Note: this article was written when Adobe ColdFusion 2018 was the current version. There is now a newer version, Adobe ColdFusion 2021, and it is the game-changing release for the next decade. To learn more about CF 2021, listen to the CF Alive podcast episode with Rakshith Naresh.
ColdFusion Security Breakdown
With the recent British Airways data breach losing 380,000 credit card details, our age-old adage has been proven: no system is 100% secure.
This is why the team here at TeraTech has dubbed November “No-Nonsense November”. We will be diverting our attention to making sure that your ColdFusion systems are as secure as they can be. Furthermore, I will be giving you some tips from industry security leaders to better secure your servers.
Every day, new security vulnerabilities are found in all of our favorite programming languages, and CFML is no exception. This is why both Adobe and Lucee release regular hotfixes to address them. Not upgrading your platform can be downright foolish. Check to make sure all your servers are up-to-date! Sometimes security issues get reported that could easily have been avoided by staying updated.
DON’T BE THAT GUY.
Speaking of new updates to security…
Adobe ColdFusion 2018 Security Improvements
The release of CF 2018 pushes security to a whole new level. Now you can automatically scan and search your application code for existing security vulnerabilities and potential security breaches. ColdFusion then pinpoints the vulnerable code, the type of vulnerability, and the severity level. Finally, the improved analyzer gives you the option of removing or repairing the problem by the recommended means. Automated security? Sign me up.
On top of that, ColdFusion 2018 offers an automated server lockdown feature. No more fumbling through disorganized manuals and procedures to secure your servers. With the simple click of a button, Adobe does it all for you.
To learn more about what Adobe ColdFusion 2018 has to offer, check out this article: Adobe ColdFusion 2018: Step into the Aether.
But, why is security just so important?
Funny you should ask that. But for those of you who still don’t grasp the magnitude of the problem…
These are some of the problems you can experience with an insecure ColdFusion server:
- After a breach, personnel job security goes into rapid decline.
- If you are datanapped, monetary demands may be excessively high.
- Your customers’ sensitive data could be posted on the Darknet for scamming purposes.
- If news of the breach goes public, company PR will be damaged.
- The scope of the problem may be far greater than one particular system.
- Your CF site slows down or crashes because hackers are using the server to send spam email.
This is just the tip of the iceberg. There are literally hundreds–if not thousands–of reasons why you should maintain maximum security for your CFML platform.
Legacy Code: Old Paths or Open Gateways?
“So my system is outdated, and it runs on legacy code… What’s the big deal? Nobody wants to access my system anyway.”
Sigh. You may be the biggest target out there.
Unused old code, and even whole directories of deadwood, not only create maintenance confusion but are also a major security risk. Often, the older code is less securely written.
In my experience, hackers often penetrate a CF server via deadwood code. Solution?
Clear up your CF deadwood code. Just check out some of the advantages of doing so.
- Easier Maintenance – Simple and clean code structures help make everyday tasks a breeze.
- Rapid Deployment – Everyone wants to deploy changes and make future requirement changes to your application quickly and easily. When your code is solid, nothing is keeping you from making quick work of your tasks.
- Fewer Bugs – Finding and fixing bugs will be much easier. You’ll think you found your virtual can of insect spray!
- Modern, Responsive Front-End – Your app can now work on both mobile and desktop browsers seamlessly.
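Before you can clear deadwood you have to find it. The script below is an added example, not code from the article or from TeraTech: it walks a CFML web root, follows static references (cfinclude/cfmodule templates, links to .cfm files, createObject("component", ...) and new a.b.C() component paths) outward from a set of entry points, and lists every .cfm/.cfc file that nothing reaches. The sample application tree, the entry points (Application.cfc and index.cfm) and the regexes are assumptions made for the demonstration; the "old/" pages and the helper component they alone use are constructed to show that dead code is found transitively.

```python
import os
import re
import tempfile
from collections import deque

# Constructed sample application tree (not taken from the article).
# Keys are paths relative to the web root, values are file contents.
SAMPLE_TREE = {
    "Application.cfc": 'component {\n  this.name = "demo";\n}\n',
    "index.cfm": (
        '<cfinclude template="header.cfm">\n'
        '<cfset svc = createObject("component", "model.UserService")>\n'
    ),
    "header.cfm": '<a href="login.cfm">Login</a>\n',
    "login.cfm": '<cfset auth = new model.Auth()>\n',
    "model/UserService.cfc": "component {}\n",
    "model/Auth.cfc": "component {}\n",
    # Legacy pages nothing links to any more; still reachable by typing the URL.
    "old/admin_backup.cfm": (
        '<cfset h = createObject("component", "util.Helpers")>\n'
        '<cfquery name="q" datasource="legacy">SELECT * FROM users</cfquery>\n'
    ),
    "old/upload_v1.cfm": '<cffile action="upload" destination="/tmp">\n',
    # Only the legacy page uses this component, so it is dead transitively.
    "util/Helpers.cfc": "component {}\n",
}

# Assumed entry points: the request lifecycle file and the site's front page.
DEFAULT_ENTRY_POINTS = ("Application.cfc", "index.cfm")

# Quoted literals naming a .cfm/.cfc file (cfinclude, cfmodule, href, action ...).
# A '#' inside the literal means a dynamic path, which static analysis skips.
FILE_REF_RE = re.compile(r'["\']([^"\'#\s]+\.cf[mc])["\']', re.IGNORECASE)
# Dotted component paths from createObject("component", "a.b.C") and new a.b.C()
COMPONENT_RE = re.compile(
    r'createObject\(\s*["\']component["\']\s*,\s*["\']([\w.]+)["\']'
    r'|\bnew\s+([A-Za-z_][\w.]*)\s*\(',
    re.IGNORECASE,
)


def write_sample_tree(root):
    """Materialise the constructed sample tree under root."""
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def find_cfml_files(root):
    """All .cfm/.cfc files under root, as web-root-relative POSIX paths."""
    found = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".cfm", ".cfc")):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.add(rel.replace(os.sep, "/"))
    return found


def extract_references(text):
    """Static references (file paths or dotted component names) in source text."""
    refs = set(FILE_REF_RE.findall(text))
    for create_obj, new_expr in COMPONENT_RE.findall(text):
        refs.add((create_obj or new_expr).replace(".", "/") + ".cfc")
    return refs


def resolve(ref, from_dir, files):
    """Map a reference to an existing file: relative to the referrer first, then web-root."""
    if ref.startswith("/"):
        candidates = [ref.lstrip("/")]
    else:
        rel = os.path.normpath(os.path.join(from_dir, ref)).replace(os.sep, "/")
        candidates = [rel, ref]
    for cand in candidates:
        if cand in files:
            return cand
    return None


def reachable_files(root, files, entry_points=DEFAULT_ENTRY_POINTS):
    """Breadth-first walk of static references starting from the entry points."""
    seen = {ep for ep in entry_points if ep in files}
    queue = deque(seen)
    while queue:
        current = queue.popleft()
        path = os.path.join(root, *current.split("/"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for ref in extract_references(text):
            target = resolve(ref, os.path.dirname(current), files)
            if target and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def find_deadwood(root, entry_points=DEFAULT_ENTRY_POINTS):
    """CFML files under root that no entry point reaches through static references."""
    files = find_cfml_files(root)
    return sorted(files - reachable_files(root, files, entry_points))


def demo_deadwood():
    """Build the sample tree in a temp dir and return its unreferenced files."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return find_deadwood(root)


if __name__ == "__main__":
    for path in demo_deadwood():
        print("unreferenced:", path)
```

Treat the output as a review list, not a delete list: dynamic includes, cflocation targets built at runtime, and scheduled tasks or URLs hit only by other systems will not show up as references, so confirm each candidate against server access logs before removing it. The files it does flag are exactly the ones the article warns about: still served to anyone who knows (or guesses) the URL, yet no longer exercised, reviewed or patched with the rest of the application.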
But how do you move from that legacy hell to a heaven of modern CFML with easier maintenance and deployment, fewer bugs, and streamlined code?
Join Nolan Erck and me as we dive into that answer on the CF Alive podcast: 059 Migrating legacy CFML to MVC (Model View Controller) with Nolan Erck
What else can I do?
I recommend learning from one of the security gurus of modern ColdFusion. One individual in particular, Pete Freitag, stands out.
As the creator of Foundeo.com, he has developed several programs designed specifically to maximize protection for your CFML. I have had the golden opportunity to interview him on multiple occasions about security topics.
Related: Secrets of High-Security ColdFusion Code with Pete Freitag, to get the scoop on all things CFML security.
Hire a ColdFusion Expert to Protect your Valuables
Hiring a professional is always THE BEST THING to do if you don’t have one in-house.
Be sure to check out this article on the blog to help you make the right decisions when it comes to your hiring.
Related: How to Hire a ColdFusion Software Development Company without Freaking Out (9 best practices)
In conclusion, your CFML security is nothing to joke around about. You should strive for maximum security and coverage of your servers, applications, and platform. Don’t be the one who gets attacked and comes asking why. I’d hate to say “I told you so.”
Michaela Light is the host of the CF Alive Podcast and has interviewed more than 100 ColdFusion experts. In each interview, she asks "What Would It Take to make CF more alive this year?" The answers still inspire her to continue to write and interview new speakers. Michaela has been programming in ColdFusion for more than 20 years. She founded TeraTech in 1989. The company specializes in ColdFusion application development, security and optimization. She has also founded the CFUnited Conference and runs the annual State of the CF Union Survey.