Security Analysis with SonarQube Plugin

4 Aug 2017 by Martin Bednorz

SonarQube

SonarQube is one of the leading products for continuous code quality inspection and is used by more than 80,000 organizations world-wide to automatically detect a large variety of code quality issues. But in today’s world the detection of security issues is even more important. RIPS Technologies enables to integrate its awarded security analysis solution directly into SonarQube through a plugin. It allows to continuously scan existing SonarQube projects for security threats and for quality issues so that the deployment of unstable applications can be prevented.

Read More ...

How security flaws in PHP's core can affect your application

20 Jul 2017 by Dr. Johannes Dahse
PHP Core Security

Popular security vulnerabilities occur due to bad coding practices or coding mistakes. Often a single missing character or incautiously used language feature opens the gates for an external attacker. But even when all best practices for secure programming are carefully adhered to, a PHP application’s source code is only as secure as the PHP interpreter it runs on. In this post, we will see how memory corruption bugs in the PHP core itself can affect an application’s security.

Read More ...

Why mail() is dangerous in PHP

3 May 2017 by Robin Peraglie
Email Security in PHP

During our advent of PHP application vulnerabilities, we reported a remote command execution vulnerability in the popular webmailer Roundcube (CVE-2016-9920). This vulnerability allowed a malicious user to execute arbitrary system commands on the targeted server by simply writing an email via the Roundcube interface. After we reported the vulnerability to the vendor and released our blog post, similar security vulnerabilities that base on PHP’s built-in mail() function popped up in other PHP applications 1 2 3 4. In this post, we have a look at the common ground of these vulnerabilities, which security patches are faulty, and how to use mail() securely.

Read More ...

What's new in RIPS 2.0.0?

18 Apr 2017 by Martin Bednorz

New User Interface

We are happy to announce the next iteration of our static analysis software for PHP! The new release RIPS 2.0.0 includes the following major changes:

  • A complete new interface with optimized performance (demo.ripstech.com)
  • A new extensive REST API for full feature automation (api.ripstech.com)
  • Team and user privilege management
  • Application-specific analysis profiles
  • More detailed code summaries and issue descriptions
  • Issue categorization for PCI DSS compliance requirements
  • Improved analysis precision and performance
  • Detection of Cookie Misconfiguration issues (CWE-613, CWE-614, CWE-1004)
  • Detection of Insufficient Certificate Validation issues (CWE-295, CWE-297)

Find out more about the top 5 new features in this blog post.

Read More ...

What we learned from our Advent Calendar

24 Dec 2016 by Johannes Dahse

Advent

In this years Advent of PHP Application Vulnerabilities (APAV), we examined 36 critical security issues which were detected in 19 different PHP applications by our code analysis solution RIPS. In our final post, we would like to summarize what we learned during this thrilling advent time. We reveal how the affected vendors reacted to our reportings behind the scenes. Was it right to publish all these sensitive issues? What conclusions can we draw about the security state of PHP applications from our findings?

Read More ...