+1

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: 17 March 2014 22:40
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"

CF should install locked down out of the box; there really should be no need to follow a complex lockdown guide to make it secure.

On Mon, Mar 17, 2014 at 10:12 PM, Justin Scott <leviat...@darktech.org> wrote:

> > On another hand, why hasn't Adobe changed the way CF is installed if
> > it's not safe?
>
> Layers... it's all about layers. If a vulnerability is found in the
> CF admin or some other exposed piece, you don't want an attacker to be
> able to take over the whole operating system. The lockdown guide
> shows you how to configure everything around CF so that in the event
> of a breach you're not letting it be a path into your entire server.
> Many of the vulnerabilities found in CF wouldn't be a big deal if
> people configured the server CF runs on in a more secure manner. This
> is the whole reason the credit card companies bang the PCI-DSS drum
> so hard... they want multiple layers of security and access controls
> so that the failure of any one of those layers will not leave the
> entire system out in the open.
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358085