A reader just asked:
Hello, I am Brazilian and I am starting to develop with ColdFusion. I would like some tips on how to develop my applications securely, so you never have problems. Thanks.
That's a pretty huge question. Before I start to delve into some answers, I think it is absolutely critical that you never assume you will not have problems. You will always have problems. You can - however - work very hard to mitigate and minimize your problems as much as possible. When it comes to security, there is absolutely no "silver bullet" that you can apply once and simply move on from. Security is an ongoing, ever present concern.
With that out of the way, here are some resources that I think can help you. I encourage my readers to add to this list.
- First, check the Administering Security chapter of the online guide Configuring and Administering Adobe ColdFusion 9. This is part of the thousands of pages of free documentation for ColdFusion 9.
- You can then check Securing Applications. This is part of the Developing Adobe ColdFusion 9 Applications online book.
- The most complete resource, and again, 100% free, is the PDF Adobe ColdFusion 9 Server Lockdown Guide. It's pretty intense, but it gives a great blueprint for locking everything down on your server.
- That last guide was created by Pete Freitag, whose company also runs the online tool, Hack My CF. This will perform various network requests against your server looking for vulnerabilities. Oh - and this too is 100% free.
- You should also keep track of the security bulletins issued by Adobe. You can find them here: http://www.adobe.com/support/security/#coldfusion
- Fancy a recorded presentation? Check out the recording of Jason Dean on ColdFusion Application Security. Free too.
- Finally, I'll mention my own little guide, ColdFusion Security Checklist. It hasn't been updated for a while, but it's another resource you can consider as well.
Archived Comments
Very timely post, Ray! I'm sitting here in a web application security class...
I would recommend Jason's website (12robots.com) as a great general resource, but there's so much there that it can be a bit overwhelming. I really like how you've simplified where to *start*.
Indeed. Just finished a security course and was searching for CF specific info. Thanks
Two more great general resources for learning about website security are:
OWASP Top 10:
http://www.owasp.org/index....
Jarlsberg:
http://jarlsberg.appspot.com/
I have not had time to go through Jarlsberg completely, but from what I've seen it's a really nice introduction to identifying security problems by example.
Thank you for the links, useful.
"Security is an ongoing, ever present concern."
My fellow developer in a bank says "Security is a process".
I'd, like Sarah Kelly, recommend the extensive security series Jason Dean has created on his website: http://www.12robots.com/ind...
I learned a lot from them, not only locking down your server but also on how to program with security in mind.
And for those of you on ACF8: http://www.adobe.com/devnet...
Here you can find similar documents for earlier versions of ACF, as many companies haven't made the jump to ACF9.
For Railo users: Hmmm, documentation still needs to improve. Googling doesn't really provide me with the desired information, not like ACF. Locking down the Administrator is possible, but otherwise I guess one has to follow the guidelines set out by Adobe.
Might I suggest http://www.rachaelandtom.in... for some practical advice too?