by Kevin Schroeder | 11:34 am

Configuring MySQL SSL in Magento (to get your HIPAA auditor off your back)

I’ve been asked a few times now if there is a way to use encrypted MySQL connections in Magento. Most of the time it is when merchants are selling medical products and HIPAA requirements come into play. I am not an expert in HIPAA, nor do I want to be, but with the cost of vulnerabilities on the rise it made sense to at least look into it and get a good answer on how to do it.

by Kevin Schroeder | 1:33 pm

We don’t need better authentication

I saw a tweet today concerning authentication.

“Monaco, at White House cybersecurity summit at Stanford, calls for replacing passwords with more secure technologies.” — Paul Krill (@pjkrill), February 13, 2015

When reading that the

by Kevin Schroeder | 1:05 pm

Is prevention the best security practice?

I read a post tweeted by Chris Cornutt today.  The basic gist of the article is that your security is only as strong as your most ethically-challenged developer.  That got me thinking that we

by Kevin Schroeder | 10:33 am

10 “what to do’s when setting up Magento” and file inclusion attacks

Found this list of things “to do” on Twitter this morning.  I went over the list and saw that there was one item that was missing, which I feel is very important to do.

by Kevin Schroeder | 1:03 pm

Generating secure cross site request forgery tokens (csrf)

I don’t talk much about security.  This is mostly because it’s such a moving target.  I’m also horrified that I might give bad advice and someone will be hacked because of me. But in

by Kevin Schroeder | 12:12 pm

How to use PHP with MySQL (without SQL Injection vulnerabilities)

Chris Dale recently posted a horrifying article on his blog. It is called “Why it’s easy being a hacker – A SQL injection case study”. The most horrifying part of the post was that

by Kevin Schroeder | 12:00 am

Encrypted session handler

A little while ago I had come upon the problem of having to store sensitive data in a user session. The solution that I (and several others) came upon was creating a mechanism for storing encrypted data in a session. But what we wanted to do was build something that didn’t have a single point of failure. We also wanted to build something portable. What we built was a simple Zend Framework session handler for storing sensitive data.
