Brian Sowers, Senior Technical Product Manager, Contrast Security
Brian spent 14 years in security monitoring and software engineering roles focused primarily on .NET web applications. He has worked for large technology and media companies, small startups, regulatory agencies, and many others in between. He is passionate about building applications that bridge the gap between security and engineering.
Contrast is pleased to announce that Assess and SCA support is now available for PHP applications. Although PHP represents a substantial part of server-side application development, it has been largely neglected by security automation tools currently on the market. Our customers and partners have expressed that they want us to bring the capabilities of Contrast to their PHP applications, and we’ve listened.
Our initial support for PHP is focused on the Laravel framework, widely considered the most popular MVC framework for PHP developers. Its main repository has 69,000 stars on GitHub, more than twice that of its closest competitor. In the most recent JetBrains survey, 67% of all PHP developers reported using Laravel regularly. Laravel has played a major role in bringing PHP into the modern software engineering mainstream with its first-class support for dependency injection, its routing library, and its ORM integration.
The Contrast PHP agent is implemented as a PHP extension. To use it, simply install the agent package on your server, enable the agent extension, and set the required configuration and authentication settings. Once configured, use your existing processes to perform manual and/or automated tests that exercise your instrumented application, which lets the agent detect and report vulnerabilities. No specific security tests are needed: the agent detects insecure handling of a request whether or not the payload is actually malicious.
By leveraging function hooks, the Contrast agent can observe relevant function calls, trace data through the call stack, and determine when the application has handled user-controlled data in an insecure manner. It detects a wide variety of vulnerabilities, including SQL injection, OS command injection, path traversal, and reflected XSS (this is a non-exhaustive list).
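A toy model of the source, propagation and sink hooks described above, added here as an illustration and not Contrast's agent code; the hook names, the "user-controlled" tag and the "cmd-injection" rule name are assumptions. It shows why a benign payload is still reported: the finding is about the data flow, not the payload.

```python
# Minimal model of IAST-style taint tracking: request input is tagged as
# user-controlled, the tag survives string operations, and a hooked sink
# reports a finding when tagged data reaches it without a sanitizer.
# Constructed illustration only, not Contrast's implementation.
from dataclasses import dataclass


@dataclass
class Tainted:
    value: str
    tags: frozenset = frozenset()   # e.g. {"user-controlled"}
    trace: tuple = ()               # hooked functions the data passed through

    def __add__(self, other):
        # Propagation hook: concatenation carries taint and trace forward.
        o = other if isinstance(other, Tainted) else Tainted(str(other))
        return Tainted(self.value + o.value, self.tags | o.tags,
                       self.trace + o.trace)


def request_input(params, name):
    """Source hook: anything read from the request is user-controlled."""
    return Tainted(params[name], frozenset({"user-controlled"}),
                   (f"request_input({name!r})",))


def escape_shell_arg(t):
    """Sanitizer hook: output is safe for the shell sink, so the tag is cleared."""
    return Tainted("'" + t.value.replace("'", "'\\''") + "'", frozenset(),
                   t.trace + ("escape_shell_arg",))


def shell_exec(cmd, findings):
    """Sink hook: record a finding if user-controlled data reaches the sink.
    The real sink would run cmd.value here; the model only reports."""
    if isinstance(cmd, Tainted) and "user-controlled" in cmd.tags:
        findings.append({"rule": "cmd-injection", "sink": "shell_exec",
                         "flow": cmd.trace + ("shell_exec",)})


def ping_handler(params, sanitize):
    """Request handler under test; returns the findings the hooks produced."""
    findings = []
    host = request_input(params, "host")          # source
    if sanitize:
        host = escape_shell_arg(host)             # sanitizer clears taint
    shell_exec(Tainted("ping -c 1 ") + host, findings)  # propagation -> sink
    return findings
```

With a harmless host such as `example.com` the unsanitized handler is still reported, because the flow from request to sink is what the hooks observe.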
We are excited that our PHP agent is securing our clients’ applications with the same level of excellence that you have come to expect from our other agents. If you are interested in learning more about our PHP capabilities, please contact us.