Developers are in love with PHP. But is your vulnerability scanner efficient at dealing with it?
Today, about 80% of websites use PHP in one form or another.
In fact, the world’s leading content management systems, including WordPress and Joomla, rely on it. When looking for vulnerability scanners, it is critical to understand that the tool should handle PHP well.
While the PHP core is essentially secure, we are looking at dozens of added functionalities and design elements that can compromise your business.
We’re listing five such tools with a free basic plan to help you get started.
1. PHP Malware Finder
If you’ve ever installed a theme on WordPress, you know the problems an infected one brings. Random ads, redirects and popups make it difficult for visitors to navigate the site.
PHP Malware Finder is a simple, free, and efficient tool to spot malware. It is available on GitHub and requires some technical knowledge to understand the findings and to deal with them. The makers promote it as a website cleaner, but it is limited to malware and isn’t recommended for any other kind of scanning.
2. Mister Scanner
When it comes to simplicity of scanning, there is nothing better than Mr. Scanner. This tool is capable of dealing with a number of security issues in PHP websites, including malware, OWASP and SANS vulnerabilities, business logic flaws and more.
However, the best thing about this tool is the reporting. From non-technical marketing staff to seasoned developers, everyone can understand the impact of security loopholes and why they need to be fixed as a priority. Mister Scanner specializes in PHP-based sites, including those on WordPress and Joomla.
3. RIPS Tech
RIPS is one of the specialists in static code analysis for Java and PHP-based web applications. The company claims to offer solid scanning technology during and after development cycles to ensure that your code is secure at every stage.
Described as an easy-to-integrate DevOps tool for managing risks and vulnerabilities, RIPS offers meaningful insights. You might like the simple interface for displaying security loopholes.
On the flip side, the tool’s security scoring is often criticized for not being very accurate. Moreover, the analysis reports aren’t useful for people from non-technical backgrounds. There is a product tour and a free trial that will help you understand the features of the product.
4. Grabber
However, if you are not a developer or security enthusiast, the results and recommendations would most likely be incomprehensible. Also, Grabber isn’t a good choice for huge sites due to the limited capabilities of the 2019 beta version.
5. Exakat
If there is one tool built exclusively for PHP vulnerabilities, it has to be Exakat. With more than 300 tests dedicated to PHP security issues, this downloadable tool offers real-time static code analysis within a few hours. The dashboard offers great insights into compliance, best practices and the prevalent risks on your site.
Exakat is an open source PHP code analysis engine with an open content rules library designed for PHP developers. Understandably, it lacks the support features that you might get with some of the ‘more commercial’ tools on the list.
Do you have any other tools? Leave a comment below and we will try to review them. If you are looking for comprehensive scanning for OWASP, SANS and other vulnerabilities, here’s a list of the most popular tools that go above and beyond PHP.