With the ever-growing threat of data and compliance breaches, the security of web applications and APIs is business critical. Z-Ray provides PHP application developers with fine-grained insights into page requests, warnings and errors, events, and database queries. It can be integrated into Zend Server or used standalone for efficient debugging. Until now, however, Z-Ray has not tracked data flow to uncover security-related issues. In this talk, we present our integration of automated security analysis into Z-Ray.
We use the deep insights provided by Z-Ray to greatly speed up and simplify a static code analysis process. Because the analysis time is reduced, it can be used during the development and testing of single components without the need to analyze the complete code base. At the same time, detected security bugs can be easily verified with one click by combining the collected information about the web requests with the results of a context-sensitive security analysis. We will cover technical insights into how Z-Ray can be extended, the basics of static code analysis, and how both technologies can be combined into a new plugin that allows on-the-fly bug detection and verification.