Just recently, I talked with Pete Freitag from Foundeo about ColdFusion security issues and solutions. For those of you that don't already know this, Pete is one of the best CF security experts out there. And, modernizing ColdFusion is just that! Making it more secure, and alive. #ModernizeOrDie was the main motto at Into The Box 2019.
What is Fixinator?
Fixinator is a CFML security code scanner. Basically, you give it a directory of code, or even just a single file, and it goes through it looking for security issues. The types of things it finds range from
- SQL injection vulnerabilities
- remote code execution
It will automatically fix the vulnerabilities it finds. Here's an example:
Say you have an SQL injection vulnerability in a CF query tag and you run Fixinator. It has a feature called Auto Fix: with autofix=auto it just fixes the issue for you without asking you anything. There's a prompt mode too if you want to have more control.
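As an added illustration of the kind of fix described here (not Fixinator's actual output or Pete's code), a CF query tag that interpolates request input straight into the SQL, beside the parameterized form using cfqueryparam. The datasource name, table and column names are made up for the example.

```cfml
<!--- Vulnerable: the URL value is concatenated into the SQL string, so the
      input can alter the statement itself rather than just supplying data. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- Fixed: cfqueryparam sends the value as a bind parameter and enforces a
      SQL type, so the database only ever treats it as data. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same rule for string input; maxlength bounds the value's size. --->
<cfquery name="qSearch" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="#form.q#%" cfsqltype="cf_sql_varchar" maxlength="64">
</cfquery>

<!--- IN clauses need list="true" so each list element becomes its own bind parameter. --->
<cfquery name="qRoles" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE role_id IN (<cfqueryparam value="#url.roles#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>
```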
The second feature is that it looks for known vulnerabilities in the code base, so if you are using an old version of FCKeditor with its file upload vulnerability, it will be able to detect that type of thing as well.
It will also provide a full report on all problems and issues in HTML or PDF format, or as a JSON file if you want to process the results yourself. It supports JUnit format as well.
You are also able to integrate Fixinator into a continuous integration pipeline, e.g. a GitLab repository, so that any time you commit your code it runs the scan automatically. If you output the report in JUnit format, the pipeline gives you a nice overview of everything it found. This way it stops vulnerable code from going into production, because the scan is part of your deployment pipeline.
Continuous security for your CFML code with Fixinator Webinar with Pete Freitag
In this webinar Pete explained how to scan a code base, produce reports, and let Fixinator fix some of the issues it finds. Another takeaway was how to set up Fixinator in a continuous integration workflow, so it runs every time you commit code to the repository, giving you instant, automatic, continuous feedback.
Here are the slides from Pete's presentation.
Pete Freitag has well over a dozen years of experience building web applications with ColdFusion. In 2006 he started Foundeo Inc (foundeo.com), a ColdFusion consulting and products company. Pete helps clients develop and architect custom ColdFusion applications, as well as review and improve the performance and security of existing applications. He has also built several products and services for ColdFusion, including a Web Application Firewall for ColdFusion called FuseGuard (fuseguard.com) and a ColdFusion server security scanning service called HackMyCF (hackmycf.com). Pete holds a BS in Software Engineering from Clarkson University.
Join the CF Alive revolution
Discover how we can all make CF more alive, modern and secure this year. Join other ColdFusion developers and managers in the CF Alive Inner Circle today.
- Get early access to the CF Alive book and videos
- Be part of a new movement for improving CF's perception in the world.
- Contribute to the CF Alive revolution
- Connect with other CF developers and managers
- There is no cost to membership.