Developing an eCommerce site presents numerous challenges. A site that is fast, looks good and works well is a must. On many occasions we believe that this is enough, and we tend to overlook a very important aspect: security.
eCommerce sites handle sensitive information that is very valuable to attackers, such as user data and credit card data. This aspect is often left entirely to the security that Magento already provides, while the best practices of secure development are ignored.
In our most recent security exercise, together with Damian Gambacorta, one of our Technical Leaders and an Ethical Hacker (g4mb4 in the hacker community), we ran a capture the flag (CTF) so that our developers could experience how a Magento site can become vulnerable when mistakes are made during custom development.
A CTF (Capture the Flag) is a gamified exercise designed to test cybersecurity skills.
The goal of the game is to get the highest score by capturing the most flags.
Completing a CTF exercise has many benefits, including:
In this CTF exercise, we focused on common bugs that all companies suffer from, such as:
By using these common bugs, our developers had the opportunity to experience what a hacker seeks to obtain (and do) on a Magento site, and how to address any issues that come up.
Overall, 121's event was a success! We competed in multidisciplinary teams of 5, and we received 60 reports of possible vulnerabilities. All of them were valid! As part of this exercise, we grouped people into teams different from the ones they work in on a day-to-day basis. This not only helped with team building, but also let them test their problem-solving skills.
At 121eCommerce, and as a Gold Adobe Solution Provider, we believe that eCommerce security is a shared responsibility, and one that gives our agency credibility. It is for this reason that we decided to share the CTF we created, so that other companies can use it and put themselves to the test.
Our CTF Extension is available in our repository. If you want to be part of this initiative, contact us and we will provide you with the guide and instructions to carry it out, at no cost!
We can also provide training on cybersecurity and pentest your custom extensions, as we do with our own.
In the next few weeks, another write-up will be published by G4MB4 about a security vulnerability that affected Magento!
We are already preparing a new CTF with greater difficulty to continue our training in security!