Find security risk and code quality in your php application.
PHP rule the web with around 80% of the market share . It’s everywhere WordPress, Joomla, Lavarel, Drupal, etc.
PHP core is secure but there are a lotmore on top of this which you might be using, and that might be vulnerable. After the development of a site or complex web application, most of the developers and site owner focus on functionality, design,SEO and they forget the essential component security .
As a best practice, you should consider performing a security scan against your application before going live. This applies to any sites small or big. There are some tools to help you with that.
PMFPHP Malware Finder (PMF) is a self-hosted solution to help you findpossible malicious codes in the files. It is known to detect dodgy, encoders, obfuscators, webshellscode.
PMF leverage YARA, so you need that as a pre-requisite to run the test.
RIPSRIPS is one of the popular PHP static code analysis tools to be integrated through the development lifecycle to find security issues in the real-time. You can categorize the finding by industry compliance and standard to prioritize the fixes.
OWASP Top 10 SANS Top 25 PCI-DSS HIPPA
Let’s take a lookat some of the following features.
Pinpoint risk based on severity and option to define weights for critical, high, medium and low. Collaborate the investigation and prioritize the issue Understand the vulnerability impact Evaluate security risk between old and new code Create a to-do list and assign tasks using the ticketing systemRIPS let you export scan results report into multiple formats PDF, CSV and other by using RESTful API.
It is available as a self-hosted and SaaS model. So choose what works for you.
SonarPHPSonarPHP by SonarSource uses pattern matching, data flow techniques to find vulnerabilities in PHP codes. It is a static code analyzer and integrates with Eclipse, IntelliJ.
SonarSource checks the code against more than 140 rules, and it also supports custom rules written in Java.
SensioLabsSensioLabs leverage composer.lock file to check for known security risk. Checker is available in three ways.
Online you upload your composer file to perform a test CLI download the tool to use it locally or integrate within the development lifecycle API use web service to check vulnerabilities. Results are available in text and JSON format.An exciting stats shows 9% of total checks had one or more known vulnerabilities.
Exakat
A real-time static code analyzer engine to check compliance, risk and reinforce best practices. Exakat got more than 300 analyzers dedicated to PHP. There are framework specific analyzers likeWordPress, CakePHP, Zend, etc.
If you have your PHP application code in GitHub, then you can use their public analyzer else you can choose to download or use the cloud-based online.
With the help of Exakat, you can integrate eternal security into your application and the following.
Code review automated with more than 100 rules Compliance ready Automate your code documentation PHP 7 migration made easyWith the robust reporting, you can prioritize the remediation.
PHPStanPHPStan is a fantastic tool to find bugs as you write the code. You don’t need to run anything.
You can try the online version here .
PHPStan requires 7.1 or higher version and composer to use it. However, it is capable of discovering bugs from an older version.
PsalmBuilt on top of PHP Parser, Psalm is good to find errors and help to maintain consistency for better and secure application.
Checkmarx
Checkmarx , a cloud-based solution to find vulnerabilities in PHP code and get a recommendation on how to fix them. Every vulnerability is explained, so you understand the impact.
ProgpilotProgpilot static analyzer let you specify the analysis type like GET, POST, COOKIE, SHELL_EXEC, etc. It supports suiteCRM and CodeIgniter framework at the moment.
PHP Vulnerability HunterA fuzzer to look for vulnerabilities using static and dynamic analysis. This hunter is capable of hunting the following.
Cross-site scripting SQL injection Arbitrary file read and command execution Local file inclusion Full path disclosureThe scan is done in three phases initialization, scan and un-initialization
GrabberGrabber , a python based tool to perform hybrid analysis on aPHP-based application using PHP-SAT.
ConclusionI hope by using the above tools, you make your PHP applications more secure. All of the listed tools focus on analyzing source code and if you need more then check out open source security scanner .
Once your application is ready, then don’t forget to add a cloud-based WAF for continuous security from the edge network.