Sunday, November 13. 2005
Until today there have been a lot of blog postings about the Zend Framework. People love or hate it for their own special reasons. I personally think that everyone who works on it should really consider what he does by signing the CLA and working on it. The message he gives is that Zend is right in communicating the Zend Framework as a must, because all other frameworks are by definition bad and untrustworthy, since they are only developed by a bunch of open source geeks and there is no company in control. I seriously dislike this kind of message, because it is simply not true. I have released lots of security advisories and dealt with lots of vendors during the last six years. The worst security contacts were either when the project was developed by 16-year-olds or when there was a company behind the project. These companies usually consider security holes very bad publicity and always try to downplay the impact.
On the other hand, one must consider what a framework that is used everywhere means for security researchers like me. When a common framework is used, it becomes a single point of failure for tons of web applications: a security hole in the framework exposes a large number of servers at the same time. We have recently seen how a flaw in PHP ($GLOBALS) put PEAR.php at risk, and with it everything that is built on top of it. When everyone is using the Zend Framework, this also means that the bad guys have a single attack vector on which to concentrate their power.
The good thing from an attacker's point of view is that the whole security of the Zend Framework will most probably rely on the skills of Chris 'not really an internationally recognised expert in the field of PHP security and no PHP core developer at all' Shiflett. As long as Zend continues to rely on his services, no serious security researcher will join their team, and for as long as that is the case there will be no real security in the Zend Framework.