I like this analogy... You buy a new Ford Fusion. Ford tells you about how closing the doors and locking it is a security feature. Then, you go park in a high crime area with the car running, keys in the ignition and the doors wide open.
So who is responsible when the car gets stolen? (The media would report an issue with Ford door locks.) :)

Steve

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Wednesday, March 26, 2014 9:57 AM
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"

> CF should install locked down out of the box, there really should be no
> need to follow a complex lockdown guide to make it secure.

That sounds great in theory, but I don't think it would work well in reality. Whenever you install server software, you are responsible for understanding how it works, and for making tradeoffs between security and functionality. Adobe doesn't know how exactly you're going to use CF, and what tradeoffs you're willing to accept. Those are going to be radically different between various developers and administrators, and even radically different from one project to the next. There's no substitute for basic knowledge here - it's just that simple.

If you really think Adobe is responsible for your server's security, and should be installed "locked down out of the box", you must have a different idea of what locked down means than I do. Adobe is responsible for vulnerabilities in the CF Administrator, but you are responsible for ensuring that the CF Administrator isn't exposed to untrusted networks. It's a web application, just like any other.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.