Integrate Security Testing into PhpStorm
20 Feb 2018 by Julian Karl
PhpStorm is one of the leading IDEs for developing PHP applications. Its support for key developer tools, such as version control systems, remote deployment, and databases, makes it easy for developers to write code efficiently. Although it offers code analysis features such as code completion and code quality analysis, it is not able to detect pervasive security issues such as Cross-Site Scripting or SQL Injection. With the help of our PhpStorm plugin you can seamlessly integrate our best-in-class security analysis directly into PhpStorm. This enables developers to quickly scan their project, review the security vulnerabilities that were found, and apply patches at the lowest cost point without ever leaving PhpStorm. Get a trial and test it!
New State-of-the-Art Reduces Costs
Typically, application security testing is performed after the source code has already been committed to the source code repository. For example, a security scan is performed manually before deployment, or continuous integration is used to test the build automatically. Our PhpStorm plugin, however, enables a new and even more efficient approach to security testing. Using our PhpStorm integration, security issues are detected where they are made: directly in the IDE. Developers can scan their source code during the development process and before any push is made to the source code repository. This increases development speed because the response time on security issues is shorter. When developers are warned about a mistake at the moment they make it, it is easier to fix the faulty code with the current ideas in mind than to rethink the code at a later stage, when other features already depend on it. Furthermore, there is no longer any need to switch between tools or to map the security issues in a report back to your IDE for patching. The issues are highlighted right where you made them and are ready to be resolved with our patch guide. This significantly reduces the time, effort, number of people involved, and ultimately the cost per security issue.
How the Integration Works
Our PhpStorm plugin can be installed directly through the official plugin repository or installed manually. It is available for both PhpStorm and IntelliJ IDEA with PHP language support installed. The plugin gives developers easy access to the most important features of RIPS, such as initiating scans, reviewing results, or using team collaboration features. Both our developers and our security researchers at RIPS Technologies are already using the plugin to simplify their workflows. You can find detailed documentation of the plugin in our knowledge base.
Besides a simplified workflow, the most important feature of the plugin is that the review process for security vulnerabilities that were found is significantly enhanced by PhpStorm's code navigation features. When assessing deeply nested security issues that span multiple files and functions, it is immensely helpful to jump back and forth through the affected lines of code in PhpStorm, which makes it much easier to verify a vulnerability or to implement a patch.
The exemplary results in the figure are taken from a scan of DVWA. It shows all the basic information about a security issue and is structured similarly to our web interface. You can find all vulnerability types and issues that were found by the analysis on the left side and a code summary of all affected lines of code on the right side. There are several ways to navigate to the source code of the issue at hand:
- Clicking on an issue in the issue list.
- Right-clicking on an issue in the issue list. Here you can select which part of the security vulnerability you want to jump to (Source, Concat, or Sink).
- Clicking on a file name in the code summary.
- Clicking on a line in the code summary.
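To make the three navigation targets (Source, Concat, Sink) concrete, here is an added illustration. It is not code from the plugin, from RIPS, or from DVWA; it is a constructed, self-contained PHP script using an in-memory SQLite database, with the function names and the `users` table chosen for this example only. The vulnerable function shows where each of the three parts of an SQL injection data flow sits, and the hardened function shows the same lookup with the concatenation step removed by parameter binding.

```php
<?php
// Added example (not part of the original post or the RIPS plugin).
// Constructed in-memory database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Vulnerable lookup: the three points a taint analysis reports and that the
// plugin lets you jump to from the issue list.
function findUserVulnerable(PDO $db, array $get): ?array
{
    // Source: untrusted input enters the program (here $get stands in for $_GET).
    $id = $get['id'] ?? '';

    // Concat: the tainted value is spliced verbatim into the SQL text, so
    // whatever the client sent becomes part of the query syntax.
    $sql = "SELECT id, name FROM users WHERE id = '" . $id . "'";

    // Sink: the tainted string reaches the database driver.
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened lookup: the query template is constant and the value is bound as a
// parameter, so there is no concat step and the sink never sees tainted SQL.
function findUserSafe(PDO $db, array $get): ?array
{
    $id = $get['id'] ?? '';
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);   // value is data, never query syntax
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request: for well-formed input both variants return the same row;
// only the hardened one keeps that guarantee for arbitrary input.
$request = ['id' => '2'];
var_dump(findUserVulnerable($db, $request));   // ['id' => 2, 'name' => 'bob']
var_dump(findUserSafe($db, $request));         // ['id' => 2, 'name' => 'bob']
```

When reviewing an issue in the plugin, jumping to the Sink tells you what the consequence is, jumping to the Source tells you whether the input is really attacker-controlled, and the Concat positions are where the patch usually goes: replacing the string building with a prepared statement, as in `findUserSafe`, removes the data flow the analysis reported.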
The sink of a vulnerability is marked directly in the source code according to the severity of the issue. To avoid clutter in the source code, this marking is done intelligently and takes the review status into account. Reviewing an issue as fixed hides the mark immediately. The review status is also propagated to future scans, so that negatively reviewed issues no longer show up in later analysis results.
The plugin not only allows you to view existing scans that were created earlier via the web interface, the CI plugin, or custom API calls; it also enables developers to start new scans from inside the IDE. You can start a scan with just a few clicks, and the plugin will pack your relevant project files and send them to your local RIPS installation or to our SaaS solution. The analysis results are available in real time and can be reviewed while the scan is still running.
During a scan, notifications pop up in PhpStorm as soon as a critical- or high-severity security issue is found. This ensures that the most dangerous issues always have top priority. Our plugin also lists the current review status of each issue in the issue tree. You can further specify that issues which have been reviewed as fixed or similar are not displayed by the plugin. This results in a list of only unreviewed or exploitable security issues to focus on. It also allows you to review issues while the analysis is still in progress, so no waiting time is required. To cover more features of RIPS, the plugin allows the creation of new applications and shows the command context of an issue. Furthermore, it is possible to view and add comments for each issue.
The RIPS PhpStorm plugin is an extremely useful tool for developers and researchers to review and fix vulnerabilities even more efficiently than before. Its straightforward features save time when locating and patching security vulnerabilities in your project, without switching between reports or tools. Combining one of the most widely used IDEs for PHP, with its great code navigation features, and our best-in-class security analysis helps to produce the most stable and secure PHP applications. At the same time, it constantly trains your PHP security knowledge.