Over the next few weeks you will see more details from us about a project that we have been working on. As a part of our relationship with Syhunt, one of our elite partners for application security work, we have been testing and reviewing their new tool, Sandcat4PHP. The tool is a sophisticated and user friendly source code scanner for performing deep analysis of PHP applications including their surrounding javascript and HTML components.
Stay posted here for a pretty in-depth review of the new tool, its use and capabilities. We will be doing that review as a part of the project as well.
First, let me start with the purpose and the scope of the project. In the last few months we have worked with a number of clients who have had issues with the security of their content management system. More than a few of them are using popular products, but several are using proprietary tools as well. As such, we have worked on a few incidents and application reviews. That led to a pretty in-depth discussion between a couple of clients and ourselves about the state of content management system security, in general. As an off shoot of that discussion, we decided to test 5 of the most popular content managers using the new Syhunt PHP scanner, since we needed to review it anyway.
Next, we obtained a couple of lists of popular content managers. Selecting our five was pretty easy and we settled on the following:
WordPress, Joomla!, Mambo, Drupal and BitWeaver
We then downloaded the current versions of the CMS (as of that day, a couple of weeks ago…) and set up our testing environment.
We assessed the entire package, but only as downloaded from the web site. That means in most cases, that we tested only the core components and not any additional modules, plugins or components. We considered whatever was in the default download to be the basis for our work.
To date, we have begun our assessments and review of the CMS tools. We will be in contact with each of the CMS projects about the findings of the assessments and they will receive the details of the tool’s findings prior to public release of the technical details. Statistical and numeric data will also be forthcoming.
For now just let us say that we are evaluating our findings and that the tool performed very very well.
I look forward to sharing the details with everyone in the coming days.
Let me know if you have any questions about the product, the project or the work.