I’m trying to choose a framework that provides really good security for web applications and protects against as much of the OWASP Top 10 as possible, such as:
- SQL injection
- XSS
- CSRF
- Authentication
- Authorization
- etc.
The thing is, I’ve tried researching really heavily:
CakePHP, Zend, Yii, CodeIgniter, Kohana. Some have basic authentication, maybe a little authorization, but nothing for any application that needs solid code security.
Are most of the vulnerability types above currently secured only by writing custom code in these frameworks?
This is kind of my first experience with using frameworks; everything up until this point has been custom PHP web apps. My whole thought about PHP frameworks was that it was going to be easy to protect against these vulnerabilities; given that it isn’t natively, why use one? Or is there a framework out there I’m not looking at which is better than those listed above for strong web app security? Thanks
Security cannot be applied to an application like some veneer. Each kind of security problem is dealt with in a different way, and most PHP frameworks provide tools to write secure code:
- Fighting HTML injection / XSS requires the use of a template engine (like Twig) that escapes values by default, or a component-driven approach to displaying HTML. No framework will help you if you allow people to upload their files and have them served from your own domain (you have to use a separate domain for that);
- You can avoid SQL injection by using DB helpers that escape query parameters; each framework you mentioned provides those (and of course you can use plain PDO);
- You can fight CSRF by using session-bound tokens. Each framework offers some solution. In each case, however, you have to assist the framework in some way (by adding a token to each form or by using a form abstraction provided by the framework).
So in a way, yes, you have to think about security. I don’t think any PHP framework could do anything more than they already do, unless there is a major paradigm shift that lets us design applications by dragging colorful boxes across the screen, not touching dirty, insecure things like HTML or SQL. What kind of support would you expect?
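The three mitigations the answer lists (parameterised queries, escaping at output, and a session-bound CSRF token), as an added example in plain PHP with no framework; this is not code from the answer or from any of the frameworks named, and the `users` table and its one row are constructed sample data.

```php
<?php
// Added example, not code from the answer: its three mitigations on plain PDO and a session.
session_start();
// 1. SQL injection: bind user input as a parameter; never interpolate it.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// 2. HTML injection / XSS: escape each value where it is written into HTML
// (what Twig does by default); ENT_QUOTES also covers attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// 3. CSRF: a random token kept in the session and echoed into every form;
// the POST handler rejects requests whose token does not match it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time
}
// Constructed sample table so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com')");
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $user = findUserByEmail($db, (string) ($_POST['email'] ?? ''));
    exit($user ? 'Found: ' . e($user['email']) : 'No such user');
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= e(csrfToken()) ?>">
  <input type="email" name="email" value="<?= e($_GET['email'] ?? '') ?>">
  <button type="submit">Look up</button>
</form>
```

Serve it with `php -S localhost:8080 form.php` (any file name) and submit the form with and without the hidden field to see the token check reject the request; the escaping in `e()` is what keeps a reflected `email` query parameter from landing in the page as markup.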