<?xml version="1.0" encoding="utf-8"?>
			
			<rss version="2.0">
			<channel>
			<title>12Robots.com - Jason Dean - ColdFusion</title>
			<link>http://www.12robots.com/index.cfm</link>
			<description>ColdFusion, Database, MVC, Frameworks, Security and whatever</description>
			<language>en-us</language>
			<pubDate>Mon, 06 Sep 2010 19:31:55 -0500</pubDate>
			<lastBuildDate>Wed, 01 Sep 2010 08:07:00 -0500</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>jason@12robots.com</managingEditor>
			<webMaster>jason@12robots.com</webMaster>
			
			
			
			
			
			<item>
				<title>Wha sup, yo?</title>
				<link>http://www.12robots.com/index.cfm/2010/9/1/Wha-Sup-yo</link>
				<description>
				
				Wow. Things have been busy and I have been neglecting my blog. I feel bad about that. My blog is so important to me, and things have been keeping me away. 

I am a teacher at heart. I love to teach. That is why I blog, that is why I present at conferences, and that is why I am going to grad school. So the fact that I have been unable to blog for a while upsets me greatly. But I want to tell you a little bit about why. This is not about making excuses.  This is about what is keeping me busy and what I am learning about. It will also motivate me to blog about these things, and that&apos;s the important part.
				 [More]
				</description>
						
				
				<category>Tomcat</category>				
				
				<category>General</category>				
				
				<category>Conferences</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<category>School</category>				
				
				<category>Database</category>				
				
				<pubDate>Wed, 01 Sep 2010 08:07:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/9/1/Wha-Sup-yo</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>My Presentation slides from cf.Objective, NCDevCon, and CFUnited</title>
				<link>http://www.12robots.com/index.cfm/2010/8/19/My-Presentations-slides-from-cfObjective-NCDevCon-and-CFUnited</link>
				<description>
				
				I keep forgetting to do this. Sorry :(

I have given three presentations so far this year, and I will have two or three more yet before the end of the year. Here are the slides for the first three in both Keynote and PDF formats.
				 [More]
				</description>
						
				
				<category>ColdFusion</category>				
				
				<category>JavaScript</category>				
				
				<category>AIR</category>				
				
				<category>Security</category>				
				
				<category>jQuery</category>				
				
				<category>cf.Objective()</category>				
				
				<pubDate>Thu, 19 Aug 2010 07:14:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/8/19/My-Presentations-slides-from-cfObjective-NCDevCon-and-CFUnited</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Adding more resource navigator filters to ColdFusion Builder (Eclipse)</title>
				<link>http://www.12robots.com/index.cfm/2010/8/10/Adding-more-resource-navigator-filters-to-ColdFusion-Builder-Eclipse</link>
				<description>
				
				One thing that has always bugged the crap out of me is our inability to add additional resource filters to the navigator view in Eclipse.  Specifically, I mean these:

&lt;img src=&quot;http://www.12robots.com/images/resourceFilters.png&quot;&gt;

Resource filters are very useful little tools that will hide anything that matches the filter from the navigator view. Which is great for things like .svn folders or any other crap you don&apos;t feel like you need distracting you at the moment. Like if you want to hide all the images in a project so that it is not as cluttered.  But for some reason, we have never been able to add our own filters. So I can&apos;t, for example, hide the stupid Settings.xml file that CFB likes to add to my projects or the .settings folder. Grrrrr!!
				 [More]
				</description>
						
				
				<category>Tip</category>				
				
				<category>Eclipse</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Tue, 10 Aug 2010 12:19:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/8/10/Adding-more-resource-navigator-filters-to-ColdFusion-Builder-Eclipse</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Using Asymmetric Cryptography in your ColdFusion Application - Security Series #16.10</title>
				<link>http://www.12robots.com/index.cfm/2010/7/19/Using-Asymmetric-Cryptography-in-your-ColdFusion-Application--Security-Series-1610</link>
				<description>
				
				A reader emailed me and asked:

&lt;blockquote&gt;
I have a question re asymmetric encryption and the best way to achieve it....

I need to encrypt a CreditCard number on one server and store the encrypted string in a db and then 5 minutes later another server takes the card number off that DB and then needs to decrypt it. Any suggestions gratefully received :)
&lt;/blockquote&gt;

After an e-mail exchange we determined that we were NOT just talking about using SSL between ColdFusion and the DB and we determined that using a symmetric algorithm would not be acceptable to the credit card service. So it seems that this user really did need asymmetric encryption in his application.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 19 Jul 2010 05:03:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/7/19/Using-Asymmetric-Cryptography-in-your-ColdFusion-Application--Security-Series-1610</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>My 10 ideas to improve security in ColdFusion 10 (Link)</title>
				<link>http://www.12robots.com/index.cfm/2010/7/12/My-10-ideas-to-improve-security-in-ColdFusion-10</link>
				<description>
				
				A few weeks ago my buddy &lt;a href=&quot;http://www.petefreitag.com/&quot;&gt;Pete Freitag&lt;/a&gt; posted his &lt;a href=&quot;http://www.petefreitag.com/item/755.cfm&quot;&gt;ideas for improving security for CF10 (link)&lt;/a&gt; (or whatever they call the next version of ColdFusion). I thought it would be a good idea to post my own ideas.  

