We all know the adage - better safe than sorry. But in most cases, when operational challenges start driving the business, we are compelled to leave our site vulnerable - security down, performance overlooked and health ignored. It’s unfortunate, but we slip into reactive mode and work on the incidents that show up, staying completely oblivious to those that leech the system from deep within. And trust us, it’s the latter that takes the biggest toll.
Instead of hitting the alarm when your site slows down or crashes for no apparent reason, a new extension rattles its stability, or customers cry foul over an unauthorized transaction, it’s better to set up a watch on the areas that matter most to your site and schedule a periodic audit.
But given the breadth of your site, that doesn’t say it all. So we’ve decided to present a detailed audit checklist that’ll help you maintain the sanctity of your site and the reputation of your business.
Why do I Need an Audit?
Your site pumps the lifeblood into your business. As the owner, it’s your responsibility to ensure that your customers stay unharmed. A site audit lets you identify whether there has been any attempt to hack your site, steal card information, or take control of customers’ personal data. Your Magento site audit helps you find any existing issue that may be bugging your system and allows you to fix it before it grows out of proportion. The code audit helps you chart out the next course of action for your site - whether you need to perform minor fixes, an update or a migration.
You can conclude that if you want to maintain the security of your site, improve its performance and keep it healthy, you simply have no option other than performing regular site audits.
What do I Audit?
There are three main sectors that you should cover.
You can’t let your site security slump, mainly because your site collects your customers’ personal information and enables them to make financial transactions. Therefore, you need to minutely monitor any known symptoms of common Magento hacks. You need to review the existing security patches, check the code for any changes or modifications made to extensions and standalone files, review the payment configuration and re-examine the administrator accounts. The Magento code audit involves closely combing through the site code to detect any vulnerability in the payment methods, administrative credentials, and site control arising from changes to certain settings.
How your business performs rests on how your site performs. You should measure the speed of your hosting service, the response time, and the page download time. Check whether compression is used, find out whether your site throws any 404 errors, and inspect how it renders third-party plugins. User experience is one qualitative factor that contributes to the success of your site. See for yourself whether your site design and theme are responsive, whether the navigation is intuitive, whether all the product pages have complete product information, and whether the information and design are consistent across the site. A performance audit may come up with recommendations for design enhancements, or for a complete overhaul. You may get a heads-up on design optimization, the need to upgrade to newer versions, and duplicate requests awaiting elimination.
This is a combination of security and performance. A health audit primarily focuses on adherence to best practices. It brings out the lacunae in your theme, extensions, file system, and database. The health audit also points out any core edits or overrides of the Magento core code. Whether a module or an extension should be disabled, whether the size of your database and the number of logs are within limits, whether the file system needs cleaning, whether settings need a change, whether all records are intact - the answers to these questions come out of a health check.
How do I Audit?
A Magento website audit takes into account four main areas.
A server audit involves looking deep into users, network configuration, security, log files, and applications and services. How to audit each of these is elaborated below:
For operational purposes, different types of users with different roles and functions access your site. As part of the security audit, you first need to assess how a user accesses the system and what authentication mode the system uses. After this identification, you categorize the list of users into roles and functions and evaluate their need to access the site. This helps you identify the types of users who have a valid reason to access the site and set up different access rights for the users in accordance with the business need. If you find any user with an access right but without a need, simply remove the user.
1.2. Network configuration
You need to focus on three prime aspects of the network configuration while performing a technical audit:
To audit the configuration, check whether the IP addresses, netmask, and gateway are untampered. Find out if a bridged network has been allowed, and identify in which network segment and network zone the system has been active. Finally, determine whether the segments or zones are free of anomalies.
1.2.2. Listening ports
As listening ports are the entry points to any system, they are the most vulnerable factors in a network. Hence, monitoring listening ports plays a pivotal role in a server audit. A review of listening ports offers insight into the active services and helps you work out whether they are in line with the business purpose.
This is your network’s shield, so you have to ensure it remains the strongest to minimize the number of infiltrations. Depending on what type of data you are storing in your system, you can configure the firewall settings. Follow a simple rule of thumb: the more sensitive the data, the fewer systems it should communicate with.
At the core of security lies access. Check whether proper access rights have been assigned to different users based on their business roles. To harden the system you may choose to assign controlled access to the users and prevent any unauthorized execution of files. Controlled access to the system, knitted together with file permissions, helps in assigning a proper owner to each file. This is especially important in a networked setup as it helps in identifying the sole owner of an action from a crowd of users. Even with such a secured setting, you’ll come across situations where a few files won’t have a proper owner. To counter such situations you have to bring SetUID or SetGID into play and block any type of illicit file execution. This helps in defending your system from attacks that are planted using executables.
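One way to run the listening-port review above over the output of `ss`, as an added example that is not part of the original checklist: it assumes that on a Magento web node only ports 80 and 443 may be bound to a public address, and it parses a constructed sample rather than a live host.

```shell
#!/bin/sh
# Listening-socket review for a Magento web node. Assumed allowlist: only HTTP/HTTPS may
# bind a non-loopback address; MySQL, Redis, Elasticsearch and the like should listen on
# 127.0.0.1/::1 only, or on a private interface that the firewall shields.
PUBLIC_OK="80 443"

# audit_listeners reads `ss -tlnp` output on stdin (header line optional) and prints one
# EXPOSED line per socket bound to a wildcard or non-loopback address whose port is not
# in PUBLIC_OK. The process column is only present when ss runs as root.
audit_listeners() {
  while read -r state recvq sendq laddr paddr proc; do
    [ "$state" = "LISTEN" ] || continue        # skips the header and non-listening rows
    addr=${laddr%:*}                           # everything before the last colon
    port=${laddr##*:}
    case "$addr" in
      127.*|'[::1]') continue ;;               # loopback is the intended binding for backends
    esac
    case " $PUBLIC_OK " in
      *" $port "*) continue ;;                 # an allowed public service
    esac
    echo "EXPOSED port=$port addr=$addr proc=${proc:-unknown}"
  done
  return 0
}

# Constructed sample of `ss -tlnp` output (not captured from a real host): MySQL and
# Elasticsearch are bound to every interface, Redis correctly to loopback.
sample_ss() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*        users:(("nginx",pid=812,fd=6))
LISTEN 0      511    [::]:443          [::]:*           users:(("nginx",pid=812,fd=7))
LISTEN 0      80     0.0.0.0:3306      0.0.0.0:*        users:(("mysqld",pid=640,fd=21))
LISTEN 0      128    127.0.0.1:6379    0.0.0.0:*        users:(("redis-server",pid=655,fd=6))
LISTEN 0      4096   *:9200            *:*              users:(("java",pid=700,fd=300))
EOF
}

# On a real host replace sample_ss with `ss -tlnp`.
sample_ss | audit_listeners
```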
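The file-ownership and permission checks from this paragraph as an added example (not from the original post): it assumes a Magento 2 layout where uploads live under `pub/media`, takes the document root as its only argument, and `audit_docroot` and `make_sample_tree` are names chosen here.

```shell
#!/bin/sh
# File-system review of a Magento document root (assumed passed as $1). Flags the
# conditions the section above describes: privilege-bearing executables, files anyone
# can modify, files whose owner or group no longer exists, and code under the media
# upload directory (Magento 2 keeps uploads in pub/media, where only static files belong).
audit_docroot() {
  root=$1
  find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/SETUID_SETGID /'
  find "$root" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/WORLDWRITE /'
  find "$root" \( -nouser -o -nogroup \) -print | sed 's/^/NOOWNER /'
  if [ -d "$root/pub/media" ]; then
    find "$root/pub/media" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print |
      sed 's/^/MEDIA_CODE /'
  fi
  return 0
}

# Builds a constructed tree that exhibits each condition and prints its path.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/app/etc" "$t/pub/media"
  chmod 755 "$t" "$t/app" "$t/app/etc" "$t/pub" "$t/pub/media"
  printf '<?php\n' > "$t/app/etc/env.php";       chmod 640 "$t/app/etc/env.php"    # fine
  printf 'x\n' > "$t/app/helper";                chmod 4755 "$t/app/helper"        # setuid
  printf 'x\n' > "$t/pub/media/loose.txt";       chmod 666 "$t/pub/media/loose.txt" # world-writable
  printf '<?php\n' > "$t/pub/media/upload.php";  chmod 644 "$t/pub/media/upload.php" # code in uploads
  echo "$t"
}

sample=$(make_sample_tree)
audit_docroot "$sample"
rm -rf "$sample"
```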
1.4. Log files
This is the gold mine for auditors. Log files hold an account of all the actions that have been performed on the system. This is the reason why log files should be protected and rotated. Study these files as minutely as possible, as they help in performing the most accurate RCA in case of an incident. Check whether all calls and actions are properly logged, and critically examine the logs related to the user information connected to the main applications. For a secured logging mechanism, check the syslog configuration and find out whether remote logging is allowed by the system. It keeps the valuable proof of an incident unaltered by preventing any malicious adjustments that may hide traces of actions. In case remote logging is not found on the system, we suggest deploying a SIEM solution to start the practice.
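An added check for the remote-logging step (example code, not the post’s own): it reads an rsyslog configuration and reports whether any active rule forwards messages to a collector; `logs.example.com` and the sample configurations are placeholders constructed here.

```shell
#!/bin/sh
# Remote-logging check for the syslog configuration step above. Reads an rsyslog
# configuration on stdin and reports every active rule that ships messages off the host:
# legacy syntax forwards with "@host" (UDP) or "@@host" (TCP), RainerScript with
# action(type="omfwd" ...). NONE means the audit trail lives only on the host it protects.
audit_syslog_forwarding() {
  found=0
  while IFS= read -r line; do
    line=${line#"${line%%[![:space:]]*}"}        # trim leading blanks
    case "$line" in
      '#'*|'') continue ;;                       # comments and blank lines are not rules
      *'@@'*)  echo "REMOTE tcp ${line##*@@}"; found=1 ;;
      *'@'*)   echo "REMOTE udp ${line##*@} (no delivery guarantee, no TLS)"; found=1 ;;
      *omfwd*) echo "REMOTE omfwd: $line"; found=1 ;;
    esac
  done
  [ "$found" -eq 1 ] || echo "NONE"
}

# Constructed configurations; logs.example.com is a placeholder for the collector.
local_only() { printf '%s\n' '# default layout: everything stays on this host' 'auth,authpriv.* /var/log/auth.log' '*.* -/var/log/syslog'; }
forwarded()  { printf '%s\n' 'auth,authpriv.* /var/log/auth.log' '*.* @@logs.example.com:514'; }

local_only | audit_syslog_forwarding    # NONE
forwarded  | audit_syslog_forwarding    # REMOTE tcp logs.example.com:514
```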
1.5. Applications and services
Your server is the storehouse of your applications and services. As part of the server audit, take a look at these applications. The types of applications help you assess how much your server is exposed to attacks. Find out whether any of them are untrusted and can create backdoors for other applications. In case you zero in on any, go for a complete removal. Besides, examine the services to find out which of them are consuming too many resources. Flag such services and probe deep to find out the reason. This check has an impact on both security and performance.
PHP (PHP: Hypertext Preprocessor) has become the standard for most systems that create pages dynamically or work with multiple RDBMSs. In action, PHP acts as a filter, and that makes it a prime module in need of a thorough inspection. While auditing PHP, start by checking whether the latest, updated version is installed on your system. An updated version is published with security fixes and better performance capability. Hence, it’s a must for your system.
PHP runs to perform different types of functions and, in the process, consumes resources. While performing an audit, check how much resource it is consuming, whether there is a way to optimize the consumption, and whether it is working with the minimum recommended configuration to deliver the best performance with the least resource consumption.
Like all code, PHP code breaks down. But you need to ensure that in case of any such stumble, be it an incorrect compilation, a wrong configuration or just a code break, the errors don’t show up on your live site.
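The PHP version and error-display checks from the three paragraphs above, as an added example that is not from the original post: it assumes a minimum version of 7.4 (take the real floor from your Magento release’s requirements), parses a constructed `php -i` fragment, and `ver_num`, `audit_php_ini` and `sample_php_i` are names chosen here.

```shell
#!/bin/sh
# Production-readiness check of the PHP configuration, covering the version and the
# error-display points above. Reads `php -i` output on stdin, whose lines read
# "directive => local value => master value". MIN_PHP is an assumed floor; take the
# real one from the system requirements of your Magento release.
MIN_PHP=7.4

# ver_num turns "7.4.33-1ubuntu4" into 70433 so that versions compare as integers.
ver_num() {
  v=${1%%[!0-9.]*}                      # drop any distribution suffix
  set -- $(printf '%s' "$v" | tr '.' ' ')
  echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

audit_php_ini() {
  seen_version=0
  while IFS= read -r line; do
    case "$line" in *' => '*) ;; *) continue ;; esac      # only "key => value" rows
    key=${line%% =>*}
    val=${line#* => }; val=${val%% =>*}                    # local value wins over master
    case "$key" in
      'PHP Version')                                       # php -i prints this twice
        if [ "$seen_version" -eq 0 ]; then
          seen_version=1
          [ "$(ver_num "$val")" -ge "$(ver_num "$MIN_PHP")" ] || echo "OLD_PHP $val (minimum $MIN_PHP)"
        fi ;;
      display_errors|display_startup_errors|expose_php|allow_url_include)
        case "$val" in On|on|1|STDOUT|stdout) echo "INSECURE $key=$val" ;; esac ;;
      log_errors)
        case "$val" in Off|off|0) echo "WEAK log_errors=$val (errors belong in the log, not on the page)" ;; esac ;;
    esac
  done
  return 0
}

# Constructed `php -i` fragment, not captured from a real host.
sample_php_i() {
  printf '%s\n' 'PHP Version => 7.3.33' 'display_errors => On => On' 'display_startup_errors => Off => Off' \
    'expose_php => On => On' 'allow_url_include => Off => Off' 'log_errors => Off => Off' 'memory_limit => 2G => 2G'
}
sample_php_i | audit_php_ini
```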
3.1. Backend audit
The backend audit involves checking the Magento development standards and the security updates. Identifying any loopholes in the code that may result in a backdoor entry into your system, checking the overall performance, examining the queries made from PHP and determining whether there are any bottlenecks that might be affecting page load time also form part of the backend audit. The audit extends to checking the server-side technologies, the integration process, and the usage of external modules in the development of the site.
3.2. Front end audit
To audit MySQL, you need to have a clear understanding of the entire database architecture and the relation between one database and another. Needless to say, it starts with the identification of tables. Once you get a complete picture of the different types of tables, you may move on to check what storage engines are deployed. From MySQL 5.5 onwards the default engine is InnoDB. The ACID-compliant InnoDB offers transaction support, row-level locking, crash recovery and, to top it all, foreign key referential integrity constraints, making it the most reliable engine for a site that deals with financial transactions.
Next come the indexes. For quick lookup of data and to efficiently order access to records, all RDBMSs use a database index or a set of database indexes. Check whether such indexes are present in your system.
The stored procedure is another important function you should review. Used for data validation and access control, stored procedures, saved in the data dictionary, help your system save time and simplify extensive and complex processing. Check what procedures are saved, whether there are nested procedures, and find out what trigger invokes a stored procedure.
Generally, when you have a large set of databases that are tightly knit, the use of database triggers becomes imperative to maintain the integrity of the entire RDBMS. Find out at what point these triggers come into play.
Finally, take a look at the user permissions. This cannot be ignored when you have a critical system running to capture your customer information, product information, transaction information and more. You don’t need someone dealing with product data to look into customer data and vice versa, right?
Gathering an idea of the architecture is the first step in auditing MySQL. Once done, you should move on to inspect the log files. MySQL uses diverse types of logging that can be used for auditing.
3.1. Error log
It works on the log_warnings system variable, which keeps a record of all the warnings. This log is used to debug critical errors.
3.2. Slow query log
SQL statements that have taken a long time to execute are logged here. This helps in identifying the queries that take longer and impact the performance of the site.
3.3. Binary log
When you need to review data modifications made by committed transactions, you will find them in the binary log. This may not help in pointing out a suspicious SELECT, but it helps you find the details of any changes made to the database.
3.4. Custom-made triggers
As an alternative to binary log review, you may choose to use custom-made triggers to get the details of any modification of data. Although this offers flexibility in auditing, it’s too cumbersome to maintain.
3.5. General log
This is a catch-all technique. The general log records all queries a server receives. It is the most detailed logging technique, but at the same time it takes a lot of time to sift through, as it doesn’t have any filtering mechanism.
In 2017, a little more than 2,200 Magento sites fell victim to malicious attacks; within the first three months of 2018, the number has already touched 1,000. With 9 more months to go and no idea how many more sites 2018 will claim, all we can say is that the rise of attacks on Magento is scary. But it needn’t be this way. A little more careful deployment, regular maintenance, and a periodic audit by trained webmasters can bring this number down. If you plot the set of checks discussed and start tracking them, you will save a lot of the stress, effort, and money involved in correcting your system. And that, we believe, is the way to go for a site that deals with sensitive data - from a customer’s delivery address to her money.
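Added helpers, not Magento’s or MySQL’s own tooling, for two passages: the storage-engine and user-permission checks in the architecture section, and the slow-query, binary and general log settings in this one. They assume a schema named `magento`, query output produced by `mysql -B -N`, and 2 seconds as the slow-query threshold worth logging.

```shell
#!/bin/sh
# Assumed: the store schema is "magento"; engine_query/grant_query are run with
# `mysql -B -N` (tab-separated, no header) and their output is piped into the parsers;
# MAX_LQT is the slow-query threshold in seconds that is still worth logging.
SCHEMA=magento
MAX_LQT=2

engine_query() { echo "SELECT table_name, engine FROM information_schema.tables WHERE table_schema = '$SCHEMA';"; }
grant_query()  { echo "SELECT user, host FROM mysql.user;"; }
# Every table that is not InnoDB is a finding: without transactions and row locks a
# half-failed order write cannot be rolled back.
audit_engines() {
  while read -r table engine; do
    [ "$engine" = "InnoDB" ] || echo "NON_INNODB $table engine=$engine"
  done; return 0
}
# Accounts allowed to connect from anywhere ('%') or a wide subnet widen the exposure.
audit_hosts() {
  while read -r user host; do
    case "$host" in localhost|127.0.0.1|::1) ;; *) echo "REMOTE_LOGIN $user@$host" ;; esac
  done; return 0
}
# Reads my.cnf on stdin and checks the [mysqld] logging directives discussed above.
audit_mysql_logging() {
  slow=0; bin=0; general=0; lqt=10; in_mysqld=0          # 10 s is the server default
  while IFS= read -r line; do
    line=${line%%#*}                                       # drop trailing comments
    case "$line" in '['*) in_mysqld=0; case "$line" in '[mysqld]'*) in_mysqld=1 ;; esac; continue ;; esac
    [ "$in_mysqld" -eq 1 ] || continue
    key=$(printf '%s' "${line%%=*}" | tr -d ' \t' | tr '-' '_')
    val=$(printf '%s' "${line#*=}" | tr -d ' \t')
    case "$key" in
      slow_query_log)  case "$val" in 1|ON|on) slow=1 ;; esac ;;
      long_query_time) lqt=$val ;;
      log_bin)         bin=1 ;;                             # "log-bin" with or without a value
      skip_log_bin)    bin=0 ;;
      general_log)     case "$val" in 1|ON|on) general=1 ;; esac ;;
    esac
  done
  [ "$slow" -eq 1 ] || echo "OFF slow_query_log (slow statements are not being recorded)"
  if awk -v t="$lqt" -v m="$MAX_LQT" 'BEGIN { if (t + 0 > m + 0) exit 0; exit 1 }'; then
    echo "HIGH long_query_time=$lqt (statements faster than ${MAX_LQT}s never reach the slow log)"
  fi
  [ "$bin" -eq 1 ] || echo "OFF log_bin (no binary record of committed changes)"
  [ "$general" -eq 0 ] || echo "NOISY general_log=ON (every statement is logged; enable only for an investigation)"
  return 0
}
# Constructed my.cnf with weak defaults: no slow log, no binary log, general log left on.
weak_cnf() { printf '%s\n' '[mysqld]' 'log_error = /var/log/mysql/error.log' 'general_log = 1'; }
weak_cnf | audit_mysql_logging
```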