I'm sure all web-platforms suffer from their share of security headaches. However, I think the issue here is not whether Coldfusion is or is not up to the job but that Macromedia has done a poor job documenting security issues and providing guidelines.
 
By contrast Microsoft released a 608 book about building secure asp.net applications. If you are interested, you can download it here.
 
http://msdn.microsoft.com/library/default.asp?url=""
 
Cheers, Pete (aka lad4bear)

 
On 23/08/05, John Farrar <[EMAIL PROTECTED]> wrote:
Cameron... not that I disagree with you at all. In fact we are truly in
agreement on security practice. My question is you cited CF... so is there
a language that is not dominated by many developers writing insecure
software? (Web or otherwise?)

John Farrar

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of Cameron Childress
Sent: Tuesday, August 23, 2005 3:14 PM
To: CFCDev@cfczone.org
Subject: RE: [CFCDev] OT: ColdFusion Security : oWasp Top Ten

Peter,

I've also found a huge gap in security advice on developing ColdFusion
applications.  There are a lot of poor programming practices out there when
it comes to security and a lot of people are surely doing it the wrong way
every day simply because no-one ever told them why they should do it another
way.

I gave a presentation to the San Diego ColdFusion User Group on
security/ColdFusion a few months ago (just after attending a 3 day Software
Security Summit conference).  I think it touches on most issues but most of
the in depth stuff was verbal in the preso.  Let me see if I can find the
PPT and I'll send it to you offlist.

I would also very highly recommend downloading Dean Saxe's PPT from the July
2004 ACFUG meeting "Web Application Security: Applying the Principals of
Defense in Depth in Your Applications"
(http://www.acfug.org/index.cfm?fa=meetings.meetingdetail&EventID=52).  His
PPT is a bit more complete than mine with very good notes on each slide, but
I think it's a little less CF specific.  Dean's an old school CF guy and
currently works as a Senior Consultant at Foundstone, a Security Consulting
company.

-Cameron

-----------------
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell:  678.637.5072
aim:   cameroncf
email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Peter Hardy
Sent: Monday, August 22, 2005 5:54 PM
To: CFCDev@cfczone.org
Subject: [CFCDev] OT: ColdFusion Security : oWasp Top Ten


Hi Guyz,

This one is off topic but any advice or links to good docs appreciated.

As part of my job I've been asked to look at two separate areas, frameworks
and security. The frameworks side of things is going pretty well but the
security side not so well.

I want to (at least) ensure I've covered the oWasp Top 10. I figured I'd
review the list and then start hunting for documentation on each.
Unfortunately, Coldfusion security docs seem to be thin on the ground.

I've included a link to the oWasp site below and would be keen to hear how
people are implementing security and any tips / sample code you might have
for each point mentioned.

http://www.owasp.org/documentation/topten.html

I'm especially interested in hearing from people implementing security in
model-glue apps.

Cheers, Pete (aka lad4bear)


----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to
cfcdev@cfczone.org with the words 'unsubscribe cfcdev' as the subject of the
email.

CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
(www.cfxhosting.com).

CFCDev is supported by New Atlanta, makers of BlueDragon
http://www.newatlanta.com/products/bluedragon/index.cfm

An archive of the CFCDev list is available at
www.mail-archive.com/cfcdev@cfczone.org
