“You manage your PHP project dependencies with Composer, right? But are you sure that your project is not dependent on a package with known security issues? The SensioLabs security advisories checker is a simple tool, available as a web service or as an online application, that uses the information from your
composer.lock file to check for known security vulnerabilities. This checker is a frontend for the security advisories database.” / SensioLabs.
Source: Check your PHP project for known security issues – SensioLabs Security Advisories Checker
phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks.
It currently has core PHP rules as well as Drupal 7 specific rules. Next planned CMS/framework is Symfony 2, which are also relevant to Moodle.
As a bonus set of rules, the tool also check for CVE issues and security advisories related to CMS/framework. You can use it in order to follow the versioning of components during static code analysis.
The main reasons of this project for being an extension of PHP_CodeSniffer is to have easy integration into continuous integration systems and to be able to find security bugs that are not detected with object oriented analysis (like in RIPS or PHPMD).
phpcs-security-audit is backed by Floe design + technologies and written by Jonathan Marcil.
- Install: https://moodle.org/plugins/local_codechecker
- Git clone above github project (phpcs-security-audit)
- Follow project’s README install instructions, and also…
- Copy https://github.com/FloeDesignTechnologies/phpcs-security-audit/tree/master/Security/Sniffs/BadFunctions folder into your Moodle local/codechecker/moodle/Sniffs
- Copy https://github.com/FloeDesignTechnologies/phpcs-security-audit/tree/master/Security/Sniffs/CVE folder into your Moodle local/codechecker/moodle/Sniffs
This plugin is a Static Code Analysis tool for PHP (aka inspections in JetBrains products).
– architecture related issues (e.g. design pattern violations)
– weak types control and possible code construct simplifications
– performance issues
– non-optimal, duplicate and suspicious “if” conditions
– validation of magic methods usage
– regular expressions
– validation of exception handling workflow
– compatibility issues
– variety of time-consuming bugs
– PhpUnit API usage
– security issues
מקור: Php Inspections (EA Extended) :: JetBrains Plugin Repository
The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG). ISRG is a California public benefit corporation, and is recognized by the IRS as a tax-exempt organization under Section 501(c)(3) of the Internal Revenue Code. ISRG’s mission is to reduce financial, technological, and education barriers to secure communication over the Internet.
מקור: How It Works – Let’s Encrypt – Free SSL/TLS Certificates
I was recently setting up a web server on #centos with apache and php. The installation of #apache was fine, but the http port of the system was not accessible from outside. This is because centOS by default has some #iptables #firewall rules in effect. Only the #ssh port (22) was accessible and remote shell worked. So its necessary to open up port 80 for webserver like nginx to work.
ב-Open http port ( 80 ) in iptables on CentOS.