The importance of Mura (and Plugins)

What I've been thinking about

I've been thinking a lot lately about Blue River Interactive's Mura Content Management System (henceforth referred to as Mura CMS or just Mura), probably because I have been working a lot with it lately. I am in the process of converting a large, mostly static, web site to Mura, and I have been amazed by its power, versatility and ease-of-use. I have been especially pleased with how easy it is for me to make plugins for it.

While thinking about Mura, I have realized something important. Mura CMS is an incredible product with the potential to change the way that ColdFusion and CFML are viewed, and this needs to be recognized. It also has the potential to become a very popular, open source product used outside of the ColdFusion/CFML community.


XSS mitigation in ColdFusion, Part 1: Understanding HTML Contexts - Security Series #8.5.1

A long, long time has passed since my first post on Cross-Site Scripting. Looking back on it now, I realize that I have learned a lot since then. I do not think that post cuts the mustard anymore and I will need to do some writing to make up for that.

In the meantime, the topic of XSS came up on a discussion board a few weeks before I started writing this, and again on Ray's blog today, and I wanted to take some time to explore it in more depth. One common misconception about XSS mitigation in ColdFusion is that the best way to handle it is to use HTMLEditFormat() to output any user generated data. I had this same misconception for a long time and have helped to spread it.

While it is true that HTMLEditFormat() can stop many attacks in many locations in your applications, it is not a catch-all for XSS. HTMLEditFormat() only works in the HTML block content context of your applications. Your applications have several other contexts where, if you use dynamic code, you can open up XSS vulnerabilities that HTMLEditFormat() cannot stop.

In this post, we will discuss these contexts, what they are, and why they need to be treated differently.


The OWASP Top 10 for 2010 Release Candidate has been announced

I am pretty late in the game to blog about this, but I am going to do it anyway, because I can ;)

As many of you know, I am a very big fan of the Open Web Application Security Project (OWASP), and recently OWASP has announced the first release candidate of its Top 10 List for 2010.


Forget what you think you know about CFML - Twin Cities Language User Group

On Thursday evening (Nov 12, 2009 @ 5:30) I will be speaking to the Twin Cities Language User Group about CFML.

The Twin Cities Language User Group is, to me, a unique group. It is not focused on a particular language or family of languages; its concept seems to be to bridge the divide between languages and to expose developers to new ideas and methodologies. It seemed like a perfect place to pitch CFML and show other developers just how great CFML is.


Security Tip: New OWASP Blog and the OWASP Podcast

I've stated before how highly I think of the Open Web Application Security Project (OWASP), and I am now very glad to see that they have started a new blog. Hopefully the OWASP Blog will be a great resource for staying up-to-date on security-related current events, and for learning more about the status of on-going OWASP projects.


The Sun Presenter Console Extension for OpenOffice.org Impress

I have recently given up trying to keep up with Microsoft Office. I have nothing against the product, I just don't want to afford it. Especially when there is an excellent free alternative, namely OpenOffice.

I've been using OpenOffice Impress (the OpenOffice alternative to PowerPoint) for a while now, and I really like it. It has done everything that I have needed it to, until last month's Twin Cities ColdFusion User Group meeting.


A Security Project for CFML

So I thought I would take a few minutes and blog about what I am working on. I don't expect anyone to care. Feel free to stop reading. I just wanted to write about something that does not require hours of research. I also wanted to just write SOMETHING, to get me back into it so that I do not become too lax in my blogging.

OWASP ESAPI for CFML

This is something that I had not really planned on talking about until it was closer to usable. But it is also something that I was hoping would be closer to usable by now.


OWASP & FLOSS Application Security Mini-Conference 2008 - Tomorrow Oct 21, 2008

Tomorrow, October 21st, 2008, is the OWASP & FLOSS Application Security Mini-Conference 2008.

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. - OWASP Website


Google has Open Sourced RatProxy Security Tool

Google has announced that they have open-sourced RatProxy, which, according to the Google Code site is:

"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."


I want to give money to open source projects!

So why don't I just give them money? Well I have, just not in the way that I want to.

Here is how I see it. Open-source projects are usually on-going efforts. And on-going efforts need on-going support. Some of the open source projects ask for donations, but very few, if any, of them ask for recurring donations. Why is that? They have on-going expenses. Hosting costs, conference fees, travel expenses, etc.


BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.