Title: RE: [CFCDev] implicit invocation security concerns

Mach-II isn't a security risk at all; it's no more a security risk than actual hand-code you write. The only concerning part that I would potentially flag is the config.xml being exposed to the web (if it's got sensitive data inside). This is easily fixed by either hiding it under the webroot, or naming it config.cfm and putting an application.cfm in the same dir that has <cfabort>.

The purpose of Mach-II in the end was to enable your Presenter and View access to your abstract model (that's my thoughts anyway). Mach-II really only takes charge of how your presenter/controller works while also allowing you to piece clumps of UI together. It does this by formulating an event process to the point where you can intercept events for specific needs or simply keep a nice consistent re-useable Web-based workflow.

The fact its "implicit invocation security" was even mentioned shows that most likely BuzzWord bingo is being played here. Ask him what airline article he dug that up from - or if you want to keep your job - simply ask "How do you mean? What are your concerns?".

Scott.
 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of David Ross
> Sent: Wednesday, 12 January 2005 8:40 AM
> To: [email protected]
> Subject: Re: [CFCDev] implicit invocation security concerns
>
> tell him he should provide some basis for his opinion (I'd
> honestly like to know what it is... we all know he's FOS, but
> it's interesting to listen to the hairbrain reasoning of others).
>
> -Dave
>
> >>> [EMAIL PROTECTED] 01/11/05 5:02 PM >>>
> A client of mine said that he was concerned with Mach-ii
> because he was worried about implicit invocation security
> concerns. I've searched around but I haven't been able to get
> much information about implicit invocation and security and
> nothing about Mach-ii security concerns. How do I reply to
> his query in a way that will make him confident in the framework?
>
>
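
The config-file exposure raised in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Mach-II: it walks a webroot and reports each Mach-II config as guarded or exposed. It assumes a config is recognisable by a `<mach-ii>` root element, that the web server returns `.xml` files verbatim, and that only an `Application.cfm` in the same directory counts as a guard; the function names and the sample tree are constructed for illustration.

```python
import os, re, tempfile
# Assumption: a Mach-II config is recognised by its <mach-ii> root element.
MACHII_ROOT = re.compile(r"<mach-ii[\s>]", re.I)
CFABORT = re.compile(r"<cfabort\b", re.I)

def is_guarded(directory):
    """True if this directory's Application.cfm contains <cfabort>."""
    for name in os.listdir(directory):
        if name.lower() == "application.cfm":
            with open(os.path.join(directory, name), errors="replace") as fh:
                return bool(CFABORT.search(fh.read()))
    return False

def audit_webroot(webroot):
    """Map each Mach-II config under webroot to 'guarded' or 'EXPOSED'."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in (".xml", ".cfm"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                if not MACHII_ROOT.search(fh.read(65536)):
                    continue
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            if ext == ".cfm" and is_guarded(dirpath):
                findings[rel] = "guarded"
            else:  # static .xml (assumed served verbatim) or unguarded .cfm
                findings[rel] = "EXPOSED"
    return findings

def make_sample_tree():
    """Constructed sample webroot covering the three cases."""
    root = tempfile.mkdtemp()
    config = '<mach-ii version="1.0"><properties/></mach-ii>\n'
    layout = {"app1/config/mach-ii.xml": config,
              "app2/config/config.cfm": config,
              "app2/config/Application.cfm": "<cfabort>\n",
              "app3/config/config.cfm": config}
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(audit_webroot(make_sample_tree()))
```

A config renamed to `.cfm` without the aborting `Application.cfm` is still reported as exposed, because the CFML engine emits the non-CFML markup in the response body.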
