Find security risk and code quality in your PHP application.

PHP rules the web, with around 80% of the market share. It’s everywhere – WordPress, Joomla, Lavarel, Drupal, etc.

PHP core is secure, but there are a lot more on top of this, which you might be using, and that might be vulnerable. After the development of a site or complex web application, most of the developers and site owners focus on functionality, design, SEO, and they forget the essential component – security.

As a best practice, you should consider performing a security scan against your application before going live. This applies to any site – small or big. There are some tools to help you with that.

PMF

PHP Malware Finder (PMF) is a self-hosted solution to help you find possible malicious codes in the files. It is known to detect dodgy, encoders, obfuscators, web shellcode.

PMF leverage YARA, so you need that as a pre-requisite to run the test.

RIPS

RIPS is one of the popular PHP static code analysis tools to be integrated through the development lifecycle to find security issues in real-time. You can categorize the finding by industry compliance and standard to prioritize the fixes.

  • OWASP Top 10
  • SANS Top 25
  • PCI-DSS
  • HIPPA

Let’s take a look at some of the following features.

  • Pinpoint risk based on severity and option to define weights for critical, high, medium, and low.
  • Collaborate the investigation and prioritize the issue
  • Understand the vulnerability impact
  • Evaluate security risk between old and new code
  • Create a to-do list and assign tasks using the ticketing system

RIPS lets you export scan results report into multiple formats – PDF, CSV, and others by using RESTful API.

It is available as a self-hosted and SaaS model. So choose what works for you.

SonarPHP

SonarPHP by SonarSource uses pattern matching, data flow techniques to find vulnerabilities in PHP codes. It is a static code analyzer and integrates with Eclipse, IntelliJ.

SonarSource checks the code against more than 140 rules, and it also supports custom rules written in Java.

Exakat

A real-time static code analyzer engine to check compliance, risk, and reinforce best practices. Exakat got more than 450 analyzers dedicated to PHP. There are framework-specific analyzers like WordPress, CakePHP, Zend, etc.

If you have your PHP application code in GitHub, then you can use their public analyzer else you can choose to download or use the cloud-based online.

With the help of Exakat, you can integrate eternal security into your application and the following.

  • Code review automated with more than 100 rules
  • Compliance ready
  • Automate your code documentation
  • PHP 7 migration made easy

With the robust reporting, you can prioritize the remediation.

PHPStan

PHPStan is a fantastic tool to find bugs as you write the code. You don’t need to run anything.

You can try the online version here.

PHPStan requires 7.1 or higher version and composer to use it. However, it is capable of discovering bugs from an older version.

Psalm

Built on top of PHP Parser, Psalm is good to find errors and help to maintain consistency for a better and secure application.

Progpilot

Progpilot static analyzer lets you specify the analysis type like GET, POST, COOKIE, SHELL_EXEC, etc. It supports suiteCRM and CodeIgniter framework at the moment.

PHP Vulnerability Hunter

A fuzzer to look for vulnerabilities using static and dynamic analysis. This hunter is capable of hunting the following.

  • Cross-site scripting
  • SQL injection
  • Arbitrary  file read and command execution
  • Local file inclusion
  • Full path disclosure

The scan is done in three phases – initialization, scan and un-initialization

Grabber

Grabber, a python based tool to perform hybrid analysis on a PHP-based application using PHP-SAT. Grabber is also available on Kali Linux.

Symfony

Security Monitoring by Symfony works with any PHP project using the composer. It is a PHP security advisory database for known vulnerabilities. You can either use PHP-CLI, Symfony-CLI, or web-based to check composer.lock for any known issues with the libraries you are using in the project.

Symfony also offers a security notification service. That means you can upload your composer.lock file, and whenever in future any used libraries found to be vulnerable, you will get notified.

Conclusion

I hope by using the above tools, you make your PHP applications more secure. All of the listed tools focus on analyzing source code, and if you need more, then check out an open-source security scanner.

Once your application is ready, then don’t forget to add a cloud-based WAF for continuous security from the edge network.