Closed lorikrell closed 3 years ago
Talesh Seeparson and @jfrontain will be working together on this issue. Getting this github account to assign.
You can assign to me.
OK here are my initial high level thoughts for later implementation:
Maybe we have a single section about security similar to how we have the B2B Developer Guide. We can call it the Magento Security guide or something similar. Importantly though I think we should link to it from all the locations listed above (Writing Secure Code + Security, Performance and Data Handling) so we're always directing developers to it.
This major topic would then be split into two sections:
The main reason is that I think technical people that are the audience of the DevDocs need to inculcate the habit of secure maintenance of their sites and if it's listed here, there is a higher chance they'll do it.
1. Merge the Writing Secure Code tips with the ones from Security, Performance and Data Handling into one subtopic called "Writing Secure Magento code"
   * Add in extra secure development notes
2. Create a section for testing the security of your Magento code
   * Introductory section about dynamic testing vs static code analysis
   * Add notes on PHP_CodeSniffer
   * Add notes on OWASP ZAP
   * Add notes on RetireJS / Roave security advisories
   * Add notes on GrumPHP and similar tools
   * Add notes for extension developers and the EQP
   * Add notes on advanced topics like penetration testing for eCommerce etc.
Awesome and thank you @talesh! I was trying to assign this one to you, but not seeing you in the list. You may need to join the repo, etc.
@lorikrell, ask EngComm to add him to the Community Contributor team and then you can assign it to @talesh. Please keep Jeanne in the assignment list as well.
Tossed a request their way!
We can also incorporate the Sensitive and Environment Settings information into Technical practices for secure store operation section of this.
CONTRIBUTORS: Talesh and Jeanne are working on this issue together. If you would like to join them, feel free to post here!
Adding links from multiple docs and info pages @ DevExchange Imagine 2019:
http://ka.lpe.sh/2019/06/09/magentoimagine2019-dev-exchange-recap-make-magento-secure/
https://extdn.org/resources/ten-tips-for-secure-magento-2-development/
https://extdn.org/wp-content/uploads/2019/06/extdn-security-flyer.pdf
There is a Google Doc (not adding that link unless ok). Jeanne has it.
Please see the Security Center for up-to-date best practices.
New topic request
This issue is created for Magento Imagine 2019, but is open to everyone! We welcome PRs to help document this info.
Description
We are seeking your knowledge, expertise, and best practices for security and secure coding. Do you have recommendations, warnings, tips and tricks for extension development?
Where to write?
If you create a new topic, and need a location, you can add it to this directory as part of your PR, unless it fits better in another directory: https://github.com/magento/devdocs/tree/master/src/community/resources
Or you can enhance existing topics such as: