Combining the ZEND Framework with the OWASP ESAPI for PHP to have a secure PHP web application

Authors:

Maarten Aerts – Software Security Expert – maarten.aerts@zionsecurity.com

Erwin Geirnaert – CEO & Co-founder – erwin.geirnaert@zionsecurity.com

© ZION SECURITY 2009

All trademarks used are properties of their respective owners.

Current Situation

Even though there are a lot of frameworks around and security has become very important in today’s internet society, the implementation of security in those frameworks isn’t all that great. Many frameworks are built primarily for performance, which isn’t bad in itself, but they are presented as if they were secure as well.

A lot of developers adopt a framework under the assumption that it is safe, and the inevitable happens: the application gets hacked and sensitive data, including user data, gets stolen, which also damages the company’s image.

In this paper we discuss the ZEND Framework. This is an open-source project with a very large user base, and its core development team includes some of the creators of PHP.

ZEND pros

1. ZEND is loosely coupled and easy to customize. The components of the framework can be used independently of the framework as a whole. This can be extremely useful if you wish to introduce it as a new way of developing to your development team.

2. ZEND has built-in functions that cover some security issues, such as SQL injection, XSS and input validation.

3. ZEND has a lot of features and it has a very high level of extensibility.
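To make the second point concrete, the following is an added example (not code from the paper or from the Zend project) showing the kind of built-in Zend Framework 1.x helpers meant here: Zend_Filter_Input for input validation, bound parameters in Zend_Db against SQL injection, and Zend_View::escape() against XSS. The table, column and field names are constructed for illustration; it assumes ZF1 is on the include_path.

```php
<?php
// Added example, not part of the Zion Security paper. Assumes Zend Framework 1.x
// is on the include_path; the 'notes' table and request fields are constructed.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

// 1. Input validation: Zend_Filter_Input runs filters, then validators, over
//    untrusted request data before the application uses any of it.
function validateSearchRequest(array $rawRequest)
{
    $filters = array(
        '*'       => array('StringTrim'),   // applied to every field
        'user_id' => array('Digits'),
        'query'   => array('StripTags'),
    );
    $validators = array(
        'user_id' => array('Int', 'presence' => 'required'),
        'query'   => array(array('StringLength', 1, 64), 'presence' => 'required'),
    );
    $input = new Zend_Filter_Input($filters, $validators, $rawRequest);
    if (!$input->isValid()) {
        // getMessages() maps each failing field to its validation messages.
        return array('ok' => false, 'errors' => $input->getMessages());
    }
    return array(
        'ok'      => true,
        'user_id' => (int) $input->getUnescaped('user_id'),
        'query'   => $input->getUnescaped('query'),
    );
}

// 2. SQL injection: bind values instead of concatenating them into the query.
//    The adapter sends a parameterised statement, so the value is never
//    parsed as SQL even if it contains quotes or comment markers.
function findNotes(Zend_Db_Adapter_Abstract $db, $userId, $query)
{
    $sql = 'SELECT id, title FROM notes WHERE owner_id = ? AND title LIKE ?';
    return $db->fetchAll($sql, array($userId, '%' . $query . '%'));
}

// 3. XSS: escape at output time. Zend_View::escape() wraps htmlspecialchars()
//    by default, so stored data is rendered as text rather than as markup.
function renderTitles(Zend_View $view, array $rows)
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . $view->escape($row['title']) . '</li>';
    }
    return $html . '</ul>';
}
```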

ZEND cons

1. The framework requires PHP 5.1 or greater. This rules out projects that are to be hosted on servers running PHP 4.

2. Some of the things that are available by default in other frameworks aren’t present in the ZEND Framework; e.g. you have to write your own bootstrap, whereas other frameworks provide one.

3. They offer extensive documentation, but in some, if not to say a lot of, cases it is poorly written. E.g. “$this->getRequest();”: what is the use of this when you do not know what scope $this is in?

4. ZEND, being a performance framework, has a couple of issues in the Action Stack, which make it less performant and more complex because of design issues.