It&apos;s not that I disagree with any of Pete&apos;s ideas, I think they are great, I just thought a few more might be good, and I think some of my priorities might be different.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 12 Jul 2010 10:00:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/7/12/My-10-ideas-to-improve-security-in-ColdFusion-10</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>My review of NCDevCon 2010</title>
				<link>http://www.12robots.com/index.cfm/2010/5/25/My-review-of-NCDevCon</link>
				<description>
				
				This last weekend I attended, and spoke at, NCDevCon 2010 in Raleigh, NC. As expected, NCDevCon was a great conference put on by an amazing crew of dedicated volunteers. 

&lt;h2&gt;Content&lt;/h2&gt;
The content of this conference was very different than last year&apos;s CFinNC. Personally, I think the content this year appealed to a much wider audience. Last year&apos;s conference was clearly more focused on ColdFusion, CFML and Flex. This year, the focus seems to be more on Web Development, RIA&apos;s, and more general topics, yet with hands-on sessions that promoted the education of non-CF and Flex people on those technologies. I thought it was a great plan.
				 [More]
				</description>
						
				
				<category>ColdFusion</category>				
				
				<category>JavaScript</category>				
				
				<category>Conferences</category>				
				
				<category>jQuery</category>				
				
				<pubDate>Tue, 25 May 2010 12:37:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/5/25/My-review-of-NCDevCon</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Cryptography Part 2 - Modular Mathematics - Security Series #16.1</title>
				<link>http://www.12robots.com/index.cfm/2010/5/4/Cryptography-Part-2--Modular-Mathematics--Security-Series-161</link>
				<description>
				
				OK, first, let&apos;s get this out of the way. I am not a math guy. Not even close. I enjoyed &quot;Math for the Liberal Arts Major&quot; back in my community college days, but I never even completed college algebra (though it is on my list of things to go back and do). So I am about to explain some math, but there is a GOOD chance that I am going to butcher this.  If so, please correct me.

Now with my disclaimer out of the way, I can say, &quot;MATH IS COOL&quot;!  I really do enjoy the little bit of math that I know and while researching cryptography, I came across a little more. In &lt;em&gt;&lt;a href=&quot;http://www.amazon.com/gp/product/0192803158?ie=UTF8&amp;tag=12robo-20&amp;linkCode=as2&amp;camp=1789&amp;creative=390957&amp;creativeASIN=0192803158&quot;&gt;Cryptography: A very short Introduction&lt;/a&gt;&lt;/em&gt; I was introduced to modular arithmetic.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Tue, 04 May 2010 10:22:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/5/4/Cryptography-Part-2--Modular-Mathematics--Security-Series-161</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>We have a winner!!  cf.Objective() Pre-Conference Secure CMFL training</title>
				<link>http://www.12robots.com/index.cfm/2010/3/25/We-have-a-winner--cfObjective-PreConference-Secure-CMFL-training</link>
				<description>
				
				We had a great response to our contest to give away a seat at our &quot;Building Secure CFML Applications&quot; training at &lt;a href=&quot;http://www.cfobjective.com&quot;&gt;cf.Objective()&lt;/a&gt; next month. A total of 42 entries. 

&lt;h2&gt;And the winner is&lt;/h2&gt;
				 [More]
				</description>
						
				
				<category>Conferences</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<category>cf.Objective()</category>				
				
				<pubDate>Thu, 25 Mar 2010 12:02:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/3/25/We-have-a-winner--cfObjective-PreConference-Secure-CMFL-training</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>A warning about ColdFusion&apos;s scriptProtect</title>
				<link>http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect</link>
				<description>
				
				It&apos;s not very often that you will hear me badmouth ColdFusion, but in this case, I feel compelled. ColdFusion has some truly fantastic features and in many ways makes securing web applications easier, but in this case, it has provided little but a false sense of security.

