> Yeah, that's as far as I got also. For reference, here are a few links I
> found. I apologize if I am not knowledgeable in this, because I'm not.
> Hence the reason I'm asking.
>
> http://iase.disa.mil/stigs/ - Official (to the extent that it's the first
> result on Google not about TopGear and has a .mil domain). "The STIGs
> contain technical guidance to "lock down" information systems/software
> that might otherwise be vulnerable to a malicious computer attack."
>
> http://www.stigviewer.com/ - Is supposed to be the guidelines in a
> searchable format. It's fairly recent (as of January 2014).
>
> I don't see anything relating to ColdFusion directly, which makes me
> question as to whether it's A) applicable or B) under some other naming /
> category.
I haven't looked at the second link, but the first one is correct. There's a zip file you can download from there that has STIGs for application servers. The zip file contains another zip file, which in turn contains an XML doc and an XSL stylesheet. If you extract both to a directory and open the XML file, your browser should be able to display it properly.

There's plenty of stuff in there that applies to CF, although it's not specific to CF at all. It directly targets J2EE application servers. There isn't that much there that you should need to do that you're not already doing. If I recall correctly, there are items about:

- limiting concurrent logins from a single user,
- encrypting everything in transit, including database connections (you might not be doing that),
- using roles to limit user actions,
- reviewing mobile code (in other words, JavaScript) to prevent XSS, etc.

You don't have to have different database user accounts to comply with the DoD STIGs, but you should separate administrative access from regular user access wherever possible according to the STIGs, and using different user accounts (and therefore datasources) is a good thing to do to make that happen.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357905
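The reply above describes a manual workflow: unpack a zip inside a zip, open the XCCDF XML in a browser, and read through it looking for the items that apply to a ColdFusion deployment. The script below is an added example, not code from the post, from DISA or from Fig Leaf, that does the same thing offline: it pulls the XML out of the nested archive, flattens the Benchmark/Group/Rule structure, and filters rules by keyword so you can build a review checklist. It assumes the XML is an XCCDF 1.1 benchmark (the namespace DISA publishes under). The benchmark embedded at the bottom is constructed for illustration; its IDs (`V-EXAMPLE-*`, `SV-EXAMPLE-*`) and text are made up and are not real STIG findings.

```python
"""Extract and keyword-filter rules from a DISA STIG download (zip-in-zip + XCCDF).

Added example; not from the post, DISA or Fig Leaf. Assumes XCCDF 1.1 markup.
The SAMPLE_XCCDF benchmark below is constructed and its IDs are fictitious.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def find_xccdf_in_nested_zip(outer_zip_bytes):
    """Return (member name, xml bytes) for the first .xml one or two zip
    levels down; the .xsl stylesheet shipped beside it is skipped."""
    with zipfile.ZipFile(io.BytesIO(outer_zip_bytes)) as outer:
        for name in outer.namelist():
            if name.lower().endswith(".xml"):
                return name, outer.read(name)
            if name.lower().endswith(".zip"):
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                    for inner_name in inner.namelist():
                        if inner_name.lower().endswith(".xml"):
                            return inner_name, inner.read(inner_name)
    raise ValueError("no .xml member found in the archive")


def _strip_pseudo_tags(text):
    """STIG descriptions carry escaped <VulnDiscussion> style tags; drop them."""
    return " ".join(re.sub(r"<[^>]+>", " ", text or "").split())


def parse_rules(xml_bytes):
    """Flatten Benchmark/Group/Rule into a list of dicts, one per Rule."""
    root = ET.fromstring(xml_bytes)
    rules = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            rules.append({
                "group": group.get("id"),
                "id": rule.get("id"),
                "severity": rule.get("severity", "unknown"),
                "title": _strip_pseudo_tags(rule.findtext("x:title", "", NS)),
                "description": _strip_pseudo_tags(rule.findtext("x:description", "", NS)),
                "check": _strip_pseudo_tags(rule.findtext("x:check/x:check-content", "", NS)),
                "fix": _strip_pseudo_tags(rule.findtext("x:fixtext", "", NS)),
            })
    return rules


def search_rules(rules, *keywords):
    """Case-insensitive substring match of any keyword against title,
    description, check and fix text; highest severity first, then by id."""
    needles = [k.lower() for k in keywords]
    hits = [r for r in rules
            if any(n in " ".join((r["title"], r["description"], r["check"], r["fix"])).lower()
                   for n in needles)]
    return sorted(hits, key=lambda r: (SEVERITY_ORDER.get(r["severity"], 9), r["id"]))


def format_checklist(rules):
    """One line per rule, the shape you would paste into a review ticket."""
    return "\n".join(f"[{r['severity']:>6}] {r['id']}: {r['title']}" for r in rules)


# Constructed sample benchmark (fictitious IDs and text, not a DISA STIG).
SAMPLE_XCCDF = b"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Constructed_Sample">
  <title>Constructed sample benchmark, not a DISA STIG</title>
  <Group id="V-EXAMPLE-1"><title>Concurrent sessions</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="medium" weight="10.0">
      <title>The application server must limit concurrent sessions per user.</title>
      <description>&lt;VulnDiscussion&gt;Unlimited sessions ease account abuse.&lt;/VulnDiscussion&gt;</description>
      <check system="C-EXAMPLE-1"><check-content>Review the session limit setting.</check-content></check>
      <fixtext fixref="F-EXAMPLE-1">Configure a per-user session cap.</fixtext>
    </Rule></Group>
  <Group id="V-EXAMPLE-2"><title>Data in transit</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="high" weight="10.0">
      <title>Database connections must be encrypted.</title>
      <description>&lt;VulnDiscussion&gt;Cleartext JDBC traffic exposes credentials.&lt;/VulnDiscussion&gt;</description>
      <check system="C-EXAMPLE-2"><check-content>Inspect each datasource for TLS.</check-content></check>
      <fixtext fixref="F-EXAMPLE-2">Enable TLS on every JDBC datasource.</fixtext>
    </Rule></Group>
  <Group id="V-EXAMPLE-3"><title>Mobile code</title>
    <Rule id="SV-EXAMPLE-3_rule" severity="medium" weight="10.0">
      <title>JavaScript must be reviewed before deployment.</title>
      <description>&lt;VulnDiscussion&gt;Unreviewed client script enables XSS.&lt;/VulnDiscussion&gt;</description>
      <check system="C-EXAMPLE-3"><check-content>Ask for the mobile code review record.</check-content></check>
      <fixtext fixref="F-EXAMPLE-3">Review and sign off all JavaScript.</fixtext>
    </Rule></Group>
</Benchmark>
"""


def build_sample_download():
    """Pack the sample the way the download is laid out: zip inside zip,
    stylesheet beside the XML. Constructed so the example runs offline."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("U_Sample_STIG_Manual-xccdf.xml", SAMPLE_XCCDF)
        z.writestr("STIG_unclass.xsl", b"<xsl:stylesheet/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("U_Sample_STIG.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    _, xml_bytes = find_xccdf_in_nested_zip(build_sample_download())
    all_rules = parse_rules(xml_bytes)
    print(format_checklist(search_rules(all_rules, "database", "session", "javascript")))
```

To use it on a real download, replace `build_sample_download()` with the bytes of the zip from the DISA site and search for the terms that match your stack (for example "datasource", "session", "TLS", "JavaScript"); a search for "ColdFusion" will return nothing, which is the point the reply makes: the rules target J2EE application servers generically, so you find the applicable ones by what they require rather than by product name.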