Mark Rogers wrote:
It's quite a simple but effective script (just searching for keywords and emailing the offending section of code to me to investigate), but it isn't maintained and there are probably better tools out there.
My question is: what tools do other people use/recommend?
Not sure about the PHP testing, but I tend to start security audits with Nessus (warning: not free for commercial use, or if you want regular automated updates).
It's not going to cope with the specifics of the PHP code you are hosting, but it's a broad scanner that will highlight problems with most services, unpatched vulnerabilities and poor configuration as well. Then, if I see something I don't like, I tend to go at it with one of the service-specific tools included in the BackTrack security suite.
Be warned, however, that if you run it from a remote host, Nessus will fall foul of some tripwires (and in at least one case for me, not at the end I was scanning: it triggered something at my ISP (Plusnet) once that then put me in a walled garden because they thought a compromised machine on my network was attacking others :)