Looking around at conference schedules, documentation, and blog postings, there seems (to me) to be a real lack of quality postings and presentations about Application Security using ColdFusion that extend beyond the usual "use <cfqueryparam>" and "Don't log into your dbms as root or SA".
While both of those things are VERY good advice, I fear that many developers think that if they do these few checklist items, they will be writing completely secure applications.
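To make the first checklist item concrete, here is an added illustration (my own example, not code from the original post) of the difference between building a query by string concatenation and binding the value with `<cfqueryparam>`. The datasource name `myDSN`, the `users` table and the `url.username` parameter are assumed for the sake of the example.

```cfml
<!--- Vulnerable form (do not use): the raw URL value is spliced into the SQL text,
      so anything the visitor puts in the parameter becomes part of the statement. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  username = '#url.username#'
</cfquery>

<!--- Parameterized form: the value is sent to the database as a bind parameter,
      never as SQL text. cfsqltype enforces the expected type and maxlength caps
      the size of what is accepted, regardless of what the visitor sends. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM   users
    WHERE  username = <cfqueryparam value="#url.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

The second checklist item pairs naturally with this: the account behind `myDSN` should have only the SELECT/INSERT/UPDATE rights the application actually needs, so that even a query that slips through unparameterized cannot do more than that account is allowed to do.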
So, what am I going to do about it?
I'm glad you asked. I am going to begin a blog post series on Application Security and how to implement security best practices in
your ColdFusion code. I will probably cover the basics (like
Last night I sat down and brainstormed a list of topics that I plan to blog about. This list only scratches the surface of what I can (and will) discuss; it is more an off-the-top-of-my-head list. There are many subjects that I will eventually cover that I have yet to learn about, so this will be a learning exercise for me as well. Many of the items in the list below are too broad to cover in a single posting, so I will probably have series within series (nested series?).
Topic List (In no particular order):
- Cross-Site Scripting (XSS) (The Basics and Beyond)
- SQL Injection (of course :)
- Cross-Site Request Forgery (XSRF)
- Ajax Security
- Form Security (Input Validation, Source Validation, Form Interception)
- Data Scrubbing Concerns (Clean on the Way In or the Way Out)
- Remote Service Layers
- Authentication and Authorization
- Cookies (and why they suck)
- Session Management
- Session Hijacking
- Database Security (more to it than you might think)
- Shared Hosting Concerns
- Password Management and Best Practices
- Encryption, Hashing and Rainbows (these rainbows are not pretty)
- Custom tag security
- Flash/Flex Remoting (I'm still learning about this one, so don't expect it for a while)
- ColdFusion Mappings
- And more...
So, I would like to know who is interested in such a series? It is a very broad topic and will keep me busy for a while. My general plan is to explain the vulnerability/exploit and then show how to code against it using ColdFusion.
Also, I would like to know if you feel like I have missed anything major in this list. Like I said, I know there is a lot to cover, but if you think a good subject is missing or that one of these subjects should "rise to the top", I would love to hear about it.