"Security is our business model"

16.04.2020

June is approaching in leaps and bounds, and with it the date that Magento fans have long refused to believe: Magento 1 EOL. But what does this date actually mean for all online shop operators whose shops run with Magento 1? And how should they prepare for this date? We explore these questions in an interview with Rico Neitzel, managing director of the advertising agency "Büro 71a" and co-founder of "Mage One".

Why did you found MageOne?

I have been active in the Magento community for many years as a trainer and member of the Advisory Board for certifications, and after it was announced that the service for Magento 1 was to be terminated, we got together and decided that Magento 1 must not die. "We" means various people from the community who have accumulated information and expertise about Magento, in some cases over ten or twelve years: Fabian Blechschmidt, Tobi Vogt & Ingo Hillebrand as well as Carmen Bremen. Our goal in all of our deliberations was to help retailers continue to operate their Magento 1 online shops safely after June or July 2020, while giving them enough time to migrate to another shop system.
We were and are certainly not the only ones who have taken this approach. Mage LTS by Open Mage, for example, is an open source initiative by various community members who offer support. However, this is dependent on the free will and commitment of the members and is only a limited alternative for traders, as legal issues such as PCI compliance etc. are not covered. Therefore, we have decided to found a limited liability company so that we can offer traders the necessary legal security. Our service is therefore not free of charge and we can also act more flexibly in other areas thanks to the capital. For example, we have the opportunity to offer an incentive-based bug bounty programme, which is very important because security-relevant bugs in Magento 1 are now much more difficult to find than in version 2. As soon as Magento 1 is posted by Adobe on Hacker One, we will open an account there and all security researchers can then participate - but of course direct contact via our homepage is also possible.


However, Mage One was not founded for profit alone - although as an entrepreneur you probably shouldn't say that - but also to some extent out of altruism. This is also the basis of our pricing model: we also want to offer smaller shops the opportunity to use our service, and that's why our entry price starts at 29€ per month. You can imagine that this is not cost-covering, but we follow the community idea that the big ones help the small ones and vice versa. Everyone offers a certain added value, for example by making solutions available in open source.

You offer support for at least 5 years - longer if necessary. Who defines the need?

Ultimately, the market defines how long we offer our support. Our business model is not designed for that, because five years is eons in software development and e-commerce. I personally don't think we will be active for longer than five years, because we are in close contact with agencies, customers and service providers and have a good overview of the market, but of course we leave this option open in order to be able to offer the best support.

What exactly do you offer?

We ultimately offer what Adobe also offers - only faster 😊. Previously, it could take several weeks after a security vulnerability was reported before Adobe made a corresponding patch available. We have set ourselves the goal of plugging **security gaps within 30 days after notification**.

Also, merchants can seamlessly continue with Mage One where Adobe will stop at the end of June - if it's Magento 1.9.4.6 at that point, then we'll continue from that version, rather than Mage-LTS with an alternate version. In this way, we want to prevent any undesirable side effects and also ensure that someone using Mage One can continue to work as they have been, without any unnecessary migration effort. Of course, the merchant will always need to upgrade to the latest version of Magento 1.9 though. This should not be a big effort for merchants and agencies, as the last patches and version updates were mostly almost identical and changes were thus minor.

Of course, we also patch Magento with regard to the latest version of PHP, Apache, Nginx and MySQL, so that the server platforms can also be updated to ensure security on them as well.

What is so special about Magento 1 that you support it in this way? And are there adequate alternatives?

Well, to a certain extent, the idea of nostalgia certainly plays a role here. The Magento 1 community has existed in part for many, many years and there are people I have known for almost 12 years, during which we have gathered countless emotional experiences with the system.

However, many agencies simply do not have the personnel resources to migrate all their supported shops to another shop system. In addition, one has to realise that the technology requirements from Magento 1 to Magento 2 have been raised so high that one has to assume an additional cost factor of 1.8 to 2.5 in order to be able to carry out the migration - and these enormous investment sums must first be profitable for a retailer. Thus, we also have many customers who ultimately have no alternative and urgently need a way to bridge the time and financial gap.

One should also not underestimate the fact that Magento 1 can be used to map shops of any size. In the German-speaking world we have a special phenomenon, because here there are actually many small shops that are based on it, and their livelihoods cannot simply be replaced. Of course, there are many other shop systems, such as Shopify and Jimdo, but they are also quite limited in their adaptability. And interestingly, the shops of many of our Magento 1 customers are very individual, with many customisations in design and functionality that you can't map with conventional shop systems.

