About me
Story
Prevalence
Source: own data
Business risks
Targeted vs. untargeted attacks
You do not have to be a high-profile target to become a victim.
Impact of AI
Use of AI tools
According to a GitHub survey in 2023
https://github.blog/news-insights/research/survey-reveals-ais-impact-on-the-developer-experience/
Security of AI-generated code
According to a study in 2024
Takeaway #1
What is it?
Why use it?
Popular tools
Comparing to manual code review and automated testing
Static analysis for security
Takeaway #2
Let's see what tools we can use
Impact of code quality
Prevalence
Such as:
Checking code quality
Takeaway #3
Prevalence in audited applications
Unknown vulnerabilities
Outdated PHP versions
Source: Packagist.org package installations by PHP < 8.1 in February 2025
Unpatched PHP vulnerabilities
Each version listed is the final release of its branch; the branch is end-of-life, so none of these counts will ever go down.

| PHP version | Known vulnerabilities |
|---|---|
| 8.0.30 | 1 |
| 7.4.33 | 2 |
| 7.3.33 | 6 |
| 7.0.33 | 21 |
| 5.6.40 | 13 |
| 5.5.38 | 74 |
Detecting vulnerable dependencies
Alternatives
Scanning Docker images
Takeaway #4
To make sure your dependencies don't contain (known) security vulnerabilities
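What a dependency audit actually does, as an added example that is not code from this talk: it reads the resolved versions from composer.lock (not the constraints in composer.json) and compares each one against an advisory list with version_compare(). The lock-file excerpt and the advisory list are constructed, and the vendor/* package names are hypothetical.

```php
<?php
// Added example, not code from this talk: the mechanics behind a dependency audit.
// Reads the packages from composer.lock and compares each version against an
// advisory list with version_compare(). The lock-file excerpt and the advisory
// list are constructed; the vendor/* package names are hypothetical.
declare(strict_types=1);

// Constructed composer.lock excerpt (real lock files carry many more fields).
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "vendor/http-client", "version": "v2.3.1"},
    {"name": "vendor/templating",  "version": "1.8.0"},
    {"name": "vendor/yaml",        "version": "3.0.2"}
  ],
  "packages-dev": [
    {"name": "vendor/test-helper", "version": "0.9.5"}
  ]
}
JSON;
$lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);

// Hypothetical advisory feed: package => list of [affected from, fixed in) ranges.
// A real audit fetches this from Packagist's security-advisories API.
$advisories = [
    'vendor/http-client' => [['2.0.0', '2.3.2']],
    'vendor/yaml'        => [['1.0.0', '2.9.9'], ['3.0.0', '3.0.1']],
];

/** composer.lock keeps the git tag ("v2.3.1"); version_compare() wants "2.3.1". */
function normalizeVersion(string $version): string
{
    return ltrim($version, 'v');
}

/** True if $version lies in any [from, fixedIn) range of the advisory. */
function isAffected(string $version, array $ranges): bool
{
    $v = normalizeVersion($version);
    foreach ($ranges as [$from, $fixedIn]) {
        if (version_compare($v, $from, '>=') && version_compare($v, $fixedIn, '<')) {
            return true;
        }
    }
    return false;
}

$findings = [];
foreach (['packages', 'packages-dev'] as $section) {
    foreach ($lock[$section] ?? [] as $package) {
        $ranges = $advisories[$package['name']] ?? [];
        if ($ranges !== [] && isAffected($package['version'], $ranges)) {
            $findings[] = sprintf('%s %s (%s)', $package['name'], $package['version'], $section);
        }
    }
}

if ($findings !== []) {
    echo "Vulnerable dependencies:\n - " . implode("\n - ", $findings) . "\n";
    exit(1); // non-zero exit so a CI job fails on findings
}
echo "No known vulnerable dependencies.\n";
```

Two things the script makes visible: dev dependencies are scanned too (a vulnerable test helper still runs on your CI runners), and the result depends on the advisory feed, not on the lock file changing. Re-running the same check on a schedule is therefore how a project nobody commits to any more still learns about new advisories. In practice `composer audit` (Composer 2.4 and later) does this against the Packagist advisory database.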
Detecting committed secrets
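An added example of how a committed-secret check works, not code from this talk: two kinds of rule run over each line, format patterns for key shapes that are secrets regardless of context, and a Shannon-entropy check on long values assigned to secret-looking names. The input lines are constructed and every key in them is fake.

```php
<?php
// Added example, not from the talk: a small committed-secret scanner. Format rules
// catch well-known key shapes; an entropy rule catches random-looking values assigned
// to secret-ish names. The input lines are constructed and all keys in them are fake.
declare(strict_types=1);

// Constructed file content, as it might appear in `git diff --cached`.
$lines = [
    'DB_PASSWORD=changeme',
    'AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP',
    '$apiKey = "aaaaaaaaaaaaaaaaaaaaaaaa";',
    '$jwtSecret = "x7Gq2pLm9vR4sT1wZ8yBnK3d";',
    '-----BEGIN RSA PRIVATE KEY-----',
    '// token = see vault, not in repo',
];

// Format rules: shapes that are secrets regardless of context.
$formatRules = [
    'aws-access-key-id' => '/\bAKIA[0-9A-Z]{16}\b/',
    'github-token'      => '/\bghp_[A-Za-z0-9]{36}\b/',
    'private-key-block' => '/-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/',
];

// Context rule: a secret-ish name assigned a long value; entropy decides whether it is random.
$assignment = '/\b\w*(?:secret|password|passwd|token|api_?key)\w*\s*[:=]\s*["\']?([A-Za-z0-9+\/=_\-]{16,})/i';
$entropyThreshold = 3.5; // bits per character; words and repeated characters sit well below this

/** Shannon entropy of the byte distribution, in bits per byte. */
function shannonEntropy(string $value): float
{
    $length = strlen($value);
    $entropy = 0.0;
    foreach (count_chars($value, 1) as $count) {
        $p = $count / $length;
        $entropy -= $p * log($p, 2);
    }
    return $entropy;
}

$findings = [];
foreach ($lines as $index => $line) {
    $lineNo = $index + 1;
    foreach ($formatRules as $name => $pattern) {
        if (preg_match($pattern, $line) === 1) {
            $findings[] = sprintf('line %d: %s', $lineNo, $name);
        }
    }
    if (preg_match($assignment, $line, $m) === 1) {
        $entropy = shannonEntropy($m[1]);
        if ($entropy >= $entropyThreshold) {
            $findings[] = sprintf('line %d: high-entropy value (%.2f bits/char)', $lineNo, $entropy);
        }
    }
}

foreach ($findings as $finding) {
    echo $finding, "\n";
}
exit($findings === [] ? 0 : 1); // block the commit when something matched
```

On this input the AWS key, the private-key header and the random-looking JWT secret are reported, the all-"a" API key falls under the entropy threshold, and the comment matches no rule. Note the false negative on the first line: a weak default such as `changeme` is too short and too predictable for either rule, so real scanners add a wordlist rule for known bad passwords. Wire the script into a pre-commit hook and in CI, since the hook alone is bypassed by `--no-verify`.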
Dockerfile best practices
Checking Dockerfiles for best practices
Scanning php.ini configuration values
Scans your PHP environment for secure settings
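An added example of such a check, not the talk's own code or any named tool: it reads the running configuration with ini_get() and compares it with a small secure baseline. The baseline is my selection of directives; the file name and php.ini path in the comment are placeholders.

```php
<?php
// Added example, not from the talk: check the running PHP configuration against a
// small secure baseline. Run it under the same SAPI and php.ini you deploy with, or
// point the CLI at a file: php -c /etc/php/8.3/fpm/php.ini check-ini.php
// (that path and the file name are placeholders).
declare(strict_types=1);

// Boolean directives: directive => [expected value, what the weak setting enables].
$booleanBaseline = [
    'display_errors'           => [false, 'error messages with paths and stack traces are shown to users'],
    'expose_php'               => [false, 'X-Powered-By reveals the exact PHP version'],
    'allow_url_include'        => [false, 'include/require can load remote code (RFI)'],
    'session.cookie_httponly'  => [true,  'session cookie is readable from JavaScript after an XSS'],
    'session.cookie_secure'    => [true,  'session cookie is sent over plain HTTP'],
    'session.use_strict_mode'  => [true,  'uninitialised session IDs are accepted (session fixation)'],
    'session.use_only_cookies' => [true,  'session ID is also accepted from the URL'],
];

$findings = [];
foreach ($booleanBaseline as $directive => [$expected, $risk]) {
    $raw = ini_get($directive); // raw string as configured: "On", "1", "", "Off", ...
    if ($raw === false) {
        $findings[] = sprintf('%s: directive unknown to this PHP build', $directive);
        continue;
    }
    $actual = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($actual === null) {
        $findings[] = sprintf('%s = "%s": not an on/off value, review manually', $directive, $raw);
    } elseif ($actual !== $expected) {
        $findings[] = sprintf('%s = "%s"; %s', $directive, $raw, $risk);
    }
}

// Non-boolean directives need their own checks.
$sameSite = strtolower((string) ini_get('session.cookie_samesite'));
if (!in_array($sameSite, ['lax', 'strict'], true)) {
    $findings[] = 'session.cookie_samesite is not Lax or Strict; cross-site requests carry the session cookie';
}
if ((string) ini_get('open_basedir') === '') {
    $findings[] = 'open_basedir is empty; file operations are not confined to the application directories';
}

if ($findings === []) {
    echo "php.ini: no findings\n";
    exit(0);
}
echo "php.ini findings:\n";
foreach ($findings as $finding) {
    echo " - ", $finding, "\n";
}
exit(1);
```

The raw string is kept in the message because php.ini accepts several spellings (`Off`, `0`, an empty value), and a value such as `stderr` for display_errors is not a boolean at all, which is why the script asks for manual review instead of guessing. The CLI SAPI defaults display_errors to on, so the value that matters is the one your web SAPI (FPM, Apache) sees.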
Injection-style vulnerabilities
Taint Analysis
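The source-to-sink path a taint analyser reports, as an added example that is not code from this talk: one attacker-controlled value reaching an SQL sink and a shell sink, each shown vulnerable and then hardened with the safe API or sanitiser the analyser recognises. It uses an in-memory SQLite database (pdo_sqlite) so it runs stand-alone; the users table, the function names and the payload are constructed.

```php
<?php
// Added example, not from the talk: one tainted value flowing from a source to two
// sinks, each shown vulnerable and hardened; this is the source -> sink path a taint
// analyser reports. Uses an in-memory SQLite database (pdo_sqlite) so it runs
// stand-alone; the users table and the function names are hypothetical.
declare(strict_types=1);

// --- Vulnerable: taint reaches the sink unchanged ----------------------------------

function findUserVulnerable(PDO $pdo, string $name): array
{
    // SINK: SQL built by interpolation. Taint path: $_GET['user'] -> $name -> query().
    $sql = "SELECT id, email FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function listDirVulnerable(string $dir): string
{
    // SINK: shell command. A value such as "x; id" runs a second command.
    return (string) shell_exec("ls -la $dir");
}

// --- Hardened: a safe API or a recognised sanitiser sits between source and sink ----

function findUserSafe(PDO $pdo, string $name): array
{
    // Prepared statement: the value is bound as data and never becomes SQL text.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function listDirSafe(string $dir): string
{
    // escapeshellarg() is the sanitiser taint rules accept for the shell_exec() sink;
    // on top of that, refuse anything that is not an existing directory.
    if (!is_dir($dir)) {
        throw new InvalidArgumentException('not a directory');
    }
    return (string) shell_exec('ls -la ' . escapeshellarg($dir));
}

// --- Demo with a constructed attacker payload ---------------------------------------

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// SOURCE: in a web request this would be $_GET['user']; here the payload is constructed.
$name = "' OR '1'='1";

// The interpolated query becomes  ... WHERE name = '' OR '1'='1'  and returns every user;
// the prepared statement looks for a user literally named "' OR '1'='1" and returns none.
printf("vulnerable: %d rows\n", count(findUserVulnerable($pdo, $name)));
printf("hardened:   %d rows\n", count(findUserSafe($pdo, $name)));
```

This is also why taint tools report the safe versions only when they know the sanitiser: a home-grown cleaning function between source and sink is still a finding until it is declared as a sanitiser in the tool's configuration, and a rule that does not know escapeshellarg() will flag listDirSafe() as well.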
Tools
Comparison
Takeaway #5
Run tools manually to analyse your project and see what they find
Run static analysis tools automatically for every commit
Find new vulnerabilities in dependencies for projects that are not actively developed
Not a silver bullet
Takeaway #6
Detect security vulnerabilities before they reach production
Thank you