Maintaining PHP application security can be a daunting task, especially when you consider web applications are common targets for cybercriminals. Luckily, approaches like containerization (when done correctly) can help to decrease the attack surface of PHP applications, and, even if exploited, expose less data to bad actors.
In this blog, we look at how teams can use containers to improve PHP application security, including why teams should consider containerizing their applications, container security best practices teams should consider, and the benefits of using trusted container images like those provided by Zend.
By definition, container security is the process of implementing security tools and processes to provide strong information security for any container-based system or workload — including the container image, the running container, and all the steps required to create that image and get it running somewhere.
But containerizing applications, when those containers are truly isolated, can serve to improve application security. This is because containers, by virtue of their isolation, expose less of the overall application if an individual container is exploited.
It’s also important to note that while containerizing can improve PHP application security, DevOps operators must develop expertise regarding security best practices for the technologies they plan on using (e.g. Docker, Kubernetes, etc.), otherwise they can introduce new risks to their application(s).
One of the most important aspects of PHP application security when using containers is ensuring the security of your base image, or golden image. Because it is used as the starting point from which you create derivative images, any security vulnerabilities or flaws found within that base image will be carried over into derivative images.
This means that container security starts with finding trusted sources for base images. To ensure security of your base image, make sure the:
It’s important to note that, even when using trusted images, adding applications or making configuration changes will introduce new variables that you must take into account.
When bringing in external content to build your apps, it’s important to keep proactive vulnerability management in mind.
This includes things like:
An effective container security program seeks to remediate vulnerabilities in real time and to reduce the attack surface before images are deployed. By building security into the container pipeline and defending your infrastructure, you can make sure your containers are reliable, scalable, and trusted.
When gathering container images, ask:
Zend provides pre-built PHP Docker images for Ubuntu, CentOS, Debian, Rocky, and Amazon Linux 2 (Alpine Linux coming soon) in our container registry at cr.zend.com, supporting all PHP versions from 7.2 up to 8.2.
These base images are scanned monthly for security assessments, using modern automated pipelines composed of best-in-class security toolchains. Once a CVE is disclosed for the PHP engine or any supported pre-compiled extension, Zend is able to issue a new patched image within days of the official release.
While a ZendPHP license is required to access patched images of end-of-life PHP versions (we currently offer LTS for PHP 7.2-7.4), PHP versions that are currently supported by the community (currently PHP 8.0-8.2) are available to try for free.
About Zend PHP LTS
If your PHP-based projects run on a PHP version no longer supported by the community, Zend can help. With LTS from Zend, you get fully patched and supported PHP builds – giving you time to upgrade your EOL PHP on your timeline.
Zend provides security fixes to the PHP engine and all supported extensions for PHP 7.2, PHP 7.3 and PHP 7.4, ensuring compliance with common industry standards like SOX, PCI, or HIPAA.
See LTS Options
Every ZendPHP image has a user/group with lower privileges already configured:
This default configuration ensures teams make the conscious choice to increase privileges on derivative containers only when necessary.
Note: Images for ‘php-fpm’ always run worker processes as the ‘zendphp’ user.
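The two points above, a trusted and pinned base image and a final stage that does not run as root, are the ones most often lost when a team writes its own derivative Dockerfile. The following script is an added example, not code from the original post or from Zend: it audits a Dockerfile for exactly those properties before the image is built. The trusted-registry list, the image path `cr.zend.com/example/zendphp`, the digest and the sample Dockerfiles are all constructed for the example (the page names the registry but not the repository paths).

```python
import re

# Assumption: the post names cr.zend.com as Zend's registry; extend this set with your own registries.
TRUSTED_REGISTRIES = frozenset({"cr.zend.com"})

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def logical_lines(dockerfile):
    """Yield Dockerfile instructions with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_image_ref(ref):
    """Split 'registry/name:tag@sha256:...' into (registry, name, tag, digest); absent parts are None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = None
    # The first path component is a registry only if it looks like a host (has '.', ':' or is localhost).
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts[0]
        ref = "/".join(parts[1:])
    tag = None
    if ":" in ref.rsplit("/", 1)[-1]:
        ref, tag = ref.rsplit(":", 1)
    return registry, ref, tag, digest


def is_root_user(user):
    """USER accepts 'name', 'name:group', 'uid' or 'uid:gid'; root is the name 'root' or uid 0."""
    return user.split(":", 1)[0] in ("root", "0")


def audit_dockerfile(dockerfile, trusted=TRUSTED_REGISTRIES):
    """Return a list of findings; an empty list means every base image is trusted and
    digest-pinned and the final stage ends running as an unprivileged user."""
    findings = []
    aliases = set()
    final_user = None   # last USER directive seen in the current (ultimately final) stage
    saw_from = False
    for line in logical_lines(dockerfile):
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.group(1), m.group(2)
            saw_from = True
            final_user = None   # each stage starts as root again unless USER is set
            if alias:
                aliases.add(alias.lower())
            if ref.lower() in aliases or ref.lower() == "scratch":
                continue        # reference to an earlier stage or the empty image: nothing to pin
            registry, _name, tag, digest = parse_image_ref(ref)
            if registry not in trusted:
                findings.append(f"FROM {ref}: registry {registry or 'docker.io (implicit)'} is not in the trusted list")
            if digest is None or not DIGEST_RE.match(digest):
                if tag is None or tag == "latest":
                    findings.append(f"FROM {ref}: floating tag, not pinned by digest")
                else:
                    findings.append(f"FROM {ref}: mutable tag only, not pinned by digest")
            continue
        m = USER_RE.match(line)
        if m:
            final_user = m.group(1)
    if not saw_from:
        findings.append("no FROM instruction found")
    elif final_user is None:
        findings.append("final stage has no USER directive, processes will run as root")
    elif is_root_user(final_user):
        findings.append(f"final stage ends with USER {final_user}, processes will run as root")
    return findings


# Constructed samples: the image path and digest are placeholders, not real Zend artifacts.
FAKE_DIGEST = "sha256:" + "0" * 64
HARDENED = f"""\
# derivative image: trusted registry, digest-pinned, unprivileged user (as the base images ship)
FROM cr.zend.com/example/zendphp:8.2@{FAKE_DIGEST}
COPY --chown=zendphp:zendphp . /var/www/app
USER zendphp
CMD ["php-fpm"]
"""
UNPINNED_ROOT = """\
FROM php:latest
RUN apt-get update && \\
    apt-get install -y curl
USER root
CMD ["php", "-S", "0.0.0.0:8080"]
"""
NO_USER = f"""\
FROM cr.zend.com/example/zendphp:8.2@{FAKE_DIGEST} AS runtime
COPY . /var/www/app
"""

if __name__ == "__main__":
    for name, text in (("HARDENED", HARDENED), ("UNPINNED_ROOT", UNPINNED_ROOT), ("NO_USER", NO_USER)):
        print(name, audit_dockerfile(text) or "OK")
```

Run it as a pre-build gate in the pipeline: a non-empty findings list should fail the build, which is how the conscious choice to raise privileges or to pull from an unvetted registry becomes visible in review rather than discovered in production.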
All images include the script ZendPHPCustomizeWithBuildArgs.sh, which can be invoked in Dockerfile extensions that build from ZendPHP base images.
The script uses build arguments to customize the image, including:
The S6-Overlay is a very lightweight set of utilities to improve the user experience when running containerized workflows.
It is integrated by default in every base image distributed by Zend, and the features it provides can be summarized as follows:
• A simple init process which allows the end user to execute tasks like initialization (cont-init.d), finalization (cont-finish.d) and their own services, with dependencies between them
• Proper PID 1 functionality
• No zombie processes hanging around in your container; they will be properly cleaned up
• Multiple processes in a single container
• Able to operate in "The Docker Way"
• Distributed as a small number of .tar.xz files depending on what exact functionality you need, to keep your image's number of layers small
• A whole set of utilities included in s6 and s6-portable-utils: handy and composable utilities to manage process spawning, permissions on files and folders, recurring ephemeral tasks, signal capturing, etc.
• Log rotation out of the box through logutil-service, which uses s6-log under the hood
• Some support for Docker's USER directive, to run your whole process tree as a specific user
Managing cloud-native applications isn’t simple. It requires a wealth of knowledge that spans many different technological domains, including application security.
Containers, and specifically the base images distributed by Zend, can help simplify some of the inherent complexities of container-based PHP application security. When combined with SLA-backed support delivered by Zend PHP experts, you get an easy button for keeping your PHP-based applications secure.
See Our Container Images and LTS Options
Zend PHP container images, when paired with Zend PHP LTS, make containerizing and securing your PHP-based applications easy. See our available container image and LTS options via the links below.
Visit Our Container Registry
See LTS Options
Massimiliano Cavicchioli is a Software Architect at Zend. He has over 20 years of experience in the tech world, 16 of which he spent contributing to the PHP ecosystem at Zend. During his many years of providing consultation to enterprise corporations, Massi has developed a wealth of tangible knowledge — making him highly capable in helping companies achieve best practices in both PHP and OSS.