Is Zend Framework/Server on AWS a secure option for web application authentication/authorization

Question

Currently working on a pretty basic hosted PHP app which I'm in the process of migrating to Zend on AWS. I have no real background in security, which is why I'm delegating the 'sysadmin' side of things to Amazon/Zend. Is it reasonable to assume that I can rely on Zend's authentication and authorization for my web app which will be deployed in a commercial context? I don't want to put something out there which will be vulnerable to a login attack.

Answer 1

The answer to your question in the title would be a simple yes because they offer options to make your web app secure. But, when I read the text I am worried about your expectations because the secure options are just that, options. You cannot delegate 'sysadmin' to either of them.

Zend's authentication and access controls are loose components waiting for you to be used and AWS, in their own words, is "an infrastructure web services platform in the cloud", i.e. just a network. Just because of their existence you cannot expect to have a secure web app. AWS will allow you to host your web server and web app in a secure way. On the other hand with Zend's authentication and ACL you have excellent classes for an easy authentication setup but for both you have to know how to use them and how to implement them properly in your web app.

Unfortunately you say you have no real background in security. If you don't know how to implement authentication--in any form or style--then your web app will have more holes than Swiss cheese.

Answer 2

Don't think you have reasons to worry about the Zend Framework components handling authentication and authorization.

You can use other components, which you 'trust' in your Zend Framework Deployment easily in case you think that ZF components are not suitable for deployments in a commercial context.