I'm starting a new series on Secure Application Development with ColdFusion

Looking around at conference schedules, documentation, and blog postings, there seems (to me) to be a real lack of quality postings and presentations about Application Security using ColdFusion that extend beyond the usual "use <cfqueryparam>" and "Don't log into your dbms as root or SA".

While both of those things are VERY good advice, I fear that many developers think that if they do these few checklist items, that they will be writing completely secure applications.

So, what am I going to do about it?

I'm glad you asked. I am going to begin a blog post series on Application Security and how to implement security best practices in your ColdFusion code. I will probably cover the basics (like `<cfqueryparam>` and other simple solutions) for the n00bs, but I will also be covering advanced topics in application security of which even some of the veteran coders may not be aware. I have been studying Application Security for a while now, and the more I learn and talk to people about it, the more I realize that most developers have very little knowledge of the subject beyond the basics.

Last night I sat down and brainstormed a list of topics that I plan to blog about. This list only scratches the surface of what I can (and will) discuss; it is more of an off-the-top-of-my-head list. There are many subjects that I will eventually cover that I have yet to learn about, so this will be a learning exercise for me as well. Many of the items in the list below are too broad to cover in a single posting, so I will probably have series within series (nested series?).

Topic List (In no particular order):

  • Cross-Site Scripting (XSS) (The Basics and Beyond)
  • SQL Injection (of course :)
  • Cross-Site Request Forgery (XSRF)
  • Ajax Security
  • Form Security (Input Validation, Source Validation, Form Interception)
  • Data Scrubbing Concerns (Clean on the Way In or the Way Out)
  • Remote Service Layers
  • Authentication and Authorization
  • Spoofing
  • Cookies (and why they suck)
  • Session Management
  • Session Hijacking
  • Database Security (more to it than you might think)
  • Shared Hosting Concerns
  • Password Management and Best Practices
  • Encryption, Hashing and Rainbows (these rainbows are not pretty)
  • SSL
  • Custom Tag Security
  • Flash/Flex Remoting (I'm still learning about this one so don't expect it for a while)
  • ColdFusion Mappings
  • And more...

So, I would like to know who is interested in such a series? It is a very broad topic and will keep me busy for a while. My general plan is to explain the vulnerability/exploit and then show how to code against it using ColdFusion.

Also, I would like to know if you feel like I have missed anything major in this list. Like I said, I know there is a lot to cover, but if you think a good subject is missing or that one of these subjects should "rise to the top", I would love to hear about it.

Comments
Sounds nice and it definitely will be useful for new guys.

# Posted By Ed | 5/6/08 12:17 PM
Great idea! Thank you!

# Posted By Aaron Longnion | 5/6/08 1:07 PM
Always good to hear more about security!

# Posted By Daniel Sellers | 5/6/08 1:09 PM
Sounds like a great idea!

# Posted By Chris | 5/6/08 1:36 PM
I'm having a hard time trying to find information on the subject, let alone code that shows you how to do things.

I would be really interested in the whole series.

When's the first article coming out? ;)

# Posted By Fernando Lopez | 5/6/08 1:39 PM
Sign me up!

How about adding:

* Why adding CAPTCHA doesn't make your application secure.

# Posted By Jeffrey Price | 5/6/08 1:44 PM
Thanks for the great feedback, everyone.

@Fernando - I will try to have the first article out later today. It will likely be a short one. I am processing 300,000 huge records in Oracle on this machine right now and it is DRAGGIN', and my Interwebs at home are on the fritz :( So hopefully today.

@Jeffrey - That's an interesting idea. I had not thought of people thinking that captcha was a form of security instead of just thinking that it was a huge pain.

# Posted By Jason Dean | 5/6/08 1:58 PM
This sounds very informative and I look forward to the first installment.

# Posted By Michael Brennan-White | 5/6/08 5:19 PM
Sign me up, would love to learn more on hardening CF. Thanks for doing it.

# Posted By felix | 5/7/08 12:31 AM
In your first paragraph, your cfqueryparam tag is being treated by the browser as an HTML tag, i.e. it's not being rendered to the screen. You'll need to escape your > and <.

# Posted By duncan | 5/7/08 2:52 AM
I'd like to hear more!

# Posted By Tom K | 5/7/08 3:35 AM
@duncan

Thanks, got it!

# Posted By Jason Dean | 5/7/08 4:04 AM
Sounds like a great blog series! And it looks like you've got enough to keep you busy writing for a very long time. I'm looking forward to seeing what you've got to say.

P.S. I HATE captchas. I'm now on the 5th try trying to get it correct. Is that the letter O or the number 0, etc!!

# Posted By Richard Davies | 5/7/08 3:14 PM
I also would be very interested in reading this. Your timing is perfect too, as I am beginning to develop an enterprise app now and want to make sure it is as secure as possible.

Thank you for writing this series.
# Posted By Barry Crowley | 5/27/08 9:07 AM
@Barry - Great! Glad to hear it will be of some use.

Not sure if you saw, but I have already begun the series. You can find all of the security posts at

http://www.12robots.com/index.cfm/Security

I hope to have the next one out later this week.
# Posted By Jason Dean | 5/27/08 9:56 AM
Yes... and I would like more info on CFEXECUTE, securing it and using it in a production environment.
# Posted By jason | 5/14/09 10:05 AM
Excellent idea.

How about adding Regular Expression pattern matching to block XSS?
# Posted By Eddie | 11/12/10 6:04 PM
@eddie,

The problem with using Regex (or anything) to try to stop XSS is that it is impossible to know all of the different patterns that could be used to deploy XSS payloads. There are so many different ways of encoding characters, and there are so many contexts into which XSS can be injected, that it would just be too hard to maintain.

Did you know that in certain contexts it's possible to write an XSS payload using nothing but letters, numbers, parentheses, and periods? How would I write something to stop that?
# Posted By Jason Dean | 11/13/10 5:48 PM
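To illustrate the point made in the reply above, here is an added example (not code from the blog or its author) contrasting a regex blacklist with context-specific output encoding. The blacklist, the sample inputs and the `TagCollector` helper are constructed for this example; an HTML parser is used to show which inputs a browser would still treat as markup after each approach.

```python
import html
import json
import re
from html.parser import HTMLParser

# A blacklist filter of the kind asked about above: strip <script> blocks.
# Constructed for this example; it is the approach the reply argues against.
SCRIPT_BLOCK = re.compile(r"<script.*?>.*?</script>", re.DOTALL)

def regex_filter(untrusted: str) -> str:
    return SCRIPT_BLOCK.sub("", untrusted)

# Encoding for the context the value lands in; this is what actually stops XSS.
def encode_for_html(untrusted: str) -> str:
    # Escapes & < > " ' so the value is inert in element content or in a quoted
    # attribute. ColdFusion's encodeForHTML() serves the same purpose.
    return html.escape(untrusted, quote=True)

def encode_for_js_string(untrusted: str) -> str:
    # json.dumps yields a double-quoted JS string literal with quotes,
    # backslashes and control characters escaped; "<" is escaped as well so
    # the literal can never close an enclosing <script> element.
    return json.dumps(untrusted).replace("<", "\\u003c")

class TagCollector(HTMLParser):
    """Records the start tags an HTML parser actually sees in a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def tags_seen(fragment: str) -> list:
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags

# Constructed inputs the literal, lower-case regex does not cover: a change of
# case, a tag that is not <script> at all, and a value that breaks out of a
# quoted attribute. The blacklist leaves all three as live markup.
SAMPLES = ["<ScRiPt>x</ScRiPt>", "<img src=x onerror=x>", '"><b>x</b>']

if __name__ == "__main__":
    for s in SAMPLES:
        print("filtered:", tags_seen(regex_filter(s)))     # tags survive
        print("encoded :", tags_seen(encode_for_html(s)))  # no tags at all
```

Adding more patterns to `SCRIPT_BLOCK` only chases the next variant; encoding for the output context neutralizes the whole class regardless of how the input is spelled.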
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.