Blog
-
I asked ChatGPT, what is Magento Master?
I asked ChatGPT, an AI chatbot from OpenAI, what Magento Master is. The result looks convincing. What do you think?!
Magento Master is a program designed to recognize and honor members of the Magento community who have made significant contributions to the platform and the ecosystem as a whole. It is a way for the Magento team to recognize and acknowledge the hard work and dedication of these individuals, and to showcase their expertise and leadership within the community.
To become a Magento Master, an individual must demonstrate a strong track record of contributions to the Magento community, including involvement in events, speaking at conferences, writing blog posts or articles, contributing code to the platform, and generally helping to advance the use and adoption of Magento. There are three levels of Magento Master: Magento Master: Mover, Magento Master: Maker, and Magento Master: Innovator. Each level recognizes a different level of contribution and expertise within the community.
The Magento Master program is an important part of the Magento community, as it helps to recognize and celebrate the contributions of its most dedicated and influential members.
-
Security.txt Magento module
With the recent release of Magento 2.4.0 Open Source and Commerce, you can find a brand new module under the vendor/magento/ directory named module-securitytxt. It may look like a small module, but you will be amazed by how important it is for security. Two years ago, I was reading blog posts from Troy Hunt and other reputed people in the security industry about a new file called security.txt, which allows security researchers to report security vulnerabilities to the right people in an organization. I was amazed by this because of my personal experience of not getting hold of the right people in an organization whenever I found a security vulnerability on a website. I had found security issues on numerous websites before reading about security.txt, and tried many ways to reach the people in those organizations in an effort to get hold of someone responsible for fixing them. I sent messages to people working at those organizations via LinkedIn, Twitter DMs, technical email addresses I could find from whois, customer service, etc. Zero replies! Of course, who would want to reply to such scary messages about their website, right?!
Security.txt to the rescue
As soon as I learned about security.txt, I read many articles and checked its official website https://securitytxt.org/ to understand how it works. I really liked the concept and wanted to make it available to everyone on the very platform I love, Magento. I built a Magento 2 module that allows administrators to input and store all the security contact details and the signature in the database; these are then served at the standard locations https://website.com/.well-known/security.txt and https://website.com/.well-known/security.txt.sig.
Security.txt files have been adopted by many big players in the industry like Google, GitHub, LinkedIn and Facebook.
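As an added example (not code from the securitytxt module or from securitytxt.org), here is a small Python checker for the contents of a served security.txt file, applying the field rules later fixed in RFC 9116: Contact and Expires are required, Expires must be a future RFC 3339 timestamp, and web URIs must use https. The SAMPLE file and its example.com addresses are constructed for the demonstration.

```python
"""Validator for a security.txt document (added example, not the module's code).
Rules follow RFC 9116: Contact and Expires are required, Expires is a future
RFC 3339 timestamp, web URIs use https. SAMPLE and its addresses are constructed."""
from datetime import datetime, timezone

REQUIRED = ("Contact", "Expires")
KNOWN = REQUIRED + ("Encryption", "Acknowledgments", "Preferred-Languages",
                    "Canonical", "Policy", "Hiring")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

def parse_security_txt(text):
    """Return (fields, errors); fields maps a field name to its list of values."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are permitted
        if ":" not in line:
            errors.append(f"line {lineno}: expected 'Field: value'")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name not in KNOWN:
            errors.append(f"line {lineno}: unknown field {name!r}")
        fields.setdefault(name, []).append(value)
    return fields, errors

def parse_expires(value):
    """RFC 3339 timestamp with an offset; a trailing Z is normalised for older Pythons."""
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if stamp.tzinfo is None:
        raise ValueError("missing time zone offset")
    return stamp

def validate(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = parse_expires(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields, errors = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name}")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            errors.append(f"Contact {value!r} must be an https, mailto or tel URI")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        errors.append("Expires must appear exactly once")
    for value in expires:
        try:
            if parse_expires(value) <= now:
                errors.append(f"file expired on {value}; researchers may distrust it")
        except ValueError as exc:
            errors.append(f"Expires {value!r} is not RFC 3339: {exc}")
    for name in ("Encryption", "Canonical", "Policy", "Acknowledgments", "Hiring"):
        for value in fields.get(name, []):
            if value.startswith("http://"):  # RFC 9116 requires https for web URIs
                errors.append(f"{name} {value!r} must not use plain http")
    return errors

SAMPLE = """# Constructed sample of what /.well-known/security.txt could contain
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-12-31T23:59:00Z
Encryption: https://example.com/.well-known/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
"""
```

Running `validate(SAMPLE)` against the current date reports the expired timestamp once the constructed Expires value has passed, which is the most common way a published security.txt silently goes stale.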
Listen to the community
Right after building the module and pushing it to my GitHub securitytxt repo, I gathered feedback about this new security standard from the Magento community. I asked many well-known people in the community, at various events and Dev Exchanges, to understand its pros and cons from other people's perspectives. Unsurprisingly, many were in favor of it. Some people were against having a dedicated module for this, because Magento already has many modules that not every merchant needs but that they still have to keep because... they come out of the box. A totally valid point. However, this is a security module: Magento 2 was already infested with security bugs in the early days, not to mention the security bugs that get introduced via third-party extensions. With the modular approach of securitytxt, it is very convenient for any merchant to enable it, input the security contact details and save them right from the admin, which hardly takes 2 minutes! Honestly, I do not know why anyone would want to disable a security module. Before the module, hardly any merchants had uploaded a security.txt file to their server, even though the argument was that doing so is the easiest approach, so why introduce a module for it. Ultimately, the reward outweighed the risk and it was decided to ship this module in the core bundle.
I presented the importance of security.txt at various meetups last year and gathered feedback from the event attendees as well.
-
Magento Master 2020 – Makers
As many of you already know, I was selected this year as a Magento Master 2020 in the Makers category. I am very grateful to all the people who encouraged and believed in me during this roller-coaster journey. I am thankful to Ben Marks, Sherrie Rohde and the entire Magento, an Adobe company, team, who had to put in a lot of effort to analyze all the contributors across many categories and narrow it down to the final 20 top contributors in the community.
https://magento.com/magento-masters/meet-the-masters
Magento Masters – Maker category
By definition, Makers are frequent contributors highly valued by Magento and other community members. They actively engage with others in the Magento Community, sharing ideas, insights, innovations and constructive feedback.
Rewards and Benefits to the Magento Masters
- Invitations to special events
- Involvement in community feedback opportunities
- Discounts on events and certifications
- Quarterly Magento Masters calls with the Magento team
- Recognition at events, including the Magento Imagine conference
- Introduction into Magento Community Hall of Fame
-
How to pass Magento 2 certification exams
Hi folks, I am getting many requests by email, Twitter, Slack, Skype, etc. on how to pass M2 certifications. I recently passed my 5th M2 certification exam and would like to share with all my Magento friends how I prepared for these exams. There is no secret mantra that can help you pass M2 certification tests quickly and easily.
You need hands-on experience; that is the first mandatory requirement. At least a year of experience in Magento 2 will give you a good understanding of how everything in it works. If you are the kind of developer who copies and pastes code all the time, you need at least 3 years of Magento 2 experience.
Second on the list is Magento DevDocs. No matter which M2 exam you go for, read and understand all the Magento DevDocs articles on it. Having been part of the group that wrote the hardest M2 certification test questions, I can assure you that you will not be disappointed if you have prepared with DevDocs for your certification exam.
Thirdly, go through the SwiftOtter study guides. Go through them slowly and understand each and every line written in the guide. After completing that, take the SwiftOtter test to know where you stand with your preparation and whether you will be able to crack the real exam.
Last but not least, try things practically. Though I understand you might not have the luxury of time to test and learn everything practically, try the important areas of the exam by writing the code locally and understanding the flow of logic.
I may edit this post in the future, but if you have followed the important points mentioned above, your chances of passing any M2 exam will increase exponentially.
-
#MagentoImagine2019 Dev Exchange Recap – Make Magento more secure
This year's Magento Imagine conference was amazing; around 3,500 people from around the world attended the event, which was held at the Wynn, Las Vegas. I met many people whom I already knew, and many more whom I had never met before in real life but had interacted with on social media and forums.
I hosted a table at Dev Exchange around Magento security, which was co-hosted by Pablo Benitez from eBizmarts. Piotr Kaminski and Steven Zurek participated from Magento/Adobe's side. Talesh Seeparsan took all the notes and contributed to the discussion during the talk. Other people who joined the table from Magento and the community were Igor Miniailo, Igor Gorin, Georgiy Slobodenyuk, Lee Saferite, Manish Mittal, Jeanne, Scott N and Shilpa M. Everyone participated in the discussion and gave valuable feedback on the topics we discussed; overall it was very productive.
There were 4 main topics we discussed at the table:
1. Extension developers write secure code
With the proactive and nimble approach Magento has taken to core security, agencies and merchants many times find that external third-party extension makers have not put in as much effort. How can we encourage their developers to take a more secure coding approach? Can the Magento community maintain a secure coding practices document for security, like the technical guidelines? Validate code using a tool like PHP CodeSniffer? What solutions already exist that we can rely on? What processes already exist that we can implement?
Static Scanners / RIPS:
Third-party code checking and code scanning is a complex process. RIPS works for some paths, and they are also working on improving the support. We can add regular expressions to the old open source versions as well. However, we have to do a lot of work to deal with the false positives because they do not directly support Magento.
Dynamic Scanners:
Dynamic scanning is probably the better idea, for example using OWASP ZAP to test the input fields of extensions. There are current efforts to get an easy-to-set-up OWASP ZAP fuzzer for Magento extension makers.
There is a danger in reporting errors in extensions without understanding the value of the error or making it easy to act on it, for example using tools that just dump a PDF of all the errors, versus categorizing and ranking problems and putting them into a bug tracker. We should have documentation of recommended fixes for the types of errors dynamic scanning reports.
Vulnerabilities in extensions:
A lot of extension providers are not prepared for a vulnerability in their extension. There are a few common problems with their approach:
- Not fixing vulnerabilities and ignoring input from developer community, or
- Fixing vulnerabilities silently and not notifying their customers, or
- No way of notifying their customers of a new version with a fix.
There should be a process for responding to security vulnerabilities if extension makers want their extensions to be on the Marketplace. There should be consequences instead of enforcement when dealing with extension makers with vulnerabilities.
Marketplace vs non-marketplace extensions:
Unfortunately, most of the problems we see are in extensions that are not from the Marketplace, so enforcement of security policies may have the unintended consequence of reducing the number of extensions on the Magento Marketplace. One possible solution for extensions not on the Marketplace is a warning in Magento if the code matches an extension that is on the Marketplace. This works for vendors that sell the same extension on the Marketplace and on their own site.
One of the driving reasons for buying extensions from outside the marketplace is because updates from the Marketplace are too slow. The process is improving though.
It would be good if the Marketplace extension page showed the version that is on the Marketplace and which past versions may be vulnerable.
-
Magento Imagine Dev Exchange 2019
Magento Imagine 2019 is just 2 weeks away; I cannot wait any longer! This year will be crazy for me, as I am participating in Contribution Days as a Maintainer, which happen on the Saturday and Sunday before the conference, and also hosting a Dev Exchange table after the conference on Wednesday. Also, this will be my first Imagine from the agency side, so things will be different.
As many of you know, I have advocated Magento security for quite a while now. From submitting core security bugs to adding an entire Security topic to the Magento 2 Professional Developer Plus certification, I realized there are many more things to do. This year I am going to host a Dev Exchange table where I will share my security ideas and also get ideas and feedback from the community. One very important thing we will address this year is third-party extension security. Pablo Benitez, CTO at eBizmarts, will join me to bring in the business perspective when talking about third-party extension security. Talesh Seeparsan will bring his past Dev Exchange experience on security and help us guide and note down all the ideas and feedback that we discuss with the participants.
If you are coming to Magento Imagine and will stay a little late on Wednesday, please stop by our Dev Exchange table and join the conversation. Here are the topic and details we submitted for the Magento Imagine Dev Exchange 2019:
Do you have ideas to make #Magento more secure? Are you interested in participating on security-related discussion at #MagentoImagine? Then please vote/comment here (deadline 4/26) and stop by our DevExchange table https://t.co/ZNoLSwScrH. cc/ @_Talesh @centerax @foomanNZ @ext_dn pic.twitter.com/eGS0vF8P6R
— kalpesh.eth (@kalpmehta) April 25, 2019
-
I am one of the Top 50 Magento Contributors of 2018
This week Magento announced the top contributors from the past year. I was thrilled to see my name in the top 50 Magento contributors of 2018. It is an honor to be on that list with other Magento legends, most of whom are or were Magento Masters.
A round of applause, please, for the Top 50 Contributors in 2018! Keep an eye out for more great contributions from these community members #MagentoCommunity #MagentoDevelopers #Magento https://t.co/8kP7WNl1Ep pic.twitter.com/JSzK5fxhBh
— Adobe Commerce (@AdobeCommerce) February 5, 2019
It is just incredible that there were 5,900 contributors that Magento could quantify in 2018. I am so proud to be in the top 1% of contributors who were recognized in the Top 50 list. It is a very difficult job to find who contributed the most or whose contributions had the most impact in such a large contributor community, but Sherrie Rohde, Magento Community Manager, excels at that.
As a side note, there were over 5,900 contributors (that we know of and could quantify) in the Magento Community in 2018. My mind is blown. 5,900?!
Literally the best community that exists, not that I'm biased. 🧡
— Sherrie Rohde (@sherrierohde) February 5, 2019
For all those contributors who couldn't make it onto the top 50 list, here is a thankful quote from Sherrie with an orange heart!
Thank you so much to these 50, but also to the rest of you who continue to help this community in ways that are unique and central to you! Contributing isn't about being recognized, but recognizing is one small way that we can thank you. 🧡 https://t.co/65xLtv4zEI
— Sherrie Rohde (@sherrierohde) February 5, 2019
Keep contributing!!
-
Magento 2 Certified Professional Developer Plus Workshop
Last month Jonathan from Corra and I participated in the M2 Developer Plus certification workshop, which took place in London. The goal of this new certification is to test developers' skills in Magento 2 Commerce and Open Source. This exam is intended to be more difficult than the Professional Developer exam that launched earlier this year. The exam will be scenario-based, so don't come to the exam having memorized class and method names; it will not help 🙂
Participants
Developers from Magento, an Adobe Company, and a few SIs participated in this workshop to come up with the questions for this exam. Everybody was highly skilled in Magento 2 and submitted very good questions, which will make it difficult for developers to pass this exam 🙂 Partners who participated: Corra (Jonathan Lorenzi and I), Something Digital (Max Chadwick), DCKAP (Jaykanth), Vaimo (Sergii) and Cream NL (Julian). Alex Paliarush and Iryna were there from Magento. Vitaliy Golomoziy and Vinai Kopp were at the top of their game, submitting and reviewing a crazy number of questions respectively. It was great to work with all these awesome folks for four days. This was all possible under the guidance of Peter Manijak, Director of Certification & Special Programs at Magento U.
New topics
This exam adds two new topics that are not in the Professional exam. The first is, of course, Magento 2 Commerce features. The other, which I have personally advocated for a few years to include in different areas of the Magento ecosystem, is Magento Security.
Magento Security
I proposed this topic to Peter Manijak a few weeks before the workshop; he really liked the idea and gave his support to include it in the certification. We were not sure whether to add objectives to other topics or to create an entirely new topic for it. Peter took this to the team and we agreed to keep it as its own topic. We also got support on this topic from Richard Huie-Buckius, Head of Training & Certification Services at Magento, an Adobe Company. I am very grateful to Peter and Richard for understanding the importance of security in Magento and making it a part of the certification. Peter is personally a big fan of security, so huge props to him for including this additional topic in the exam.
The goal of introducing Magento Security to the exam is to test developers' abilities in the security area when they develop something in Magento. Security is a part of development; every developer who works on Magento needs to know at least the basics of security to write secure code while developing extensions or custom in-house modules. The exam will test developers with frontend, backend and overall architecture-related security questions. For full details, wait for the study guide 🙂
Launch date
The certification will be available to the developers in November 2018 (as per the tweet from Magento U handle).
The Certified Professional Developer PLUS exam creation workshop is well underway in London!! If you are an experienced Magento 2 Developer and are a Certified Professional Developer, keep an eye out on the website for exam details coming this November! pic.twitter.com/fTX9gSrCMV
— Magento U (@MagentoU) September 26, 2018
Thanks
It was a great opportunity for me to participate in this workshop. I learned a lot from all the participants and am thankful to Peter Manijak and Corra for allowing me to participate in the workshop!
-
Magento 2 Certified Professional Developer Exam Experience
The M2 Certified Professional Developer test has been around for a while now, and I finally got some time to prepare and sit for it. It asks you 60 questions, which you have to answer within a time limit of 90 minutes, so basically you get 1.5 minutes per question. You should not waste time when you are able to answer a question quicker, though, as there are many questions in the test that are lengthy and require more time to understand. If you are a non-native English speaker, you may have to read some of the questions 2-3 times before fully understanding what exactly is being asked. The passing score is 64%, so you need to get 39 correct answers out of 60, which is almost 2 out of 3 questions. At the end of the test, you get the score on screen, which is great for knowing instantly whether you passed or need to retake the test.
Yesterday I took the M2 Professional Developer test and passed it. To be honest, I found it difficult; the questions were lengthy and the answers were confusing. Magento recommends that developers have at least 1.5 to 2 years of experience before taking this test, but I think you can still go for it if you have worked hands-on on 4-5 Magento 2 projects with around a year of experience. I believe that is enough if you are fully into Magento and understand the architecture of the system and the technical concepts of the various features it offers.
I found SwiftOtter very useful, along with its practice test, which offers 44 questions: https://swiftotter.com/technical/certifications/magento-2-certified-developer-practice-test. However, it is not guaranteed that you will pass solely by studying their guide and practice test. You also need to understand the code and have experience working with it on M2 projects to clear the exam. I suggest taking the practice test once you have read and understood the topics in the guide and Magento DevDocs and are ready to face the real test.
It's evident that a lot of hard work was done by the Magento U team and the developers who contributed to this test by writing questions and answers. It is really hard to pass this test if you do not have a deep understanding of Magento 2 concepts and enough practical knowledge to prove your M2 abilities.
I think this test could have done even better if it had also focused on:
Security – Not a single question was asked on this topic. I am not talking about Payment, PCI and Magento Vault when I say security; I mean writing code that does not leave behind security vulnerabilities. It should be a must for a backend or full-stack developer to at least have a basic understanding of how to write secure code. Magento had a great opportunity to include some good security questions here (CSRF tokens, escaping user-submitted data, XSS prevention, preventing file path exploits, sanitizing user data before saving to or reading from the DB, etc.), but….
Readability – Most Magento developers are from non-native English-speaking countries, myself included. I feel there were a few lengthy questions that were just difficult for non-native speakers to understand. I also heard similar complaints from a few developers who took this test, confirming that they had to read some of the questions 2-3 times, which took up much of their time just to understand what the questions were asking. That is a disadvantage to many developers and I believe Magento U will take note of that when writing new test questions.
Let me know your thoughts! Kudos to Magento U team for creating such an outstanding test.