PHP static code analysis is necessary if you want to ensure that your PHP code will deliver secure applications.
There are plenty of options on the market for PHP static code analysis. These include Klocwork, Atlassian, Checkmarx, etc. However, the real trick with selecting the right tool is to choose one which is accurate so results don’t contain a high rate of false positives / negatives. Such a solution provides developers with the confidence they need in order to act upon those findings. In addition, the way in which the findings are reported is also a key aspect. Scanning your code is a great step in the right direction for secure development but it’s only when the data is delivered in the way that your developers need that it can become an accepted part of your application development lifecycle.
Checkmarx’s findings are provided in the “standard” format as a list of vulnerabilities (which can be exported into various formats such as PDF, XML, etc), but a key differentiator is the graph view which takes a novel approach, and applies graph algorithms on the findings to identify the critical junctions where the code has to be fixed. This high level view of the findings enables the elimination of many vulnerabilities with a single fix, thus optimizing the remediation efforts, saving time and money.
Checkmarx’s extensive research into the security state of PHP based WordPress’s open source CMS platform, and its plugin library, as you can see here helped deliver an additional improvement to Checkmarx’s PHP static code analysis capabilities.