Here is the pdf of the slides of my talk on Risk Management and ColdFusion Security at cf.Objective(ANZ) in Melbourne Australia. Download a PDF of my talk (480 Kb) or view on slide share. More information on some of the topics covered can be found in the related entries below. Any questions on my talk just comment below or email me.
Here is the code and a pdf of the slides of my talk on Risk Management and ColdFusion Security at cf.Objective() in Minneapolis USA.
More information on some of the topics covered can be found in the related entries below. I'll write up a couple of more blog posts covering the other topics in the slide deck in the near future.
Any questions on my talk just comment below or email me.
I'll be speaking about ColdFusion security and risk management at cf.Objective() in Minneapolis in April.
The speakers have been announced and the line up is fantastic. Good to see fellow Australian Mark Mandel speaking and many of the best known people in industry such as (in no particular order) Sean Corfield, Peter Bell, Tom Burleson, Charlie Arehart, Jeff Tapper, Raymond Camden, Rob Rusher and many more. Makes travelling the 14,000 or so kms (from Sydney) to get there well worth it.
The draft 2010 schedule is up now.
Most ColdFusion applications I'm come across tend to use a single datasource or if they use more than one the same user credentials are used. As well as causing possible performance and scalability issues this can be a security risk.
It's quite easy to restrict what SQL statements a datasource will run with the ColdFusion administrator.
No matter how secure your server is there exists the potential for someone to upload their own pages or modify existing pages on the server via an exploit of some sort. How can you detect this or stop this from happening?
A little ColdFusion code can help detect modified or unknown pages and stop these pages from running.
Consider the following code that implements a simple login.
select * from users
where name = '#form.login#' and password = '#form.password#'
// if login failed go back to login page
<cfif user.recordcount is 0>
One of the issues with this is that the password is stored in the database as plain text. Anything with access to the database (including your ColdFusion application) could possibly be used to get a list of all users and their passwords.