Zend Server is the ultimate and most secure software platform for deploying, monitoring, debugging, maintaining, and optimizing enterprise PHP applications. It also helps to keep the technology stack up-to-date and to avoid security risks that stem from outdated components. However, most of the daily web attacks try to exploit security bugs in the applications’ source code. Popular vulnerability types such as SQL injection and cross-site scripting can enable attackers to steal sensitive user data from the server. The attack surface is further increased by a variety of PHP-specific security pitfalls. A single successful breach puts a company’s reputation and compliance at danger.

Rogue Wave Software developed together with RIPS Technologies a new Zend Server plugin that helps to counter attacks before they can succeed. With the RIPS Code Analysis plugin, Zend Server users can now scan the source code of deployed PHP applications for security problems by using RIPS leading security analysis solution. It enables developers and operators to track the security state of their applications within Zend Server and to identify and resolve security risks in their source code. On average, 200 security issues are found on initial scanning.

Introducing Zend Server - Professional PHP Distribution

Zend Server can be used either in development stage for debugging and testing PHP applications, or in production stage to monitor and isolate problems. With Zend Server you can easily deploy applications on multiple servers. You can then monitor traffic and events, debug errors and bugs with code tracing, and optimize the performance.

“It’s the perfect tool for building and operating professional PHP applications with a high demand in stability and reliability.” – Martin Bednorz, CTO at RIPS Technologies.

Introducing RIPS - Automated Vulnerability Detection

RIPS is a static application security testing (SAST) software that scans PHP source code for security bugs. Unlike other SAST solutions, RIPS uses static code analysis algorithms that are specifically designed for the dynamic nature of the PHP language. This enables a very high precision in the automated detection of even complex security vulnerabilities with no false positive noise.

“RIPS is a must have for any PHP application. It finds security pitfalls even if developers think their code is bullet proof. With the Zend Server’s secured stack, this is the perfect solution for secured PHP.” – Guy Harpaz, VP Zend product management at Rogue Wave Software.

New Zend Server Plugin: RIPS Code Analysis

With the new RIPS Code Analysis plugin you can integrate security testing directly into Zend Server. The plugin connects to your RIPS server and allows you to run comprehensive security checks on any PHP code, no matter whether it has been deployed by the Zend Server Deployment feature or by a custom mechanism provided by the Ops team. The analysis results are displayed in real-time in Zend Server’s dashboard and provide an overview of the overall security status (Figure 2).

For each security scan, the detected issues are grouped by severity and vulnerability type. Related industry standards are highlighted in order to quickly identify relevant non-compliance, for example with OWASP Top 10 or PCI DSS (Figure 3).

Furthermore, security issues can be listed by the affected file. The plugin shows exactly what security operation is executed in an insecure manner and which input parameter could be used by an attacker to exploit the security flaw (Figure 4). More technical insights, such as a summary of the affected PHP code lines and a detailed issue description for quick verification and remediation can be found in the referenced RIPS dashboard.

Integrating RIPS into Zend Server is the ideal combination that helps to ensure that your applications run smooth and stable, while at the same time critical security holes or backdoors are addressed immediately.