&lt;h2&gt;What is scriptProtect?&lt;/h2&gt;
In case you are not familiar with ColdFusion&apos;s scriptProtect feature, it is a pattern matching utility that automatically checks all of the ColdFusion scopes over which an end user has control looking for what it deems is malicious script. It is designed to stop Cross-site scripting (XSS) attacks from being used against your application.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Mon, 01 Mar 2010 08:55:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/3/1/A-warning-about-ColdFusions-scriptProtect</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Passwords with spaces - Security Series #4.7</title>
				<link>http://www.12robots.com/index.cfm/2010/2/9/Passwords-with-spaces--Security-Series-46</link>
				<description>
				
				The other day in #coldfusion on DALnet IRC chat, several of us got to talking about passwords and about &lt;a href=&quot;http://www.12robots.com/index.cfm/2008/5/13/A-Simple-Password-Strength-Function-Security-Series-4.1&quot;&gt;the simple password strength function&lt;/a&gt; that I had made some time ago. We worked on improving the regex and making it a better function. But then we got to talking about whitespace.

One of the people I was talking to asked &quot;Why don&apos;t you allow spaces in passwords?&quot;. He saw that my password strength checker did not allow white space in it. This is something I asked myself a while ago, but I never really spent any time thinking about it.

Unfortunately, the only answer I could offer was &quot;I dunno, I thought passwords weren&apos;t supposed to have spaces&quot;.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Tue, 09 Feb 2010 09:49:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/2/9/Passwords-with-spaces--Security-Series-46</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>cf.Objective Preconference Training Opportunities</title>
				<link>http://www.12robots.com/index.cfm/2010/1/20/cfObjective-Preconference-Training-Opportunities</link>
				<description>
				
				I hope everyone is aware of the &lt;a href=&quot;http://cfobjective.com/&quot;&gt;cf.Objective()&lt;/a&gt; conference that takes place in Minneapolis/St. Paul every year. In case you are not, you should know that it is an absolutely AMAZING event. 

cf.Objective() is touted as &quot;The World&apos;s Only Enterprise Engineering Conference for ColdFusion Developers&quot;.  I have been to two cf.Objective() conferences so far, and this year will be my third. I am very excited about it.

Two years ago, there was a two-day pre-conference training session held on the Mach-II framework. It was a very successful training (I believe they sold out every seat), but beyond that, it was a fantastic training. I attended it, and I loved it. I learned a lot. Last year they had ColdBox training prior to the conference. I did not attend that one, but I hear it was also great.

This year, the organizers of cf.Objective() are trying the &lt;a href=&quot;http://cfobjective.com/precon.cfm&quot;&gt;pre-conference training again&lt;/a&gt;, but with more training sessions. This year there will be six!
				 [More]
				</description>
						
				
				<category>Conferences</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<category>cf.Objective()</category>				
				
				<pubDate>Wed, 20 Jan 2010 15:17:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/1/20/cfObjective-Preconference-Training-Opportunities</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>Insecure Direct Object Reference - Security Series #15</title>
				<link>http://www.12robots.com/index.cfm/2010/1/19/Insecure-Direct-Object-Reference--Security-Series-15</link>
				<description>
				
				The first time I looked at the &lt;a href=&quot;http://www.owasp.org/index.php/Top_10_2007&quot;&gt;OWASP Top Ten web vulnerabilities&lt;/a&gt;, they all made sense to me, save for one. That one was &lt;a href=&quot;http://www.owasp.org/index.php/Top_10_2007-A4&quot;&gt;A4 - Insecure Direct Object Reference&lt;/a&gt;. At the time I was still pretty new to object-oriented programming and so the first thing I thought was that it was referring to those kinds of objects.

But that is not what they are talking about. They are talking about any direct reference to an &quot;implementation object&quot;. Meaning objects like files, folders, database records, or other types of &quot;keys&quot;.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<category>Database</category>				
				
				<pubDate>Tue, 19 Jan 2010 09:07:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/1/19/Insecure-Direct-Object-Reference--Security-Series-15</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>The Winners of the Fusion Authority Quarterly Update giveaway.</title>
				<link>http://www.12robots.com/index.cfm/2010/1/8/The-Winners-of-the-Fusion-Authority-Quarterly-Update-giveaway</link>
				<description>
				
				I just closed the comments of &lt;a href=&quot;&quot;&gt;my last post&lt;/a&gt; announcing the release of the new &lt;a href=&quot;http://www.12robots.com/index.cfm/2010/1/5/The-new-Fusion-Authority-Quarterly-Update-is-out&quot;&gt;Fusion Authority Quarterly Update&lt;/a&gt;. Now it is time to announce the winners.  But first.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 08 Jan 2010 12:22:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/1/8/The-Winners-of-the-Fusion-Authority-Quarterly-Update-giveaway</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>The new Fusion Authority Quarterly Update is out</title>
				<link>http://www.12robots.com/index.cfm/2010/1/5/The-new-Fusion-Authority-Quarterly-Update-is-out</link>
				<description>
				
				&lt;span style=&quot;color:red&quot;&gt;NOTE: I have closed the comments on this post. The contest is over. I will post the winners soon.&lt;/span&gt;

It seems like not many people are talking about the new &lt;a href=&quot;http://www.fusionauthority.com/quarterly/&quot;&gt;Fusion Authority Quarterly Update&lt;/a&gt;. It has been out for about 3 weeks, I think, and it seems that there is very little buzz about it. So I thought I would generate some.

