How PHP Containers Improve PHP Application Security

Maintaining PHP application security can be a daunting task, especially when you consider web applications are common targets for cybercriminals. Luckily, approaches like containerization (when done correctly) can help to decrease the attack surface of PHP applications, and, even if exploited, expose less data to bad actors. 

In this blog, we look at how teams can use PHP containers to improve PHP application security, including why teams should consider using container images within their applications, container security best practices teams should consider, and the benefits of using trusted container images like those provided by Zend.

Why Use Containers to Improve PHP Application Security?

By definition, container security is the process of implementing security tools and processes to provide strong information security for any container-based system or workload — including container images, running containers, and all the steps required to create that image and get it running somewhere.

But containerizing applications, when those containers are truly isolated, can serve to improve application security. This is because PHP containers, by virtue of their isolation, expose less of the overall application if an individual container is exploited.

It’s also important to note that while utilizing PHP containers can improve PHP application security, DevOps operators must develop expertise regarding container security best practices for the technologies they plan on using (e.g. Docker, Kubernetes, etc.), otherwise they can introduce new risks to their application(s).

The Importance of Using Secure Container Images for PHP Applications

One of the most important aspects of PHP application security when using PHP containers is ensuring the security of your base image, or golden image. Because it is used as the starting point from which you create derivative images, any security vulnerabilities or flaws found within that base container image will be carried over into derivative images. 

This means that container security starts with finding trusted sources for base images. To ensure security of your base container image, make sure the:

• Image comes from a known company or open-source group
• Image is hosted on a reputable registry
• Source code for all components in the image is available

It’s important to note that, even when using trusted container images, adding applications or making configuration changes will introduce new variables that you must take into account.

Proactive Vulnerability Management for Apps Using PHP Containers

When bringing in external content to build your apps, it’s important to keep proactive vulnerability management in mind.

This includes things like:

• Integrating native security tools used across an enterprise to meet or enhance existing network security policies across your PHP container ecosystem
• Establishing strong cloud security and application security standards
• Identifying modified container images that break policies or documented best practices — known as container misconfigurations — to reduce the likelihood and impact of potential compromises

An effective PHP container security program seeks to remediate vulnerabilities in real-time and reduce the attack surface before images are deployed. By building container security into the pipeline and defending your infrastructure, you can make sure your containers are reliable, scalable, and trusted.

When gathering container images, ask:

• Are the container images signed and from trusted sources?
• Are the runtime and operating system layers up to date?
• How quickly and how often will the container images be updated?
• Are container security risks identified, and how will they be tracked?

Zend PHP Docker Images

Zend provides pre-built PHP Docker images for Ubuntu, CentOS, Debian, Rocky, Amazon Linux 2 (Alpine Linux coming soon) in our container registry located at cr.zend.com, supporting all versions from PHP 7.2 up to PHP 8.3.

These base container images are scanned monthly for security assessments, using modern automated pipelines comprised of best-in-class security toolchains. Once a CVE is disclosed for the PHP engine or any supported pre-compiled extensions, Zend is able to issue a new patched image within days of the official release.

While a ZendPHP license is required to access patched images of end of life PHP versions (we currently offer LTS for PHP 7.2-8.0), PHP versions that are currently supported by the community (currently PHP 8.1-8.3) are available to try for free.

Back to top

About Zend PHP LTS 

If your PHP-based projects run on a PHP version no longer supported by the community, Zend can help. With LTS from Zend, you get fully patched and supported PHP builds – giving you time to upgrade your EOL PHP on your timeline.

 

Zend provides security fixes to the PHP engine and all supported extensions for PHP 7.2, PHP 7.3, PHP 7.4, and PHP 8.0 ensuring compliance to common industry standards like SOX, PCI, or HIPAA.

See LTS Options

Configuring and Orchestrating Zend PHP Container Images

Every ZendPHP image has a user/group with lower privileges already configured:

• User zendphp with UID 10000
• Group zendphp with GID 10001

This default configuration ensures teams make the conscious choice to increase privileges on derivative PHP containers only when necessary.

Note: Images for ‘php-fpm’ always run worker processes as the ‘zendphp’ user.

All images include the script ZendPHPCustomizeWithBuildArgs.sh, which can be invoked in Dockerfile extensions that build from ZendPHP base images.

The script uses build arguments to customize the PHP container image, including:

• Setting up the container's system timezone, including in PHP configuration.
• Setting up ZendPHP package repository credentials (required in order to install additional extensions).
• Installing additional system packages.
• Installing pre-packaged PHP extensions from the ZendPHP package repository.
• Installing PECL extensions.
• Installing Composer.
• Installing ‘php-fpm’ configuration, using either a development or production profile.
• Running a custom post-build script.
• Setting up the container to run as the zendphp user (instead of root).

The S6-Overlay

The S6-Overlay is a very lightweight set of utilities to improve the user experience when running containerized workflows.

It is integrated by default in every base container image distributed by Zend, with the features provided can be summarized as follows:

•    A simple init process which allows the end-user to execute tasks like initialization (cont-init.d), finalization (cont-finish.d) and their own services with dependencies between them  
•    The s6-overlay provides proper PID 1 functionality  
•    You'll never have zombie processes hanging around in your container, they will be properly cleaned up  
•    Multiple processes in a single container  
•    Able to operate in "The Docker Way"  
•    Distributed as a small number of .tar.xz files depending on what exact functionality you need - to keep your image's number of layers small  
•    A whole set of utilities included in s6 and s6-portable-utils. They include handy and composable utilities to manage processes spawning, permissions on files and folders, recurring ephemeral tasks, signals capturing, and etc.  
•    Log rotating out-of-the-box through logutil-service which uses s6-log under the hood  
•    Some support for Docker's USER directive, to run your whole process tree as a specific user.

Final Thoughts

Managing cloud-native application isn’t simple. It requires a wealth of knowledge that spans many different technological domains -- including application security. 

PHP containers, and specifically the base container images distributed by Zend, can help simplify some of the inherent complexities of container-based PHP application security. When combined with SLA-backed support delivered by Zend PHP experts, you get an easy button for keeping your PHP-based applications secure.

See Our Container Images and LTS Options

Zend PHP container images, when paired with Zend PHP LTS, make containerizing and securing your PHP-based applications easy. See our available container image and LTS options via the links below.

Visit Our Container Registry See LTS Options   
 

Additional Resources

• 101 Guide - PHP Security
• Solution - PHP Container Solutions and Services
• Registry - Zend PHP Docker Container Images
• Download - ZendPHP Terraform Template
• Download - ZendPHP Docker Template
• Webinar - The Peaks and Valleys of PHP Containerization and Orchestration
• Blog - Building a Modern Web Application: Top Architectures and Methodologies
• Blog - The DevOps Approach to Updating PHP
• Blog - The Importance of Easy to Use PHP Linux Images