Security Audits
We perform security audits on PHP-based applications to help identify potential vulnerabilities.
Our auditing is based on a combination of manual and automated probing of the application and hosting environment combined with analysis of the source code.
We will normally produce a 10-15 page report containing our findings and listing recommendations for improvement to the code base.
For instance, it may be the case that the source code is vulnerable to SQL Injection, in which case we would explain why it is an issue and provide guidance on how the problem could be resolved (for example, using prepared statements).
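As an added illustration of the kind of finding and remediation described above (this is example code, not code from the audit page or from any client application), the same lookup is shown twice: once with the user-supplied value concatenated into the SQL text, and once as a prepared statement with a bound parameter. The table and column names (`users`, `id`, `username`) and the helper function names are placeholders chosen for this example; the demo runs against an in-memory SQLite database so it works offline.

```php
<?php
// Added example, not from the audit page: a vulnerable query beside its prepared-statement fix.
// Assumes a PDO connection and a table `users` (id, username); both are placeholders.

// VULNERABLE: the input becomes part of the SQL text, so a quote character in it
// can change the structure of the query rather than just the value being compared.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: the SQL text is fixed at prepare time and the value is bound separately,
// so whatever the caller supplies is only ever treated as a string to compare against.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed test input containing a quote and a tautology, the classic case an audit checks for.
$input = "bob' OR '1'='1";

var_dump(findUserUnsafe($pdo, $input)); // returns the row for 'alice': the WHERE clause was rewritten
var_dump(findUserSafe($pdo, $input));   // returns NULL: no user is literally named "bob' OR '1'='1"
```

When reviewing code for this issue, the check is structural rather than input-based: any query whose text is assembled from request data (string concatenation, interpolation, `sprintf`) is flagged, regardless of whether the data looks "safe" at that point in the code. For drivers such as MySQL, also confirm that `PDO::ATTR_EMULATE_PREPARES` is set to `false` so the database server parses the statement and parameters separately.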
Obviously, in a large complex application it may not be possible for us to examine every line of source code, and therefore to find every potential vulnerability, as we have a finite amount of time to perform the audit. However, it is quickly apparent when performing a review whether security was properly considered while the software was being designed, or whether developers have tried to patch problems afterwards.
Where possible, we will also cover the hosting and development environment within which the software resides, as these can have important implications for security.
