I'm starting a new series on Secure Application Development with ColdFusion

Looking around at conference schedules, documentation, and blog postings, there seems (to me) to be a real lack of quality postings and presentations about Application Security using ColdFusion that extend beyond the usual "use <cfqueryparam>" and "Don't log into your dbms as root or SA".

While both of those things are VERY good advice, I fear that many developers think that if they do these few checklist items, that they will be writing completely secure applications.

So, what am I going to do about it?

I'm glad you asked. I am going to begin a blog post series on Application Security and how to implement security best practices in your ColdFusion code. I will probably cover the basics (like and other simple solutions) for the n00bs, but I will also be covering advanced topics in application security of which even some of the veteran coders may not be aware. I have been studying Application Security for a while now and the more I learn and talk to people about it, the more I realize that most developers have very little knowledge of the subject beyond the basics.

Last night I sat down and brainstormed a list of topics that I plan to blog about. This list only scratches the surface of what I can (and will) discuss. This list is more an off-the-top-of-my-head list. There are many subjects that I will eventually cover that I have yet to learn about, so this will be a learning exercise for me as well. many of the items in the list below are too broad to cover in a single posting, so I will probably have series within series(nested series?).

Topic List (In no particular order):

• Cross-Site Scripting(XSS) (The Basics and Beyond)
• SQL Injection (of course :)
• Cross-Site Request Forgery(XSRF)
• Ajax Security
• Form Security(Input Validation, Source Validation, Form Interception)
• Data Scrubbing Concerns(Clean on the Way in or the way out)
• Remote Service Layers
• Authentication and Authorization
• Spoofing
• Cookies(and why they suck)
• Session Management
• Session Hijacking
• Database Security(more to it than you might think)
• Shared Hosting Concerns
• Password Management and Best Practices
• Encryption, Hashing and Rainbows9these rainbows are not pretty)
• SSL
• Custom tag security
• Flash/Flex Remoting(I'm still learning about this one so don't expect it for a while)
• ColdFusion Mappings
• And more...

So, I would like to know who is interested in such a series? It is a very broad topic and will keep me busy for a while. My general plan is to explain the vulnerability/exploit and then show how to code against it using ColdFusion.

Also, I would like to know if you feel like I have missed anything major in this list. Like I said, I know there is a lot to cover, but if you think a good subject is missing or that one of these subjects should "rise to the top", I would love to hear about it.