We perform security audits on PHP-based applications to help identify potential vulnerabilities.
Our auditing combines manual and automated probing of the application and its hosting environment with analysis of the source code.
We will normally produce a 10-15 page report containing our findings and listing recommendations for improvement to the code base.
As an example, it may be the case that the source code is vulnerable to SQL Injection. Our report would explain why this is an issue, provide examples of the problem and provide guidance on how the problem could be resolved (for example, using prepared statements).
In a large application it may not be possible for us to examine every line of source code, and therefore to find every potential vulnerability, as we have a finite amount of time to perform the audit. However, combining our expertise with code analysis tools helps bring to light potential problems within the code base.
Where we can, our review will also cover the hosting and development environment within which the software resides, as these can have important implications for security.