I have a PHP application that I would like to have audited for security. I'm familiar with most of the general security issues, but want to make sure I didn't miss anything.
What steps should I take to perform a self-audit? What tools are available? What is the best way to find a 3rd-party auditor? Any recommendations?
Interested in both whitebox/codereview audit and blackbox/pentest?
I suggest taking a look at the following links:
You should start with any interactive web proxy, such as burp proxy, paros, etc.
Myself, I'm partial to Fiddler. Whichever tool you choose, this lets you examine all the request/response flow, and interact with the requests post-javascript. Great place to start.
Eventually, I imagine OWASP's code crawler will support PHP too... though right now I'm not familiar with any free automated tool for this. Just manual eyeballs for now...
Of course you can go for one of the big vendors, e.g. Fortify, Ounce Labs, etc - but thats quite expensive and another can of worms...
Give Google's Skipfish a look: http://code.google.com/p/skipfish/wiki/SkipfishDoc
There are tons of tools and it's really a personal preference on what will one use for a pentest. So try all of those mentioned by me and others and choose ones that fit you best.
For security code review (whitebox test), I'd recommend using RIPS. It's the best among those I tried.
For doing some blackbox testing, you certainly need some intercepting proxy. There's a lot of those, but I'd suggest you take a look at Fiddler if you're on Windows. Burp / WebScarab / Zed Attack Proxy are great too. If you want to automate some of the injection tests, grab some common payloads from fuzzdb.
Also, make yourself familiar with browser addons like Firebug and Chrome Developer Tools, they are a great help.
Finally, try bookmarks from Open Penetration Testing Bookmarks Collection. It's a huge list (just so that you know how many tools are there), but there are many gems inside.
If you want to make sure you don't miss anything, the best way is to get an actual expert to look at it. Too many problems arise in websites where a developer simply isn't aware that they aren't following best practices, or fail to understand that common "secure" practices aren't actually secure at all! (e.g. "I don't need to parameterize my SQL so long as I replace single quotes with backslash single-quotes, right!?").
If you're a company, hire an external pentesting company to do a test of your application. They're not very expensive, and they'll find most of the issues. It's certainly cheaper for a company to hire a pentesting firm than to waste days of time training staff members on full salary how to find some bugs, and it's certainly cheaper than trying to rebuild your company after a major breach of customer data.
