The Zend Security Audit follows a comprehensive methodology developed over years of experience in analyzing Web, PHP and application vulnerabilities. The audit delivers a detailed evaluation of your PHP code for vulnerabilities, non-secure programming practices, and protection against a wide spectrum of known attack techniques. It consists of automated and manual penetration tests, attack-prone code pattern identification, and application transaction flow review.
The average cost of a data breach increased to $7.2 M in 2010. Customer abandonment after publically exposed application data breaches is the dominant factor while reputation damages originated by security exploits take a substantial time to reverse. With a growing number of attacks and exploit methodologies, often targeting multiple functionalities and layers in a single application, it is essential for businesses to identify flaws that could lead to the exposure of sensitive information or malicious execution of undesired application behaviors. Zend's security audit provides a thorough risk assessment, based on the threat classifications defined by the Open Web Application Security Project (OWASP), to all identified coding faults and vulnerabilities. Detailed remediation recommendations are then discussed for each identified security risk.
The Zend Security Audit assesses a wide array of application vulnerabilities which include
Cross-site Scripting (XSS) Vulnerabilities
Cross-site Request Forgeries (CSRF)
File Permission, Access Control and Installation
Session Management Analysis
External Interfaces - Database Access, WebServices, Facebook API
Client side Vulnerabilities (Optional)
The Quick Scan is a Black-Box Test, during which Zend's security engineers imitate typical techniques used by external parties trying to attack the web application without having access or knowledge of the underlying source code or the infrastructure itself.
The resulting Quick Scan report summarizes the main vulnerabilities identified. The Quick Scan automated process is included by default as part of the more extensive Security Audit. It can be taken as a preliminary step prior to performing a complete code audit.