Class Software - Security

ColdFusion Security at cf.Objective in Minneapolis

Tue, 27 Apr 2010 10:01:00 +1000

Here is the code and a pdf of the slides of my talk on Risk Management and ColdFusion Security at cf.Objective() in Minneapolis USA. Download a PDF of my talk (470 Kb) or view on slide share. More information on some of the topics covered can be found in the related entries below. I'll write up a couple of more blog posts covering the other topics in the slide deck in the near future. Any questions on my talk just comment below or email me.

Speaking at cf.Objective() in Minneapolis in April

Mon, 11 Jan 2010 10:30:00 +1000

I'll be speaking about ColdFusion security and risk management at cf.Objective() in Minneapolis in April. The speakers have been announced and the line up is fantastic. Good to see fellow Australian Mark Mandel speaking and many of the best known people in industry such as (in no particular order) Sean Corfield, Peter Bell, Tom Burleson, Charlie Arehart, Jeff Tapper, Raymond Camden, Rob Rusher and many more. Makes travelling the 14,000 or so kms (from Sydney) to get there well worth it. The draft 2010 schedule is up now.

ColdFusion Securing Databases (part 2)

Sun, 13 May 2007 06:42:00 +1000

In ColdFusion Securing Databases (part 1) we looked at restricting what sql statements can be run with a datasource and partitioning applications to use multiple datasources and multiple users to improve security. In this article we'll look at setting the permissions on the database tables. [More]

ColdFusion Securing Databases (part 1)

Mon, 07 May 2007 16:25:00 +1000

Most ColdFusion applications I'm come across tend to use a single datasource or if they use more than one the same user credentials are used. As well as causing possible performance and scalability issues this can be a security risk. It's quite easy to restrict what SQL statements a datasource will run with the ColdFusion administrator. [More]

ColdFusion Security - Detecting Modified Pages

Wed, 25 Apr 2007 11:52:00 +1000

No matter how secure your server is there exists the potential for someone to upload their own pages or modify existing pages on the server via an exploit of some sort. How can you detect this or stop this from happening? A little ColdFusion code can help detect modified or unknown pages and stop these pages from running. [More]

ColdFusion Securely Storing Passwords

Sat, 31 Mar 2007 16:44:00 +1000

Consider the following code that implements a simple login.



select * from users
where name = '#form.login#' and password = '#form.password#'


// if login failed go back to login page

One of the issues with this is that the password is stored in the database as plain text. Anything with access to the database (including your ColdFusion application) could possibly be used to get a list of all users and their passwords. [More]