Given that we do a lot of coverage of both the software-as-a-service space and PHP applications, it’s a little surprising that I haven’t mentioned this one before, but the folks from Mayflower seem to have a neat little security application in Chorizo. Mayflower, for those of you who haven’t heard of them, is an SI/ISV that’s done some in-depth PHP work (and XUL, interestingly) with some of the bigger name firms in Europe. Chorizo may be named after a flavor of Mexican sausage, but from the reports I’m getting it’s quite the dish with respect to application lockdown and vulnerability detection.
Basically, it’s an online application that scans your PHP applications by proxy. One good dev I know put his application through it, running around 450 automated tests on his code. They revealed two previously undiscovered medium risk vulnerabilities, but zero high and zero low (didn’t I say he was good?). But Mayflower’s Bjorn Schotte also ran it against a very well known and high profile PHP codebase and discovered 15 XSS bugs and 4 code inclusion bugs. The ISV, incidentally, was not particularly responsive to his notifications of these vulnerabilities.
Chorizo scores pretty well on ease of use as well. It took me under 5 minutes to set it up and scan the library application we used to use at RedMonk – discovering 10 “high risk” vulnerabilities (XSS, Information Disclosure, and SQL Injection types) in the process. Basically, you register a domain, deploy a signature file to the root of that domain, and then browse the site – proxying the requests through Chorizo – scanning in the process. Pretty simple, even for me.
From a macro perspective, Chorizo is indicative, I think, of a larger trend that Cote has touched on before in his writings on hosted systems management. We’re all familiar with the user-facing SAAS applications like webmail or CRM, but there’s equal potential in hosted infrastructure applications in my opinion. The same drivers that compel businesses small and, yes, large to consider applications hosted externally apply to services like monitoring, vulnerability detection and so on. It can be argued, in fact, that particularly in the security space centrally hosted applications actually have an inherent advantage over their inside-the-firewall cousins. While the latter have to wait for new rules or vulnerability signatures to be pushed to them, enterprises relying on centrally hosted security applications should always be operating off the most up-to-date information. More on that – perhaps – later.
Anyway, as is standard practice, Chorizo has both free and premium versions available – though the free version is likely to leave you wanting more, as it doesn’t include reports, advice, or solution code. Overall, Chorizo may be worth looking at if you’re a PHP developer looking for some external validation and assessment. Cost is €289 – around 360 dollars according to Google – for 5 domains. Not too bad.