ColdFusion Security Resources

This morning I received an email from Nadia asking the following:

I do check your website and also the Robots.com website for CF tips and info especially about security.
I am A Ph.D. Student and am required to write a paper and try to submit it to the ACM Journal. I have had some experience with ColdFusion Security Fixes, at my previous job at JSC-NASA. I am thinking to write my paper about Preventive measure in CF against security threats in regards to SQL Injection, XSS and maybe CSRF Attacks and recommended steps to mitigate these vulnerabilities.

I have two questions: I was wondering if you have links somewhere to these topics, like recent blogs or something. My other question would be would there be a more recently related CF Security problems and fixes that I can write about?

This is a topic that comes up pretty often. There is an official Adobe ColdFusion Security page: http://www.adobe.com/devnet/coldfusion/security.html. It’s pretty bare but has the damn good lockdown guide by Pete Freitag. This PDF is more server related then code related, but I’d consider it required reading for any ColdFusion installation.

You mentioned robots.com. I assume you mean 12robots.com which is Jason Dean’s blog. You can find his security category here: http://www.12robots.com/index.cfm/Security

Pete Freitag (author of the lockdown guide above) also has a security category for his blog: http://www.petefreitag.com/tag/security

Finally, I’d also mention UGTV – here is a search page for security: http://www.carehart.org/ugtv/list.cfm?search=security

Hopefully this is enough to get you started. Readers – please feel free to add more links.