This is a little self-serving, as I have two articles in the newest version, but I don&apos;t mind :)  My two articles are in a new &quot;Let&apos;s Talk Security&quot; column. They are &quot;Application Security Primer&quot; and &quot;SQL Injection: A Persistent Threat&quot;. I was very excited to be asked to start writing for FAQU and I hope to be able to contribute more. 

In addition to my two articles, there is some amazing content from authors like &lt;a href=&quot;http://cfsilence.com/blog/client/&quot;&gt;Todd Sharp&lt;/a&gt;, &lt;a href=&quot;http://www.coldfusionjedi.com/&quot;&gt;Ray Camden&lt;/a&gt;, &lt;a href=&quot;http://www.terrenceryan.com/&quot;&gt;Terry Ryan&lt;/a&gt;, &lt;a href=&quot;http://www.coldfusionmuse.com/&quot;&gt;Mark Kruger&lt;/a&gt;, &lt;a href=&quot;http://www.cfwhisperer.com/&quot;&gt;Mike Brunt&lt;/a&gt;, &lt;a href=&quot;http://www.henke.ws/&quot;&gt;Mike Henke&lt;/a&gt;, &lt;a href=&quot;http://www.carehart.org/&quot;&gt;Charlie Arehart&lt;/a&gt;, &lt;a href=&quot;http://ontap.riaforge.org/blog/&quot;&gt;S. Isaac Dealey&lt;/a&gt;, Pete Ruckelshaus, &lt;a href=&quot;http://iknowkungfoo.com/&quot;&gt; Adrian J. Moreno &lt;/a&gt; and &lt;a href=&quot;http://www.vertabase.com/blog/&quot;&gt;Mark Phillips&lt;/a&gt;.  And I am especially looking forward to reading &lt;a href=&quot;http://www.imakewebjunk.com/&quot;&gt;Dave Konopka&apos;s&lt;/a&gt; &quot;SOA for the rest of us&quot;

To help bring attention to the new Quarterly Update and to generate some buzz, I am going to have a little giveaway.  I like to do giveaways once in a while. It is fun. Judith and Michael at &lt;a href=&quot;http://www.houseoffusion.com/&quot;&gt;House of Fusion&lt;/a&gt; have graciously offered two 1-year subscriptions of the Fusion Authority Quarterly Update for me to giveaway. 

So on Friday of this week (only three days from now) I am going to give away two 1-year subscriptions to the Fusion Authority Quarterly Update.
				 [More]
				</description>
						
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Tue, 05 Jan 2010 16:00:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2010/1/5/The-new-Fusion-Authority-Quarterly-Update-is-out</guid>
				
			</item>
			
		 	
			
			
			<item>
				<title>URL Session Tokens easily compromised - Security Series #6.4</title>
				<link>http://www.12robots.com/index.cfm/2009/12/18/URL-Session-Tokens-easily-compromised--Security-Series-64</link>
				<description>
				
				I have said on several occasions that catering to users who insist on disabling cookies is a bad idea. I have blogged a &lt;a href=&quot;http://www.12robots.com/index.cfm/2008/6/18/How-Session-Tokens-are-Compromised-and-Session-Security-Wrap-Up--Security-Series-63&quot;&gt;couple&lt;/a&gt; &lt;a href=&quot;http://www.12robots.com/index.cfm/2008/6/15/Session-Token-Cookies-should-we-force-them-on-our-users&quot;&gt;times&lt;/a&gt; on the reasons. 

So why am I suddenly bringing this topic up again?  Well I recently read (I cannot recall where, it was probably on the &lt;a href=&quot;http://www.owasp.org&quot;&gt;OWASP site&lt;/a&gt;) about a way that session tokens in URLs can be easily compromised. I am a little embarrassed that I never realized that this vulnerability existed before. It is pretty simple.
				 [More]
				</description>
						
				
				<category>HTTP</category>				
				
				<category>Security</category>				
				
				<category>ColdFusion</category>				
				
				<pubDate>Fri, 18 Dec 2009 10:16:00 -0500</pubDate>
				<guid>http://www.12robots.com/index.cfm/2009/12/18/URL-Session-Tokens-easily-compromised--Security-Series-64</guid>
				
			</item>
			
		 	
			</channel></rss>