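A check for item 1 above, added here as an example that is not part of the deck: it reads the $system_path value out of an index.php and reports whether that folder resolves outside the web root, so a misconfigured relative path is caught before the system folder becomes web-reachable. The sample index.php text and the /var/www/example.com/public web root are constructed.

```python
import os
import re

# Constructed sample of the relevant lines from an ExpressionEngine index.php;
# the path value mirrors the slide, the surrounding PHP is an assumption.
SAMPLE_INDEX_PHP = """<?php
$system_path = '../../system';
$debug = 0;
"""

SYSTEM_PATH_RE = re.compile(r"""\$system_path\s*=\s*['"]([^'"]+)['"]\s*;""")


def configured_system_path(index_php_source: str) -> str:
    """Return the $system_path value assigned in an index.php source string."""
    match = SYSTEM_PATH_RE.search(index_php_source)
    if match is None:
        raise ValueError("no $system_path assignment found")
    return match.group(1)


def system_dir_outside_web_root(web_root: str, system_path: str) -> bool:
    """True when the system folder resolves to somewhere the web server does not serve.

    A relative $system_path is resolved against the directory that holds
    index.php, which is the web root, the same way PHP resolves it at runtime.
    """
    web_root = os.path.normpath(os.path.abspath(web_root))
    if os.path.isabs(system_path):
        resolved = os.path.normpath(system_path)
    else:
        resolved = os.path.normpath(os.path.join(web_root, system_path))
    # Safe only when the web root is neither the system folder nor one of its parents.
    return os.path.commonpath([web_root, resolved]) != web_root


def audit(web_root: str, index_php_source: str) -> dict:
    """Report where the configured system folder lands relative to the web root."""
    path = configured_system_path(index_php_source)
    return {"system_path": path,
            "outside_web_root": system_dir_outside_web_root(web_root, path)}


if __name__ == "__main__":
    print(audit("/var/www/example.com/public", SAMPLE_INDEX_PHP))
```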

Page 6


SSL (https)

What in the world is SSL?

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.

Page 7


SSL (https)


Okay... So why do we need SSL?

1. Secure customer / member data

2. Prevent a “Man in the Middle” attack.

Page 8


SSL (https)


What Would it Take to Break a 2048 Bit SSL Certificate?

If you began cracking it today....

After over 13 billion years....

You’d be 1/468,481th of the way there.

source: http://www.digicert.com

Page 9


SSL (https)


What’s with the broken lock?

1. Including external resources (link, img, script tags)

2. Posting to insecure forms (action)

3. Get relative (/) or gimme some double slashes (//)

4. Should we secure all pages?
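An added example, not from the deck: a small Python scanner for the first three causes of the broken lock listed above. It flags link, img, script and form URLs that still use http:// and suggests the root-relative (/) or protocol-relative (//) form from item 3; the sample HTML and the www.example.com host name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: a clean stylesheet, a protocol-relative script,
# an insecure image, an insecure form action and a root-relative form.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<form action="http://www.example.com/checkout" method="post"></form>
<form action="/member/login" method="post"></form>
</body></html>"""

# Tag/attribute pairs that fetch a resource or submit data (slide items 1 and 2).
URL_ATTRS = {"link": "href", "img": "src", "script": "src", "form": "action"}


def suggested_fix(url: str, site_host: str) -> str:
    """Rewrite an http:// URL as slide item 3 suggests: same-host URLs become
    root-relative (/path), third-party URLs become protocol-relative (//host/path)."""
    parts = urlsplit(url)
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    return tail if parts.netloc == site_host else "//" + parts.netloc + tail


class MixedContentScanner(HTMLParser):
    """Collect (tag, url, fix) for every plain-http URL that breaks the padlock."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # https://, //host/ and /path all keep the page secure; only http:// breaks it.
        if url and urlsplit(url).scheme == "http":
            self.findings.append((tag, url, suggested_fix(url, self.site_host)))


def scan(html: str, site_host: str) -> list:
    """Return the mixed-content findings for one HTML document."""
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Running scan(SAMPLE_HTML, "www.example.com") returns the insecure image and the insecure checkout form, each with its suggested rewrite.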

Page 10


PCI Compliance

What in the world is PCI?

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

1. Originally based on the separate security guidelines created by Visa and MasterCard.

2. There are 12 general requirements to be PCI compliant.

Page 11


PCI Compliance


BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain a policy that addresses information security

Page 12


PCI Compliance


Umm. Okay. What’s the take-away from that?

1. Do not store credit card data!

2. If you are using a merchant processor, make sure you are maintaining a secure (SSL) network and having quarterly scans performed by an accredited third party (your merchant processor will require this).

Page 13


PCI Compliance


“Out of Scope” is your Friend!

1. PCI compliance sets standards for processing and storing credit card data.

2. “Out of Scope” hands off that responsibility to a third party:

   1. PayPal

   2. Google Wallet (formerly Google Checkout)

   3. Stripe.com

Page 14


Please Update.


Out-of-date software can be vulnerable! Check the change log.

Page 15


Please Update.


Hey, we’ve got tricks up our sleeve!

1. We love Updater.

   1. http://www.devdemon.com/updater/

2. Developer's license

Page 16


Thank You!

Page 17


Get In Touch!

[email protected]

codesly.com

@dpdexter

Page 18


Watcha Got?