ColdFusion Security and Risk Management at cf.Objective(ANZ) in Melbourne

Here is the pdf of the slides of my talk on Risk Management and ColdFusion Security at cf.Objective(ANZ) in Melbourne Australia. Download a PDF of my talk (480 Kb) or view on slide share. More information on some of the topics covered can be found in the related entries below. Any questions on my talk just comment below or email me.

ColdFusion Security at cf.Objective in Minneapolis

Here is the code and a pdf of the slides of my talk on Risk Management and ColdFusion Security at cf.Objective() in Minneapolis USA.

Download a PDF of my talk (470 Kb) or view on slide share.

More information on some of the topics covered can be found in the related entries below. I'll write up a couple of more blog posts covering the other topics in the slide deck in the near future.

Any questions on my talk just comment below or email me.

Speaking at cf.Objective() in Minneapolis in April

I'll be speaking about ColdFusion security and risk management at cf.Objective() in Minneapolis in April.

The speakers have been announced and the line up is fantastic. Good to see fellow Australian Mark Mandel speaking and many of the best known people in industry such as (in no particular order) Sean Corfield, Peter Bell, Tom Burleson, Charlie Arehart, Jeff Tapper, Raymond Camden, Rob Rusher and many more. Makes travelling the 14,000 or so kms (from Sydney) to get there well worth it.

The draft 2010 schedule is up now.

ColdFusion Securing Databases (part 2)

In ColdFusion Securing Databases (part 1) we looked at restricting what sql statements can be run with a datasource and partitioning applications to use multiple datasources and multiple users to improve security. In this article we'll look at setting the permissions on the database tables.

[More]

ColdFusion Securing Databases (part 1)

Most ColdFusion applications I'm come across tend to use a single datasource or if they use more than one the same user credentials are used. As well as causing possible performance and scalability issues this can be a security risk.

It's quite easy to restrict what SQL statements a datasource will run with the ColdFusion administrator.

[More]

ColdFusion Security - Detecting Modified Pages

No matter how secure your server is there exists the potential for someone to upload their own pages or modify existing pages on the server via an exploit of some sort. How can you detect this or stop this from happening?

A little ColdFusion code can help detect modified or unknown pages and stop these pages from running.

[More]

ColdFusion Securely Storing Passwords

Consider the following code that implements a simple login.

view plain print about
1<cfquery name="user" datasource="#request.dns#">
2select * from users
3where name = '#form.login#' and password = '#form.password#'
4</cfquery>
5
6// if login failed go back to login page
7
<cfif user.recordcount is 0>
8 <cflocation url="login.cfm">
9</cfif>

One of the issues with this is that the password is stored in the database as plain text. Anything with access to the database (including your ColdFusion application) could possibly be used to get a list of all users and their passwords.

[More]