With the recent British Airways data breach losing 380,000 credit card details, our age-old adage has been proven. No system is 100% secure.
This is why the team here at TeraTech has dubbed November “No-Nonsense November”. We will be diverting our attention to making sure that your ColdFusion systems are as secure as they can be. Furthermore, I will be giving you some tips from industry security leaders to better secure your servers.
Every day, new security vulnerabilities are found in all of our favorite programming languages. CFML is no exception. This is why both Adobe and Lucee release regular hotfixes to address them. Not upgrading your platform is just downright foolish. Check to make sure all your servers are up-to-date! Security issues regularly get reported that could easily have been avoided by staying updated.
DON’T BE THAT GUY.
Speaking of new updates to security…
Adobe ColdFusion 2018 Security Improvements
The release of CF 2018 pushes security to a whole new level. Now, you can automatically scan and search your application code for existing security vulnerabilities and potential security breaches. ColdFusion will then identify the exact vulnerable code, the type of vulnerability, and its severity level. Finally, the improved analyzer presents you with the option of removing or repairing the problem by recommended means. Automated security? Sign me up.
On top of that, ColdFusion 2018 offers an automated server lockdown feature. No more fumbling through disorganized manuals and procedures to secure your servers. With the simple click of a button, Adobe does it all for you.
To learn more about what Adobe ColdFusion 2018 has to offer, check out this article: Adobe ColdFusion 2018: Step into the Aether.
But, why is security just so important?
Funny you should ask that. But for those of you who still don’t grasp the magnitude of the problem…
These are some of the problems you can experience with an insecure ColdFusion server:
- After a breach, personnel job security goes into rapid decline.
- If you are datanapped, monetary demands may be excessively high.
- Your customers’ sensitive data could be posted on the darknet for scamming purposes.
- If news of the breach goes public, company PR will be damaged.
- The scope of the problem may be far greater than one particular system.
- Your CF site slows down or crashes because hackers are using the server to send spam email.
This is just the tip of the iceberg. There are literally hundreds–if not thousands–of reasons why you should maintain maximum security for your CFML platform.
Related: How One Company Improved Their ColdFusion Security (From Datanapped to Safe)
Legacy Code: Old Paths or Open Gateways?
“So my system is outdated, and it runs on legacy code… What’s the big deal? Nobody wants to access my system anyway.”
Sigh. You may be the biggest target out there.
Unused old code and even whole directories of deadwood not only create maintenance confusion, but they are also a major security risk. Often, the older code is less securely written.
In my experience, hackers often penetrate a CF server via deadwood code. Solution?
Clear up your CF deadwood code. Just check out some of the advantages of doing so.
- Easier Maintenance – Simple and clean code structures help make everyday tasks a breeze.
- Rapid Deployment – Everyone wants to deploy changes and meet new requirements quickly and easily. When your code is solid, nothing keeps you from making quick work of your tasks.
- Fewer Bugs – Finding and fixing bugs will be much easier. You’ll think you found your virtual can of insect spray!
- Modern, Responsive Front-End – Your app can now work on both mobile and desktop browsers seamlessly.
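As an added example (not code from this article or from TeraTech), here is a small Python scanner that lists the .cfm/.cfc files in a code tree that no other file references statically. The sample tree, its file names and the reference patterns it recognises are constructed assumptions; treat its output as a review list of deadwood candidates, since paths built at runtime or via web-server rewrites are not seen.

```python
import re, tempfile
from pathlib import Path
ENTRY_POINTS = {"index.cfm", "application.cfc", "application.cfm"}
# Static reference forms only; paths built at runtime are not seen, so review before deleting.
PATTERNS = [re.compile(p, re.I) for p in (
    r'template\s*=\s*["\']([^"\']+\.cf[mc])["\']',                        # cfinclude/cfmodule
    r'(?:action|href)\s*=\s*["\']([^"\'?#]+\.cfm)',                      # links and forms
    r'createObject\s*\(\s*["\']component["\']\s*,\s*["\']([\w.]+)["\']',  # createObject
    r'\bnew\s+([A-Za-z_][\w.]*)\s*\(',                                     # new a.b.C()
)]

def _resolve(ref, src_dir, root):
    """Map a reference to a lowercase root-relative path (None if it escapes root)."""
    if ref.lower().endswith((".cfm", ".cfc")):                 # path reference
        target = (root if ref.startswith("/") else src_dir) / ref.lstrip("/")
    else:                                                        # dotted component path
        target = root / (ref.replace(".", "/") + ".cfc")
    try:
        return target.resolve().relative_to(root.resolve()).as_posix().lower()
    except ValueError:
        return None

def find_deadwood(root):
    """Return .cfm/.cfc files (relative to root) that no other file references."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.suffix.lower() in (".cfm", ".cfc")]
    referenced = set()
    for f in files:
        text = f.read_text(errors="ignore")
        for ref in (m for pat in PATTERNS for m in pat.findall(text)):
            rel = _resolve(ref, f.parent, root)
            if rel and rel != f.relative_to(root).as_posix().lower():
                referenced.add(rel)
    return sorted(f.relative_to(root).as_posix() for f in files
                  if f.name.lower() not in ENTRY_POINTS
                  and f.relative_to(root).as_posix().lower() not in referenced)
# Constructed sample tree, not a real application: the file under old/ is deadwood.
SAMPLE_TREE = {
    "index.cfm": '<cfinclude template="header.cfm"><a href="orders/list.cfm?id=1">Orders</a>',
    "header.cfm": "<h1>Shop</h1>",
    "orders/list.cfm": "<cfscript>o = new com.OrderService(); p = createObject('component', 'com.OrderService');</cfscript>",
    "com/OrderService.cfc": "component { function list() { return []; } }",
    "old/admin_backup.cfm": '<cfquery name="q" datasource="shop">SELECT * FROM users</cfquery>',
}
def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:   # writes SAMPLE_TREE, returns the scan result
        for name, body in SAMPLE_TREE.items():
            Path(tmp, name).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, name).write_text(body)
        return find_deadwood(tmp)
```

Run `find_deadwood("/path/to/webroot")` against a real tree; `scan_sample()` runs it on the constructed tree and returns `['old/admin_backup.cfm']`.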
But how do you move from that legacy hell to a heaven of modern CFML with easier maintenance and deployment, fewer bugs, and streamlined code?
Join Nolan Erck and me as we dive into that answer on the CF Alive podcast: 059 Migrating legacy CFML to MVC (Model View Controller) with Nolan Erck
What else can I do?
I recommend learning from one of the security gurus of today’s modern ColdFusion. One individual in particular stands out.
Pete Freitag.
As the creator of Foundeo.com, he has developed several tools designed specifically to maximize the protection of your CFML applications. I have had the golden opportunity to interview him on multiple occasions about security topics.
Related: Secrets of High-Security ColdFusion Code with Pete Freitag, to get the scoop on all things CFML security.
Hire a ColdFusion Expert to Protect your Valuables
Hiring a professional is always THE BEST THING to do if you don’t have one in-house.
Be sure to check out this article on the blog to help you make the right decisions when it comes to your hiring.
Related: How to Hire a ColdFusion Software Development Company without Freaking Out (9 best practices)
In conclusion, your CFML security is nothing to joke around about. You should strive for maximum security and coverage of your servers, applications, and platform. Don’t be the one who gets attacked and comes asking why. I’d hate to say “I told you so.”
And to continue learning how to make your ColdFusion apps more modern and alive, I encourage you to download our free ColdFusion Alive Best Practices Checklist.
Because… perhaps you are responsible for a mission-critical or revenue-generating CF application that you don’t trust 100%, where implementing new features is a painful ad-hoc process with slow turnaround even for simple requests.
What if you have no contingency plan for a sudden developer departure or a server outage? Perhaps every time a new freelancer works on your site, something breaks. Or your application availability, security, and reliability are poor.
And if you are depending on ColdFusion for your job, then you can’t afford to let your CF development methods die on the vine.
You’re making a high-stakes bet that everything is going to be OK using the same old app creation ways in that one language — forever.
All it would take is for your fellow CF developer to quit or for your CIO to decide to leave the (falsely) perceived sinking ship of CFML and you could lose everything—your project, your hard-won CF skills, and possibly even your job.
Luckily, there are a number of simple, logical steps you can take now to protect yourself from these obvious risks.
No Brainer ColdFusion Best Practices to Ensure You Thrive No Matter What Happens Next
ColdFusion Alive Best Practices Checklist
Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.
√ Easily create a consistent server architecture across development, testing, and production
√ A modern test environment to prevent bugs from spreading
√ Automated continuous integration tools that work well with CF
√ A portable development environment baked into your codebase… for free!
Learn about these and many more strategies in our free ColdFusion Alive Best Practices Checklist.