
Magento 2.4 Latest Security Enhancements


This post covers the latest enhancements to the Magento Commerce platform, which include stronger security and new analytical tools for improved self-service site management. It explains the security features that are new or updated in Magento 2.4.

Topics are:

  • Custom VCL
  • TLS and Fastly
  • Managed Alerts
  • Site-Wide Analysis Tool (SWAT)
  • Enhanced Security Scan
  • Magento Commerce Quality Patches (MQP)

Let’s take a look at each topic in a little detail.

1. Custom VCL to bypass Fastly cache

Fastly is required for Magento Commerce Cloud, and is used in both the Staging and Production environments. Fastly works with Varnish to provide a Content Delivery Network (CDN) and fast caching capabilities for static assets.

Fastly provides the following services to optimize and secure content delivery for Magento Commerce Cloud projects. These services are included with the Magento Commerce Cloud subscription at no additional cost.

  • Content delivery network (CDN)
  • Security
    – DDoS Protection
    – Web Application Firewall
  • Image Optimization
  • Fastly CDN and WAF logs

VCL, the Varnish Configuration Language, allows you to define the caching policy. VCL code is parsed by Varnish, translated to C, compiled, and linked into the running Varnish process.

In Magento, custom VCL snippets are blocks of VCL logic added to the active VCL version. A custom VCL snippet modifies the way Fastly caching services respond to request traffic. For example, we can add a custom VCL snippet to limit traffic to specified client IP addresses only, or to block traffic from websites known for sending referral spam to your site.

Custom VCL snippets are generated, compiled, and transmitted to all Fastly caches, and can be loaded and activated without server downtime.
Fastly supports two types of custom VCL snippets:

– Regular snippets: Custom regular VCL snippets are dependent on VCL versions. We can create, modify, and deploy regular VCL snippets from the Magento Admin UI or the Fastly API.
– Dynamic snippets: VCL snippets which are created using the Fastly API. We can modify and deploy dynamic snippets without having to update the Fastly VCL version for your service.

Magento recommends using custom VCL snippets with Edge Dictionaries and Access Control Lists (ACL) to store data used in your custom code.

– Edge dictionary: Stores data as key-value pairs in a dictionary container which will be referenced from custom VCL snippets.
– Edge ACL: Stores the client IP address data that defines the access control list for block/allow rules implemented using custom VCL snippets.

Now we can create a custom VCL snippet to bypass the Fastly cache so that you can troubleshoot request traffic to the origin server, for example to determine whether site issues are caused by caching or to inspect headers. This is otherwise called Origin Cloaking.
You can configure the VCL snippet to bypass Fastly caching for requests coming from a specific IP address or URL.
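As an added example (not code from the original post or from the Magento Fastly module), the snippet below combines the two techniques described above: an Edge ACL that lets a troubleshooting client bypass the cache for one URL prefix, and an Edge Dictionary that blocks known referral-spam hosts. The ACL name `troubleshoot_ips`, the dictionary name `blocked_referrers`, the `/checkout` path prefix and the `X-Origin-Bypass` header name are assumptions; both containers would be created in the Fastly service before the snippet is activated.

```vcl
# Added example: recv-type custom VCL snippet (runs in vcl_recv, before the cache lookup).
# Assumed containers, created in the Fastly service beforehand:
#   Edge ACL        "troubleshoot_ips"  - client IPs allowed to bypass the cache
#   Edge Dictionary "blocked_referrers" - referrer host -> "block"

# 1. Cache bypass for troubleshooting: only requests from an ACL member, and only
#    under the assumed /checkout path, go straight to the origin. Restricting the
#    bypass to an ACL keeps anonymous clients from forcing origin traffic.
if (client.ip ~ troubleshoot_ips && req.url ~ "^/checkout") {
    # Tag the request so the bypass can be confirmed in the response (deliver snippet below)
    set req.http.X-Origin-Bypass = "1";
    return(pass);
}

# 2. Referral-spam blocking: extract the host from the Referer header and look it up
#    in the dictionary; hosts that are not listed default to "allow".
if (req.http.Referer) {
    declare local var.ref_host STRING;
    set var.ref_host = regsub(req.http.Referer, "^https?://([^/:]+).*$", "\1");
    if (table.lookup(blocked_referrers, var.ref_host, "allow") == "block") {
        error 403 "Forbidden";
    }
}

# --- Separate deliver-type snippet (runs in vcl_deliver) ---
# Surface the bypass decision to the troubleshooting client so it can be verified
# with the response headers rather than by guessing from timing.
if (req.http.X-Origin-Bypass) {
    set resp.http.X-Origin-Bypass = "1";
}
```

Keeping the IP list and the referrer list in an ACL and a dictionary rather than hard-coding them in the VCL means both can be updated through the Fastly API without deploying a new VCL version, which is the reason the text recommends those containers for data used by custom snippets.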

2. TLS and Fastly

Magento now replaces the current method of shared certificates with the new Fastly Platform TLS, providing an individual certificate to each merchant along with measures to validate the certificate.

If you use TLS (the updated successor to SSL) in a Fastly-enabled environment, then when you open your Magento Support ticket for DNS information and go-live, you need to state that you are using TLS, provide the domain name, and request the TXT record. You can then send this record to your DNS provider. The domain validation process is performed by Fastly.

3. Managed Alerts

It is now easy to proactively track the performance of the platform and take steps, such as up-sizing, to prevent site performance issues or downtime by monitoring 200 metrics in four different categories: CPU, Apdex, disk, and memory.

To track the following metrics, Adobe provides the Managed Alerts for Magento Commerce alert policy on Cloud Pro Production environments:

    – Apdex score
    – Error rate
    – Disk space (on Pro Production environments)
    – CPU usage
    – Memory usage

Magento Commerce Cloud Pro customers can use managed alerts to understand the health of their site. Magento has set up key dashboards and alerts to help you understand when your site is reaching critical storage and Apdex levels (Apdex measures users’ satisfaction with application and service response time). This lets you take action before you notice slow response times or an outage.

4. Site-Wide Analysis Tool (SWAT)

The manual process of site analysis is automated by the Site-Wide Analysis Tool, which can schedule an automatic site analysis and generate a customer-specific report based on its findings. This is known as the SWAT report. In other words, a SWAT report is a fully automated report produced by the SWAT tool that includes:

    – Site status information
    – Issue findings
    – Best Practices Recommendations
    – Third-party extension information
    – Exception log analysis.

Each finding in the SWAT report is explained in terms of:

    – What was found (the issue)
    – Its root cause
    – The impact of the issue on the website
    – The recommended solutions or best practices

5. Enhanced Security Scan

The Magento Security Scan tool is an important part of Adobe’s strategy to help Magento Commerce and Magento Open Source merchants enhance the security of their storefronts. The Security Scan tool helps merchants identify:

    – Potential malware and vulnerabilities on the web store
    – Out-of-date security patches
    – Potentially vulnerable extensions
    – Digital skimming injections
    – Security misconfigurations
    – Streamlined guidance about Magento Commerce security best practices

The Magento Security Scan tool can alert the admin through an automated email notification when potential threats are identified.

Adobe has partnered with Sansec, which is a leading security company helping to prevent digital skimming. With this partnership, Adobe will be adding over 9,000 malware and vulnerability signatures to the Magento Security Scan tool. Each of these signatures has undergone a multistage testing and validation process before being added to the scan tool. Sanguine Security’s research team analyses more than 300 known eCommerce attacks every week. This information produces a valuable stream of possible attack vectors and indicators of compromise (IOCs). The data is continuously fed as threat signatures into the enhanced Security Scan tool, leading to approximately 300 new signatures added monthly.

The enhanced scan tool helps customers to:

  • Get real-time insights into the security status of their Magento store, with best-practice suggestions that assist in fixing issues.
  • Run over 17,000 security tests to help identify potential malware on the website.
  • Access the historical security reports of their Magento sites to track and monitor progress over time.
  • Access the scan report, which shows the successful and failed checks and recommends further action, if any.

6. Magento Commerce Quality Patches (MQP)

Adobe has released Magento Quality Patches (MQP), a tool that allows for applying, reverting, and viewing general information about the quality patches available for your installed version of Magento. The Magento Quality Patches package delivers individual patches developed by Magento and allows you to apply those that are available for your Magento Commerce or Magento Open Source version.

MQP provides faster self-service issue resolution, allowing you to easily apply patches suggested by Magento Support for issues you might experience with Magento.