What is the best way to secure your website? Like prevent people from being in certain folders / pages and all around hacked. I know nothing is 100%. I do have an old CF 7 book by Ben Forta, but I feel it's too out of date. Any advice and direction would be great.
Thanks
There is no 'silver bullet' when it comes to security. However, you'll find a lot of helpful tips from people like Pete Freitag and Jason Dean.
Search for their blogs - they're great.
Here's something to get you started from Pete: http://www.petefreitag.com/item/647.cfm
Pete also runs http://hackmycf.com/ that will scan your site(s) for common mistakes and alert you to them. It's 100% safe - Pete won't take advantage of any of these vulnerabilities if they exist.
Adobe also has a CF9 Security Lockdown Guide available:
http://www.adobe.com/products/coldfusion/whitepapers/
This is a very broad question with a very long answer. I'll second the recommendation to check out Pete and Jason's blogs - they're both very knowledgeable about security.
There are many different aspects of security you need to address. First, you need to ensure that your infrastructure is secure. This includes the operating systems of the servers that host your website and database, and the actual services used to do that hosting: web server software, remote filesystem access like FTP, CF, your database server software (in that order, generally). It includes the application code that you write (queries, file uploads, preventing XSS payloads from being stored in your database or executed by your application, how you store and work with passwords or hashes). Finally, it includes the practices you use to access this application and monitor it.
Rather than write a book about all that stuff here, I'll direct you to a couple of resources that might be useful. I have a list of CF security links here:
http://www.delicious.com/figcto/coldfusion+security
The first one is the Adobe ColdFusion 9 Lockdown Guide, written by Pete (I think) - it's very good and addresses most of the CF-specific deployment security issues.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
@Dave - I do think you're right about it being written by Pete. I think it's an updated version of the one I linked to.
Next you will ask how to keep your daughter from dating bikers
Thanks for the plug Todd and Dave.
I have written several posts on ColdFusion security over the last couple years, and I plan to do more. You'll find them here:
http://www.12robots.com/index.cfm/Security
I also have a few online presentations floating around.
http://tv.adobe.com/watch/max-2010-develop/securing-coldfusion-applications/
http://adobechats.adobe.acrobat.com/p90448467/
http://textiles.online.ncsu.edu/online/Catalog/pages/catalog.aspx?catalogId=a846846f-1801-4d28-a0a7-3f3f61dcc161
Good luck
Jason
In addition to the resources already mentioned, I would also review the Open Web Application Security Project. Their web site posts an annual top ten list of common vulnerabilities and a wiki that covers principles of web site security.
Thanks for the plugs as well guys, and yes I was the one who wrote the Adobe CF9 Lockdown Guide.
If you are looking for a place to start, I would suggest looking into SQL Injection. It is one of the most common types of vulnerabilities in Web Apps, very dangerous, and also usually pretty easy to fix in ColdFusion.
As already mentioned the OWASP is a great place to look for info.
You can find all my security related blog entries here: http://www.petefreitag.com/tag/security as well as some presentations.
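The SQL injection fix Pete refers to, as an added example that is not code from this thread or from any of the linked guides: a query that concatenates request input into the SQL text, beside the same query bound with cfqueryparam, plus the allowlist you need for the one case cfqueryparam cannot cover. The datasource, table and column names are assumed for illustration.

```cfml
<!--- Vulnerable: url.id is pasted straight into the SQL text, so whatever the
      client sends becomes part of the statement instead of being treated as
      a value. This is the pattern to search your code base for. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam sends the SQL text and the value to the database
      separately, so the input can never change the statement's structure.
      cfsqltype also validates the input up front: a non-integer value raises
      a ColdFusion error before the query is ever sent. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same protection in CFScript using the CF9 Query object. maxlength
      rejects oversized input in addition to binding it as a parameter. --->
<cfscript>
    q = new Query();
    q.setDatasource("myDSN");
    q.setSQL("SELECT id, username, email FROM users WHERE username = :uname");
    q.addParam(name="uname", value=form.username,
               cfsqltype="cf_sql_varchar", maxlength=50);
    result = q.execute().getResult();
</cfscript>

<!--- cfqueryparam binds values only, never identifiers. A sort column or
      table name taken from the request has to be checked against a fixed
      allowlist; anything not on the list falls back to a safe default. --->
<cfset allowedSort = ["username", "email"]>
<cfif ArrayFindNoCase(allowedSort, url.sort) GT 0>
    <cfset sortCol = url.sort>
<cfelse>
    <cfset sortCol = "username">
</cfif>
<cfquery name="listUsers" datasource="myDSN">
    SELECT id, username, email
    FROM users
    ORDER BY #sortCol#
</cfquery>
```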