


























Magento 1 will no longer receive official updates & security fixes per July 1st, 2020 (the end-of-life, or EOL date). Merchants are urged to upgrade to Magento 2, but for many stores this deadline is not feasible. Merchants want to know:
Before we answer those, let's take a look at the numbers. Sansec actively monitors the global eCommerce space, and has observed a steady decline in Magento 1 stores. We estimate that 105 thousand Magento 1 stores will still operate beyond July 1st. Effectively, a great number of merchants need to prepare for the upcoming deadline.

Almost all hacked Magento stores are compromised via security bugs in the code. Therefore, the risk of getting hacked is a function of a) the discovery of new bugs and b) the ability to quickly patch those bugs.
Bugs can exist in core Magento code (as maintained by Adobe) and third party extensions.
Bugs are discovered all the time. Since 2015, Magento has found and fixed hundreds of security bugs. But when they cease doing that, it surely would boost malicious actors? The reality is less frightening. Not all security bugs are equal. Out of hundreds of discovered bugs since 2015, only three bugs were super-bugs. They proved so critical that criminals could launch massive, automated hacks into stores. Many other bugs require specific conditions before they can be actually exploited. For example, criminals would need prior administrative access. Or exploitation requires weeks or months of sophisticated preparation. The chance of getting hacked via one of those minor bugs has proven to be negligible in practice.
However, there is a realistic chance that another super bug will be discovered in the coming months. You really should prepare for this event. First, make sure that you will receive a timely alert when a super bug is discovered. And second, you should have a plan ready so that you can apply a fix within 24 hours of discovery. Read ahead on how to accomplish this.
Another common source of Magento hacks are bugs in 3rd party components. Some vendors will release fixes, others will not. Key strategy here is getting timely alerts about vulnerable components, so you can take appropriate action. It is extremely costly to stay up to date on all your extensions, all the time. So selectively updating just those vulnerable extensions is a big cost saver.
Payment providers have released ambigious statements, which sparked extensive discussion. Merchants need to put proper safeguards in place, but what qualifies is up for interpretation. This has been discussed extensively, and Joe Rollinson has written an excellent overview. The gist of it: PCI requires you to install vendor security patches. If you cannot, you will need to implement compensating controls:
With these measures in place, you will be properly equipped to stay securely on Magento 1 beyond July 1st. And you will be able to present a convincing set of measures to apply for compensating controls with your payment provider, should it be necessary.
(M1 EOL image by Artūrs Krūze)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。