BreadcrumbHomeResourcesBlog Using Containers To Improve PHP Application Security March 23, 2023 Using Containers to Improve PHP Application SecurityPHP DevelopmentBy Massimiliano CavicchioliMaintaining PHP application security can be a daunting task, especially when you consider web applications are common targets for cybercriminals. Luckily, approaches like containerization (when done correctly) can help to decrease the attack surface of PHP applications, and, even if exploited, expose less data to bad actors. In this blog, we look at how teams can use containers to improve PHP application security, including why teams should consider containerizing their applications, container security best practices teams should consider, and the benefits of using trusted container images like those provided by Zend.Table of ContentsWhy Use Containers to Improve PHP Application Security?The Importance of Using Secure Container Images for PHP ApplicationsProactive Vulnerability Management for Containerized PHPZend PHP Docker ImagesAbout Zend PHP LTS Configuring and Orchestrating Zend PHP Container ImagesFinal ThoughtsTable of Contents1 - Why Use Containers to Improve PHP Application Security?2 - The Importance of Using Secure Container Images for PHP Applications3 - Proactive Vulnerability Management for Containerized PHP4 - Zend PHP Docker Images5 - About Zend PHP LTS 6 - Configuring and Orchestrating Zend PHP Container Images7 - Final ThoughtsBack to topWhy Use Containers to Improve PHP Application Security?By definition, container security is the process of implementing security tools and processes to provide strong information security for any container-based system or workload — including the container image, the running container, and all the steps required to create that image and get it running somewhere.But containerizing applications, when those containers are truly isolated, can serve to improve application security. This is because containers, by virtue of their isolation, expose less of the overall application if an individual container is exploited.It’s also important to note that while containerizing can improve PHP application security, DevOps operators must develop expertise regarding security best practices for the technologies they plan on using (e.g. Docker, Kubernetes, etc.), otherwise they can introduce new risks to their application(s).Back to topThe Importance of Using Secure Container Images for PHP ApplicationsOne of the most important aspects of PHP application security when using containers is ensuring the security of your base image, or golden image. Because it is used as the starting point from which you create derivative images, any security vulnerabilities or flaws found within that base image will be carried over into derivative images. This means that container security starts with finding trusted sources for base images. To ensure security of your base image, make sure the:Image comes from a known company or open-source groupImage is hosted on a reputable registrySource code for all components in the image is availableIt’s important to note that, even when using trusted images, adding applications or making configuration changes will introduce new variables that you must take into account.Back to topProactive Vulnerability Management for Containerized PHPWhen bringing in external content to build your apps, it’s important to keep proactive vulnerability management in mind.This includes things like:Integrating native security tools used across an enterprise to meet or enhance existing network security policies across your container ecosystemEstablishing strong cloud security and application security standardsIdentifying modified container images that break policies or documented best practices — known as container misconfigurations — to reduce the likelihood and impact of potential compromisesAn effective container security program seeks to remediate vulnerabilities in real-time and reduce the attack surface before images are deployed. By building security into the container pipeline and defending your infrastructure, you can make sure your containers are reliable, scalable, and trusted.When gathering container images, ask:Are the container images signed and from trusted sources?Are the runtime and operating system layers up to date?How quickly and how often will the container be updated?Are security risks identified, and how will they be tracked?Back to topZend PHP Docker ImagesZend provides pre-built PHP Docker images for Ubuntu, CentOS, Debian, Rocky, Amazon Linux 2 (Alpine Linux coming soon) in our container registry located at cr.zend.com, supporting all versions from PHP 7.2 up to PHP 8.3.These base images are scanned monthly for security assessments, using modern automated pipelines comprised of best-in-class security toolchains. Once a CVE is disclosed for the PHP engine or any supported pre-compiled extensions, Zend is able to issue a new patched image within days of the official release.While a ZendPHP