Zend Server is a certified enterprise PHP distribution that enhances the development, deployment, and debugging process of PHP applications immensely. The application and Z-Ray debugging functionalities can be enhanced via plugins and there are already many Zend-provided and community-made plugins available in the gallery. With our plugin, the deployed applications in Zend Server can be analyzed for security risks.
You can find out more about our Zend Server plugin in our blog post.
The plugin can be installed via the official ZendServer Plugin Gallery (Plugins → Gallery).
The plugin is hosted and developed on GitHub.
|Version||Zend Server Compatibility||Download|
|1.0||>= 9.0||Download via GitHub|
|2.0||>= 9.0||Download via GitHub|
Currently the plugin has to be installed manually via the Deploy Plugin option on the Plugins → Manage Plugins site.
The RIPS plugin can be found in the Security category of the navigation menu. Configuration of the plugin is required before usage so that a connection to your RIPS instance (on-premises solution) or our Software-as-a-Service instance is available.
Please note that the Test Connection button only appears after you have entered your credentials. In addition, the check if the connection was successful is performed by your browser and not the Zend Server instance. There are circumstances in which the environments may differ and the connection still fails afterwards if not properly setup.
The RIPS API credentials are stored in plain text on the Zend Server instance.
The plugin recognizes two types of deployed applications that can be scanned which are described in the following sections.
New Scan from Deployed Application
You can scan applications that are already deployed in your Zend Server. For this purpose, an application slot in RIPS is used for scanning. You can create a new application slot, or use an existing one for a rescan.
The plugin will create a Zip archive of the deployed source code on Zend Server and send it to the previously configured RIPS instance for analysis.
New Scan from Document Root
You can also scan source code located in your Document Root of your Zend Server instance. The document root path is extracted from the web server's configuration file.
Similar to the previous type, you can create a new application in RIPS, or select a preexisting one for rescanning.
The results view shows the most recent scans of your RIPS account. Scans that are currently active are automatically updated and findings can be viewed in real-time while the scan is still running.
In addition to the overview we provide a detailed view with more information on the performed analysis and its results.
An issue breakdown shows the different types of security vulnerabilities that were detected, as well as the related industry standards such as CWE, OWASP Top 10, SANS Top 25, or PCI DSS.
Further, issues can be reviewed in more detail by affected file, sink, source, and user parameter. A reference to the RIPS UI can be used for more fine-grained issue verification and remediation.