Correcting the installer won't solve all problems, but it should not be the
CAUSE of problems.

"Hey sys admin, I'm going to make your day!  Here's an app which we KNOW has
security issues and requires a lot of maintenance. You're going to have to
become an expert in this new technology, invest even more time patching it
and discover security leaks you won't even be informed about, it'll be your
job to tell the app vendor about that, too!  

In addition, the company that produces the application got hacked recently
and the hackers got a lot of user data.  But we developers, we're not
worried about this because if our server gets hacked (through widely
published methods well known by the hacker community), it's all YOUR fault!
I mean, it's not like you've got anything better to do, is it?"

*sound of running feet and screaming*

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com] 
Sent: 29 March 2014 14:23
To: cf-talk
Subject: Re: "The long tail of ColdFusion fail"


> > > I also once had a client who did this, they were Linux heads who 
> > > thought that hiding the "sucky insecure windows/cf server" behind 
> > > a linux server and doing a reverse proxy would make it secure.
> >
> > There is no such thing as "make it secure", of course. But it is 
> > more secure. It solves one specific security problem - preventing 
> > executable code from being directly accessed from an untrusted 
> > network.
> >
> > > But of course it didn't as everything still works the same way, 
> > > the SQL injections still got through, the insecure file upload 
> > > forms still allowed files to be uploaded, which could then be 
> > > executed as they had cfexecute and cfregistry enabled.
> >
> > So what you're saying is that, despite the fact that the environment 
> > was (more) secure by default, developers accidentally wrote 
> > exploitable code?
> >
> > I have the feeling there's some lesson to be drawn from this. I 
> > wonder what it is?
>
> A locked door is useless if you leave the windows open.

I think we might be in agreement! But maybe for different reasons.

Setting up application servers to be secure is hard. Ensuring that
application code doesn't contain vulnerabilities is hard. And you're not
going to be able to solve security problems with an installer.
People need to know what they're doing. They need to have a base level of
competence at their jobs. No installer in the world is going to idiot-proof
web applications.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule,
and provides the highest caliber vendor-authorized instruction at our
training centers, online, or onsite.
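The quoted exchange above turns on one concrete failure: an upload form that accepted any file, so the attacker's upload was later executable on the server. The snippet below is an added illustration of the defender's side of that point and is not code from the cf-talk thread or from any ColdFusion product; it assumes a hypothetical upload policy (images and PDFs only) and an upload directory outside the web root. It checks the claimed extension against the file's leading bytes, never reuses the client-supplied name on disk, and refuses anything that does not match, which is the "close the windows" half that a hardened installer or a reverse proxy cannot do for you.

```python
import secrets
import tempfile
from pathlib import Path

# Hypothetical policy for a simple image/PDF upload form (assumption).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

# Leading bytes ("magic numbers") that identify each allowed format.
MAGIC_NUMBERS = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"%PDF-": ".pdf",
}


def sniff_extension(data: bytes):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Reject any upload whose claimed type and actual content disagree.

    Returns the extension to store the file under.  Raises ValueError on
    any policy violation so the caller never writes the bytes to disk.
    """
    claimed = Path(client_filename).suffix.lower()
    if claimed not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {claimed!r}")
    actual = sniff_extension(data)
    if actual is None:
        raise ValueError("content does not match any allowed format")
    # .jpg and .jpeg are the same format; everything else must match exactly.
    if actual != claimed and {actual, claimed} != {".jpg", ".jpeg"}:
        raise ValueError(f"claimed {claimed!r} but content looks like {actual!r}")
    return actual


def store_upload(client_filename: str, data: bytes, root: Path) -> Path:
    """Validate, then write the upload under a random name inside `root`.

    `root` is assumed to be outside the web root, so nothing stored here is
    ever served or executed by the application server.  The client-supplied
    name is never used on disk, so double extensions (shell.cfm.png) and
    path tricks cannot influence where the file lands.
    """
    ext = validate_upload(client_filename, data)
    dest = root / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Run the checks over constructed sample uploads and return the outcomes."""
    samples = {  # constructed sample inputs, not real uploads
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "shell.cfm": b"<cfexecute ...>",     # wrong extension
        "shell.png": b"<cfexecute ...>",     # allowed extension, wrong content
        "report.pdf": b"%PDF-1.4 ...",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            try:
                stored = store_upload(name, data, root)
                results[name] = ("accepted", stored.suffix)
            except ValueError as err:
                results[name] = ("rejected", str(err))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The two rejections in `demo()` are the cases the thread describes: a script file with its own extension, and the same script renamed to look like an image. Content sniffing alone is not a complete defence (a polyglot file can carry a valid image header), which is why the random name and the out-of-web-root directory matter as much as the checks.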



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358235
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm