With the 2018 CF Summit in Las Vegas being a huge success, we can now turn our eyes to the upcoming CF Camp in Munich. As the only major CF conference in Europe, you can bet there will be many great sessions coming up. Alexander Reelsen of Elasticsearch will be providing one of those. He will discuss Java security management at length and what Elasticsearch can do in that area. To prepare for this, let’s take a look at what Java Security Management means and what Elasticsearch is.
“We think we're going to be especially strong in the platform where we have our two platform brands: our database brand is the Oracle Database 12c, and our programming language brand is this thing called Java.” -Larry Ellison
What You Need to Know as CIO
What do Java and Java security have to do with your Adobe ColdFusion based operations? The answer is simple. Everything. One of CF’s greatest strengths is that underneath all of its layers lies Java. That’s right. Adobe ColdFusion runs on the JVM, the Java Virtual Machine. All of your .cfm and .cfc files are actually compiled to standard Java classes. This allows you to natively utilize the vast array of Java libraries available. However, this also means that any change in Java directly impacts your ColdFusion.
For instance, when Java 1.8 was released, ColdFusion had to be optimized to account for Java 1.8.
The duality of Java and ColdFusion has a dark side to it as well. Any attack on or compromise of your ColdFusion’s Java core (whether intentional or accidental) will directly affect your CF.
This is why maintaining the security of your Java installation and JVM is pivotal to both your ColdFusion platform and your business’s operations. In Susan Perschke’s article “7 Steps to Securing Java” for CIO.com, she defines 7 key steps to securing your Java. Let’s take an in-depth look at these.
#1. Impact Analysis
How can you begin to improve your Java security if you don’t even know where to start? Performing an impact analysis can give you a good idea of where you stand with your Java inside and out. The most important part of this process is identifying exactly which of your apps use Java. In the case of ColdFusion, you will find that almost every single one of your apps does. You should use this knowledge to build a criticality scale. Which apps are the most critical for your business? In order to mitigate risk, you must first understand the full scope of Java in your workplace.
#2. Patches and Updates
This may seem like a no-brainer, but… You would be surprised at how outdated some companies’ platforms are. DO NOT BE THAT PERSON. It is of absolute importance that you stay up to date on all your platforms.
Updates and patches come with security fixes and attack prevention measures.
Do not become vulnerable by refusing to update your platform.
When doing this, be sure to take the necessary precautions such as:
- Install your new Java updates and patches directly from Oracle. This reduces the risk of code injection.
- Manually uninstall older versions of Java. When you install a new version of Java, the older version is not necessarily uninstalled.
- Consider restricting your Java-based apps to a VM that is powered up only when needed. Shut it down whenever the apps are not in use.
Your Java is not the only thing that needs to be upgraded. Your Java-based app does as well. Outdated apps may break or fail if run on a newer version of Java. Be sure to keep all of your apps up to date to avoid any complications and minimize security risks.
“It's been the language I've used 100% of the time in the last 18 years of my professional life. I love working in ColdFusion, it is both comfortable to work in yet also stretches me as I continually find new things I can do with it in every release. There's been a lot of effort over the years to evolve ColdFusion and keep pace with other languages and modern programming concepts.” – Ed Bartram, Senior Web Developer at Senior Market Sales
From CF Alive episode, “080 Assert Control Over Your Legacy Applications (TestBox Quick Start) with Ed Bartram“
#3. Managing Control Panel Settings
There are many settings on the Java Control Panel that can be tweaked in order to provide optimum performance and maximum security. Luckily for us, ColdFusion exposes most of the JVM settings right in our Administrator. This makes adjustments relatively easy. The general security settings for Java are also found on the control panel. The latest versions of Java 7 and higher have a different default security level. Prior to these, Java’s security settings were set to MEDIUM, whereas now they are set to HIGH. Here you can also manage your automatic updates. For standard clients, Java updates automatically. However, as of now, there is no automatic Java update for enterprise-level clients. These updates must be applied manually.
#4. Harden Your Web Browsers
Many Java (and subsequently ColdFusion) attacks come through your web browsers. This is why it is so important to take all precautions when it comes to them. Whenever possible, it is recommended that you disable Java in your web browsers. However, we know this can be pretty difficult or next to impossible. Instead, consider disabling remote access to Java applets. Use a proxy server that allows local Java requests and denies remote ones. An even simpler approach is to use two separate web browsers. Use one for Java-free operations and the other for actual web browsing. When using this method, change your proxy settings so that only one browser is permitted to run Java and the other is not. This can help you prevent accidental exposure of your Java to outside entities.
#5. BYOD Control
BYOD stands for Bring Your Own Device. This practice is becoming more and more common in today’s IT world. Some employers even provide a budget for employees to purchase a device the user is comfortable with. Not all of these devices will have proper security installed natively. Many of them won’t. This can be a problem for many reasons. Instead of preventing your employees from using their own devices, ensure proper monitoring. Create a task force to verify that all brought devices are up to your company’s standard of security. BYOD only becomes a problem if you allow it to be. Be proactive about your security concerns.
#6. Review Java Impacts
This area of focus primarily deals with how your customers interact with you and your Java. Some of your customers and clients may be very strict with their own Java security. If your business uses mainly Java applets, your clients may not be able to properly access your information. Some clients even deny JavaScript. Monitor and track your Java impacts by using detection scripts. This will allow you to redirect clients to a more friendly area for their concerns.
#7. Develop Responsibly
This may be the most important step when it comes to developing in Java. DO NOT PRODUCE UNSIGNED OR SELF-SIGNED APPS. In order to maintain your best security, always use a trusted certification authority when developing. Also, adhere to industry best practices in the workspace. Best practices are called best practices for a reason. They can promote the health and welfare of your development environment and your company. Just remember, best practices are prone to change.
“…it might be a best practice today, but may not have been a best practice five years ago. And it might not be a best practice five years in the future.” -Nolan Erck, Owner and Chief Consultant at South of Shasta Consulting
From CF Alive episode, “047 Best Practices Are Best, Except When They’re Not with Nolan Erck“
Tech Talk
Java Security Managers
One of the core pieces to Java’s security architecture is the Java Security Manager. A security manager is not just a singular program. It can be one of many different classes each designed for a specific or custom purpose.
Any class that descends from java.lang.SecurityManager can be considered a security manager.
Using these security managers allows you to create a custom security configuration particular to a specific application. When an application attempts to perform any action that is potentially unsafe, the Java API informs the installed security manager. For each potentially unsafe action, there is a method (a check) that defines whether that action will be permitted to execute.
For example:
- checkRead() determines whether or not a specified file can be read
- checkWrite() determines whether or not a specified file can be written
Reading and writing files are not the only tasks that are monitored and checked. The classes of the Java API check with the security manager in order to:
- Accept a socket connection from a specified host and port number
- Modify a thread (change its priority, stop it, and so on)
- Open a socket connection to a specified host and port number
- Create a new class loader
- Delete a specified file
- Create a new process
- Cause the application to exit
- Load a dynamic library that contains native methods
- Wait for a connection on a specific local port number
- Load a class from a specified package (used by class loaders)
- Add a new class to a specified package (used by class loaders)
- Access or modify system properties
- Access a specified system property
- Read from a specified file
- Write to a specified file
When configuring your policy file, you may decide to take one of three paths.
- Black Hat (deny-list): Everything is allowed, but exceptions can be configured to disallow some operations.
- White Hat (allow-list): Only operations that are explicitly configured are allowed. By default, all operations are disallowed.
- Custom: a combination of the two approaches, tailored to the application.
Taking advantage of Java Security Managers can save you from a bunch of nasty surprises down the road. Keep up-to-date on your security and ensure your Java runs safely.
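As an added illustration of the “White Hat” approach described above (example code, not from the article or from Elasticsearch), the following custom security manager denies file reads and writes unless they fall under an explicitly allowed directory, and denies outbound sockets and System.exit outright. It assumes a JDK 8-era runtime; the class name, the allowed directory (java.io.tmpdir) and the sample path /etc/hostname are constructed for the demo.

```java
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;
import java.util.Collections;
import java.util.Set;

/** Allow-list ("White Hat") manager: the JVM calls checkRead/checkWrite before touching a file,
 *  so denying here blocks the operation before any I/O happens. */
public class AllowListSecurityManager extends SecurityManager {
    private final Set<Path> allowedDirs;

    public AllowListSecurityManager(Set<Path> allowedDirs) { this.allowedDirs = allowedDirs; }

    private void requireAllowed(String action, String file) {
        Path p = Paths.get(file).toAbsolutePath().normalize();   // normalize defeats "../" tricks
        if (allowedDirs.stream().noneMatch(p::startsWith)) {
            throw new SecurityException(action + " denied: " + file);
        }
    }

    @Override public void checkRead(String file)  { requireAllowed("read", file); }
    @Override public void checkWrite(String file) { requireAllowed("write", file); }
    @Override public void checkConnect(String host, int port) {
        throw new SecurityException("outbound connection denied: " + host + ":" + port);
    }
    @Override public void checkExit(int status) { throw new SecurityException("System.exit denied"); }
    // All other checks funnel through checkPermission. It is left permissive in this demo so the JVM
    // keeps running; a production manager would not override it and would rely on the policy file.
    @Override public void checkPermission(Permission perm) { }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir")).toAbsolutePath().normalize();
        System.setSecurityManager(new AllowListSecurityManager(Collections.singleton(tmp)));

        File ok = File.createTempFile("sm-demo", ".txt");     // write under tmpdir: allowed
        ok.deleteOnExit();
        try (FileReader r = new FileReader(ok)) {              // read under tmpdir: allowed
            System.out.println("allowed: " + ok);
        }
        try (FileReader r = new FileReader("/etc/hostname")) { // constructed path outside the allow-list
            System.out.println("unexpected: read was allowed");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());   // the check fires before the file is opened
        }
    }
}
```

On JDK 18 and newer, System.setSecurityManager is disabled by default and the JVM must be started with -Djava.security.manager=allow for this to run.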
Elasticsearch
Elasticsearch is a distributed RESTful search and analytics engine. But Elasticsearch is much, much more than your standard search engine. Not only does it allow for many types of searches over your data (such as structured, unstructured, geo, and metric), Elasticsearch performs at blazing fast speeds. This is accomplished through many methods, primarily its indexing mechanisms.
It can also provide scalability for your applications. Elasticsearch claims to run exactly the same way on a single node on your laptop as on a 300-node cluster. This is due to its horizontal scaling design.
The major topic Alexander will be covering though is how Elasticsearch can actually help provide stronger security for you and your data. All data that you store within the Elastic Stack is very closely guarded. This can keep your Java (and CFML) safe and your company reassured. Here are some of the ways that Elasticsearch and the Elastic Stack keep your data protected.
- Authentication
- Using Elasticsearch allows you to use all the authentication safeguards the Elastic Stack has to offer. This includes single sign-on (SSO) options like certificates, Kerberos, and SAML. You also have the option to integrate a home-grown identity management system.
- Authorization
- Elasticsearch gives you the power to manage your user roles and authorizations. Specify what each of your team members is able to access. For instance, give your marketing team read-only access to marketing data, and deny access to all other indices.
- Encryption
- All of your data in the Elastic Stack is protected with SSL/TLS encryption. This should help to keep both your company’s and your clients’ minds at ease. IP filtering is also provided to prevent unwanted hosts from communicating with your data cluster.
- Audit Logging
- Elasticsearch’s audit logging feature keeps a complete record of user and system activity. It can record all activity or be narrowed down to specific event types. These logs are then stored within the Stack for ease of access.
These are only a few ways that Elasticsearch can help you and your company stay safe and successful. For more info, be sure to check out Alexander Reelsen’s session at the CF Camp in Munich.
Remember, your ColdFusion is like an onion. It has many layers and at the heart lies Java. You must take care to secure your Java alongside your CFML to ensure maximum security for your code and applications.
Learn more about this interesting topic at the CF Camp in Munich. Alexander Reelsen will have a presentation.
CF Camp 2018: The Only Adobe ColdFusion Conference in Europe
About the Speaker:
Alexander Reelsen, Husband, Dad, Developer for Elasticsearch and its commercial extensions. Backend only developer, productivity fan, likes distributed systems & the new serverless era.
And to continue learning how to make your ColdFusion apps more modern and alive, I encourage you to download our free ColdFusion Alive Best Practices Checklist.
Because… perhaps you are responsible for a mission-critical or revenue-generating CF application that you don’t trust 100%, where implementing new features is a painful ad-hoc process with slow turnaround even for simple requests.
What if you have no contingency plan for a sudden developer departure or a server outage? Perhaps every time a new freelancer works on your site, something breaks. Or your application availability, security, and reliability are poor.
And if you are depending on ColdFusion for your job, then you can’t afford to let your CF development methods die on the vine.
You’re making a high-stakes bet that everything is going to be OK using the same old app creation ways in that one language — forever.
All it would take is for your fellow CF developer to quit or for your CIO to decide to leave the (falsely) perceived sinking ship of CFML and you could lose everything—your project, your hard-won CF skills, and possibly even your job.
Luckily, there are a number of simple, logical steps you can take now to protect yourself from these obvious risks.
No Brainer ColdFusion Best Practices to Ensure You Thrive No Matter What Happens Next
ColdFusion Alive Best Practices Checklist
Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.
√ Easily create a consistent server architecture across development, testing, and production
√ A modern test environment to prevent bugs from spreading
√ Automated continuous integration tools that work well with CF
√ A portable development environment baked into your codebase… for free!
Learn about these and many more strategies in our free ColdFusion Alive Best Practices Checklist.