What we have noticed in recent months with regard to shop systems is that many Magento developers are looking in the direction of Shopware 6 (note: this was already a topic at the last MageUC). As a system, Shopware is certainly interesting, as it is simply very modern and has a very slim design and still comes up with a good feature set. There is also a free and a paid version. And what I find very pleasant is that you have a similar feeling as in the initial phase of Magento 1. You have a very close and hot line to the developers and also really have the feeling that they are still listening to you. With Adobe, it's now the case that you can shout as much as you want, even if you're standing in front of the building with a megaphone...

Whichever shop system you choose, you should take the opportunity to take a close look at which things are in your current shop and ask yourself whether you still need them, or whether the requirements for a modern and functional shop have changed in the meantime. And until the migration, you will not be able to avoid taking care of Magento 1.

Do you offer your support to customers who want to migrate to another shop system?

No, we do not offer such a service. We don't host and we don't look after shops. Our core business is the development of security patches and we concentrate on that, because we would not have the manpower to do it.

Those who want to switch to Shopware can take advantage of our cooperation with the company: for switchers, our service can be used free of charge for six months, because Shopware takes over the costs.

How many and which shops do you think are affected by Magento 1 EOL?

The number of shops is of course constantly decreasing, but on the EOL date there will certainly still be an estimated 100,000 shops worldwide that run on Magento 1. However, there will certainly also be test instances or lost places, so it is not possible to give an exact number.
The interesting thing is that significantly more enterprise customers are asking us for support than expected. Many are even thinking about downgrading from the Enterprise to the Community version, because they have built up a solid platform over the years and would now have to completely rebuild it, since the technological basis of Magento 2 is different. The basis for these considerations is the fact that the Enterprise source code is not accessible, or Adobe does not release it. Furthermore, the licence conditions prevent us from working on the source code, and therefore we cannot support the customer. For enterprise customers, there are a few ways to deal with this dilemma:

  • Since the Enterprise Edition is more or less a community version with additional modules, only the community edition part could be patched, since it is publicly accessible. With regard to the Enterprise Edition part, the probability of an attack is relatively low because the code is not public, but increased vigilance is nevertheless advisable. Increased cooperation with security service providers and other experts could be used here.
  • Downgrading to the community version is an option if you have ordered an enterprise edition in order to receive support through it.
  • You take full risks and hope for the best.

I assume that the attacks on Magento 1 will increase from June onwards, because it is of course a lucrative target, so as an enterprise customer you should have found a solution for yourself in advance.

How do you see the issue of PWA as another alternative?

Interestingly, I recently had a conversation with a shop operator who told me that he would actually have to switch to Magento 2 because he would like to use the PWA theme. I then explained to him that a change is not absolutely necessary, because you build an application for which it is actually irrelevant what sits behind it. Magento 1 also has an API that you can use for this (note: GastroHero has developed a PWA shop with Magento 1 - more in this blog). It's not particularly fast, but if you integrate some sophisticated logic into Magento 1 that provides what you need up front in your JavaScript application, then you can do it without any problems. When talking about Magento 2, the API approach is certainly a bit more in the foreground, but it is still not a system that was developed according to the API-first approach, and due to the structure of Magento 2 there is ultimately no great advantage in migrating first before developing a PWA.

If you really want to get into PWA, you should look for software that is built API first - that is, a big core that provides an API to the outside, technical endpoints that provide me with structured data. Here, by the way, we come back to the topic of Shopware 6: both the admin panel and the frontend are completely API driven and it doesn't matter what frontend I put in front of it. I could even use Shopware 6 as the backend and Magento as the frontend 😊.

What are the next three steps you recommend for Magento 1 customers?

In any case, the first thing you should do is update Magento, i.e. update patches and use the latest version, because Mage One will only work with the latest version.
The second step should be to provide a plan for how to proceed with Magento 1 over the next five years:

  • What is my exit strategy?
  • Do I want to switch to another platform?
  • Will I change my business model?
  • Do I perhaps have the option of taking over Magento 1 completely myself and developing it further?

And the third step should be to find the right partners to help implement these plans and ensure the security of my shop during the implementation phase. And by that I don't just mean the actual server security, but also someone who actively checks various components and services used for gaps. It is indispensable for the retailer to offer a secure platform for his customer data, because it is not only since the GDPR that the customer trusts that his data is safe with the retailer - and only those who trust will also buy.
If you have all these points organised, I think you can work well with Magento 1 for the next five years and meanwhile prepare for a change, an upgrade or "something". This also leaves enough time to make sensible and cost-efficient decisions and then carry out a really good migration.


Anyone who wants to get in touch with Rico and needs support with their Magento 1 shop can reach him via Büro 71a or Mage One.
Want to report a bug in Magento 1? Then take part in the Mage One Bug Bounty Programme via Hacker One, CVE Board or directly via Mage One.

Note: this interview has been shortened.
