The Zend Security Audit follows a comprehensive methodology developed over years of experience in analyzing Web, PHP and application vulnerabilities. The audit delivers a detailed evaluation of your PHP code for vulnerabilities, non-secure programming practices, and protection against a wide spectrum of known attack techniques. It consists of automated and manual penetration tests, attack-prone code pattern identification, and application transaction flow review.

Application Security Challenges

The average cost of a data breach increased to $7.2 M in 2010. Customer abandonment after publically exposed application data breaches is the dominant factor while reputation damages originated by security exploits take a substantial time to reverse. With a growing number of attacks and exploit methodologies, often targeting multiple functionalities and layers in a single application, it is essential for businesses to identify flaws that could lead to the exposure of sensitive information or malicious execution of undesired application behaviors. Zend's security audit provides a thorough risk assessment, based on the threat classifications defined by the Open Web Application Security Project (OWASP), to all identified coding faults and vulnerabilities. Detailed remediation recommendations are then discussed for each identified security risk.

 


The Zend Security Audit assesses a wide array of application vulnerabilities which include

  • Functional vulnerabilities

    • PHP Code Inclusion and PHP Code Evaluation
    • Shell Execution
    • SQL Injection and HTTP Header Injections
  • Cross-site Scripting (XSS) Vulnerabilities

  • Cross-site Request Forgeries (CSRF)

  • File Permission, Access Control and Installation

  • Session Management Analysis

    • Weaknesses in Session Management
    • Session Fixation and Session Hijacking
    • Usage of Secure Cookies and HTTP-only cookies
  • External Interfaces  - Database Access, WebServices, Facebook API

  • Client side Vulnerabilities (Optional)
     

Zend Security Quick Scan

The Quick Scan is a Black-Box Test, during which Zend's security engineers imitate typical techniques used by external parties trying to attack the web application without having access or knowledge of the underlying source code or the infrastructure itself.

The resulting Quick Scan report summarizes the main vulnerabilities identified. The Quick Scan automated process is included by default as part of the more extensive Security Audit. It can be taken as a preliminary step prior to performing a complete code audit.