license is required to access patched images of end of life PHP versions (we currently offer LTS for PHP 7.2-8.0), PHP versions that are currently supported by the community (currently PHP 8.1-8.3) are available to try for free.Back to topAbout Zend PHP LTS If your PHP-based projects run on a PHP version no longer supported by the community, Zend can help. With LTS from Zend, you get fully patched and supported PHP builds – giving you time to upgrade your EOL PHP on your timeline. Zend provides security fixes to the PHP engine and all supported extensions for PHP 7.2, PHP 7.3, PHP 7.4, and PHP 8.0 ensuring compliance to common industry standards like SOX, PCI, or HIPPA.See LTS OptionsBack to topConfiguring and Orchestrating Zend PHP Container ImagesEvery ZendPHP image has a user/group with lower privileges already configured:User zendphp with UID 10000Group zendphp with GID 10001This default configuration ensures teams make the conscious choice to increase privileges on derivative containers only when necessary.Note: Images for ‘php-fpm’ always run worker processes as the ‘zendphp’ user.All images include the script ZendPHPCustomizeWithBuildArgs.sh, which can be invoked in Dockerfile extensions that build from ZendPHP base images.The script uses build arguments to customize the image, including:Setting up the container's system timezone, including in PHP configuration.Setting up ZendPHP package repository credentials (required in order to install additional extensions).Installing additional system packages.Installing pre-packaged PHP extensions from the ZendPHP package repository.Installing PECL extensions.Installing Composer.Installing ‘php-fpm’ configuration, using either a development or production profile.Running a custom post-build script.Setting up the container to run as the zendphp user (instead of root).The S6-OverlayThe S6-Overlay is a very lightweight set of utilities to improve the user experience when running containerized workflows.It is integrated by default in every base image distributed by Zend, with the features provided can be summarized as follows:• A simple init process which allows the end-user to execute tasks like initialization (cont-init.d), finalization (cont-finish.d) and their own services with dependencies between them • The s6-overlay provides proper PID 1 functionality • You'll never have zombie processes hanging around in your container, they will be properly cleaned up • Multiple processes in a single container • Able to operate in "The Docker Way" • Distributed as a small number of .tar.xz files depending on what exact functionality you need - to keep your image's number of layers small • A whole set of utilities included in s6 and s6-portable-utils. They include handy and composable utilities to manage processes spawning, permissions on files and folders, recurring ephemeral tasks, signals capturing, and etc. • Log rotating out-of-the-box through logutil-service which uses s6-log under the hood • Some support for Docker's USER directive, to run your whole process tree as a specific user.Back to topFinal ThoughtsManaging cloud-native application isn’t simple. It requires a wealth of knowledge that spans many different technological domains -- including application security. Containers, and specifically the base images distributed by Zend, can help simplify some of the inherent complexities of container-based PHP application security. When combined with SLA-backed support delivered by Zend PHP experts, you get an easy button for keeping your PHP-based applications secure.See Our Container Images and LTS OptionsZend PHP container images, when paired with Zend PHP LTS, make containerizing and securing your PHP-based applications easy. See our available container image and LTS options via the links below.Visit Our Container RegistrySee LTS Options Additional ResourcesSolution - PHP Container Solutions and ServicesSolution - Zend PHP Consulting ServicesSolution - Zend PHP Security and Consulting ServicesRegistry - Zend PHP Docker Container ImagesDownload - ZendPHP Terraform TemplateDownload - ZendPHP Docker TemplateWebinar - The Peaks and Valleys of PHP Containerization and OrchestrationBlog - Building a Modern Web Application: Top Architectures and MethodologiesBlog - The DevOps Approach to Updating PHPBlog - The Importance of Easy to Use PHP Linux ImagesBlog - Everything You Need to Know About Maintaining PHP ComplianceBlog - How to Assess and Prevent PHP VulnerabilitiesBlog - 6 PHP Security Best PracticesBlog - Introducing the New Zend Alpine Linux PHP ImagesBack to top
Massimiliano Cavicchioli Software Architect Massimiliano Cavicchioli is a Software Architect at Zend. He has over 20 years of experience in the tech world, 16 of which he spent contributing to the PHP ecosystem at Zend. During his many years of providing consultation to enterprise corporations, Massi has developed a wealth of tangible knowledge — making him highly capable in helping companies achieve best practices in both PHP and OSS.
