Ensure Your Application Security with Zend
March 27, 2018

Ensure Your Application Security With Zend Server and RIPS


Zend Server is the ultimate and most secure software platform for deploying, monitoring, debugging, maintaining, and optimizing enterprise PHP applications. With Zend Server, you can easily deploy applications on multiple servers, monitor traffic and events, debug errors with code tracing, and optimize your applications' performance.

“It’s the perfect tool for building and operating professional PHP applications with a high demand in stability and reliability.” - Martin Bednorz, CTO at RIPS Technologies.

Figure 1: Zend Server - Professional PHP distribution

Protect Your Technology Stack

While Zend Server was originally designed with production applications in mind, it can also be used during the development stage for increased developer productivity, debugging, and testing PHP applications.

Zend Server keeps your technology stack up-to-date, ensuring you avoid security risks that stem from outdated components. Deploying fixes for known vulnerabilities in the stack is immensely important. Zend Server makes it simpler for companies to keep their stack secure and, with long-term support, makes this possible even if you’re not using one of the latest versions of PHP.

However, keeping the stack fully patched can only go so far. Statistically, it’s more likely hackers will use vulnerabilities in the application code - that is, the high-level code written in PHP rather than the stack on which it’s running - to get unauthorized access to your server. Popular vulnerability types such as SQL injection and cross-site scripting can enable attackers to steal sensitive user data from the server - even if the underlying stack is fully patched and rock solid. The attack surface is further increased by a variety of security pitfalls in popular coding patterns. It only takes one successful breach to put your company’s reputation and compliance at risk.

Automated Vulnerability Detection With RIPS

To help Zend Server users mitigate this risk, Rogue Wave Software, together with RIPS Technologies, developed a new Zend Server plugin to help counter attacks before they succeed.

With the RIPS Code Analysis plugin, Zend Server users can use RIPS' leading security analysis solution to scan the source code of deployed PHP applications for security problems. Developers and operators can track the security state of their applications within Zend Server and identify and resolve security risks in their source code.

RIPS is static application security testing (SAST) software that scans PHP source code for security bugs. Unlike other SAST solutions, RIPS uses static code analysis algorithms that are specifically designed for the dynamic nature of the PHP language. This enables very high precision in the automated detection of even complex security vulnerabilities with no false positive noise. On average, 200 security issues are found on initial scanning.

"RIPS is a must-have for any business-critical PHP application. It finds security pitfalls even if developers think their code is bulletproof. With the Zend Server's secured stack, this is the perfect solution for secured PHP." - Guy Harpaz, VP Zend product management at Rogue Wave Software

New Zend Server Plugin: RIPS Code Analysis

With the new RIPS Code Analysis plugin, you integrate security testing directly into Zend Server. The plugin connects to your RIPS server, allowing you to run comprehensive security checks on any PHP code: both applications that are deployed and managed by Zend Server Deployment and ones deployed using any other custom mechanisms. The analysis results are displayed in real time on the Zend Server dashboard and provide an overview of the overall security status (Figure 2).

Figure 2: RIPS - Automated vulnerability detection

For each security scan, the detected issues are grouped by severity and vulnerability type. Related industry standards are highlighted in order to quickly identify relevant non-compliance, for example with OWASP Top 10 or PCI DSS (Figure 3).

Figure 3: Overview of the applications' risk state and security threats in Zend Server.

Furthermore, security issues can be sorted by the affected file. The plugin shows exactly which security operation is executed in an insecure manner and which input parameter could be used by an attacker to exploit the security flaw (Figure 4). More technical insights, such as a summary of the affected PHP code lines and a detailed issue description for quick verification and remediation, can be found in the referenced RIPS dashboard.

Figure 4: Issue breakdown by vulnerability type, severity, and industry standards.

Figure 5: Vulnerability details about the affected file, security-sensitive operation, and affected input parameter.

Integrating RIPS into Zend Server is the ideal combination to ensure your applications run smoothly and stably, while at the same time critical security holes or backdoors are addressed immediately.