Find security risk and code quality in your PHP application.
PHP rule the web with around 80% of the market share. It’s everywhere – WordPress, Joomla, Lavarel, Drupal, etc.
PHP core is secure but there are a lot more on top of this which you might be using, and that might be vulnerable. After the development of a site or complex web application, most of the developers and site owner focus on functionality, design, SEO and they forget the essential component – security.
As a best practice, you should consider performing a security scan against your application before going live. This applies to any sites – small or big. There are some tools to help you with that.
PHP Malware Finder (PMF) is a self-hosted solution to help you find possible malicious codes in the files. It is known to detect dodgy, encoders, obfuscators, webshells code.
PMF leverage YARA, so you need that as a pre-requisite to run the test.
RIPS is one of the popular PHP static code analysis tools to be integrated through the development lifecycle to find security issues in the real-time. You can categorize the finding by industry compliance and standard to prioritize the fixes.
- OWASP Top 10
- SANS Top 25
Let’s take a look at some of the following features.
- Pinpoint risk based on severity and option to define weights for critical, high, medium and low.
- Collaborate the investigation and prioritize the issue
- Understand the vulnerability impact
- Evaluate security risk between old and new code
- Create a to-do list and assign tasks using the ticketing system
RIPS let you export scan results report into multiple formats – PDF, CSV and other by using RESTful API.
It is available as a self-hosted and SaaS model. So choose what works for you.
SonarPHP by SonarSource uses pattern matching, data flow techniques to find vulnerabilities in PHP codes. It is a static code analyzer and integrates with Eclipse, IntelliJ.
SonarSource checks the code against more than 140 rules, and it also supports custom rules written in Java.
composer.lock file to check for known security risk. Checker is available in three ways.
- Online – you upload your composer file to perform a test
- CLI – download the tool to use it locally or integrate within the development lifecycle
- API – use web service to check vulnerabilities. Results are available in text and JSON format.
An exciting stats shows 9% of total checks had one or more known vulnerabilities.
A real-time static code analyzer engine to check compliance, risk and reinforce best practices. Exakat got more than 300 analyzers dedicated to PHP. There are framework specific analyzers like WordPress, CakePHP, Zend, etc.
If you have your PHP application code in GitHub, then you can use their public analyzer else you can choose to download or use the cloud-based online.
With the help of Exakat, you can integrate eternal security into your application and the following.
- Code review automated with more than 100 rules
- Compliance ready
- Automate your code documentation
- PHP 7 migration made easy
With the robust reporting, you can prioritize the remediation.
PHPStan is a fantastic tool to find bugs as you write the code. You don’t need to run anything.
You can try the online version here.
PHPStan requires 7.1 or higher version and composer to use it. However, it is capable of discovering bugs from an older version.
Built on top of PHP Parser, Psalm is good to find errors and help to maintain consistency for better and secure application.
Checkmarx, a cloud-based solution to find vulnerabilities in PHP code and get a recommendation on how to fix them. Every vulnerability is explained, so you understand the impact.
Progpilot static analyzer let you specify the analysis type like GET, POST, COOKIE, SHELL_EXEC, etc. It supports suiteCRM and CodeIgniter framework at the moment.
PHP Vulnerability Hunter
A fuzzer to look for vulnerabilities using static and dynamic analysis. This hunter is capable of hunting the following.
- Cross-site scripting
- SQL injection
- Arbitrary file read and command execution
- Local file inclusion
- Full path disclosure
The scan is done in three phases – initialization, scan and un-initialization
Grabber, a python based tool to perform hybrid analysis on a PHP-based application using PHP-SAT.
I hope by using the above tools, you make your PHP applications more secure. All of the listed tools focus on analyzing source code and if you need more then check out open source security scanner.
Once your application is ready, then don’t forget to add a cloud-based WAF for continuous security from the edge network.