A reader just asked:
Hello, I am Brazilian and I am starting to develop with ColdFusion. I would like some tips on how to develop my applications with security, so you never have problems. Thanks.
That's a pretty huge question. Before I start to delve into some answers, I think it is absolutely critical that you never assume you will not have problems. You will always have problems. You can - however - work very hard to mitigate and minimize your problems as much as possible. When it comes to security, there is absolutely no "silver bullet" that you can apply once and simply move on from. Security is an ongoing, ever-present concern.
With that out of the way, here are some resources that I think can help you. I encourage my readers to add to this list.
- First, check the Administering Security chapter of the online guide Configuring and Administering Adobe ColdFusion 9. This is part of the thousands of pages of free documentation for ColdFusion 9.
- You can then check Securing Applications. This is part of the Developing Adobe ColdFusion 9 Applications online book.
- The most complete resource, and again, 100% free, is the PDF Adobe ColdFusion 9 Server Lockdown Guide. It's pretty intense, but it gives a great blueprint for locking everything down on your server.
- That last guide was created by Pete Freitag, whose company also runs the online tool, Hack My CF. This will perform various network requests against your server looking for vulnerabilities. Oh - and this too is 100% free.
- You should also keep track of the security bulletins issued by Adobe. You can find them here: http://www.adobe.com/support/security/#coldfusion
- Fancy a recorded presentation? Check out the recording of Jason Dean on ColdFusion Application Security. Free too.
- Finally, I'll mention my own little guide, ColdFusion Security Checklist. It hasn't been updated for a while, but it's another resource you can consider.