Zend Security Audit
The security audit follows a comprehensive methodology developed over years of experience in analyzing Web, PHP and application vulnerabilities. The audit delivers a detailed evaluation of your PHP code for vulnerabilities, insecure programming practices and protection against a wide spectrum of known attack techniques. It consists of automated and manual penetration tests, attack prone code pattern identification and application transaction flow review.
Application Security Challenges
The average cost of a data breach has increased to $7.2 M in 2010. Customer abandonment after publically exposed application data breaches is the dominant factor while reputaiton damages originated by security expolits take a substantial time to reverse. With growing number of attacks and exploit methodologies, often targeting multiple functionalities and layers in a single appplication, it is essential for business to identify flaws that could lead to the exposure of sensitive information or melicious execution of undesired application behaviors. Zend’s security audit provides a thorough risk assessment based on the threat classifications defined by the Open Web Application Security Project (OWASP), to all identified coding faults and vulnerabilities. Detailed remediation recommendations are then discussed for each identified security risk.
The security audit assesses a wide array of application vulnerabilities which include:
- Functional vulnerabilities
- PHP Code Inclusion and PHP Code Evaluation
- Shell Execution
- SQL Injection and HTTP Header Injections
- Cross Site Scripting (XSS) Vulnerabilities
- Cross Site Request Forgeries (CSRF)
- File permission, Access control and Installation
- Session Management Analysis
- Weaknesses in the Session management
- Session Fixation and Session Hijacking
- Usage of secure cookies and HttpOnly cookies
- External Interfaces - Database Access, WebServices, Facebook API
- Client side vulnerabilities (Optional)
Zend Security Quick Scan
Zend also offers a quick overview of the security state of the application by performing a remote Security Quick Scan. The Quick Scan will review your application using automated tools to identify coding patterns that can lead to common vulnerabilities.
The Quick Scan is a Black-Box-Test, where Zend’s security engineers imitate typical techniques used by external parties trying to attack the web application without having access or knowledge of the underlying source code or the infrastructure itself.
The Quick Scan will result in a document summarizing the main vulnerabilities identified during the Scan. The Quick Scan automated process is included by default as part of the more extensive Security Audit and can be a preliminary steps prior to performing with a complete code audit.