Mike Brunt talks about “Stopping API security hacks cold (using ColdFusion API Manager)” in this episode of the ColdFusion Alive Podcast with host Michaela Light.
“We're going to be talking about API security and ColdFusion, which you may not have considered. This is a whole other attack service surface that your apps can be hacked by.”
Contents
Show notes
-
Why does CF API security matter?
- Remote API calls: False assumption that APIs your app calls are secure – but they may not be
- Local API – is it secure?
- Are they still open but not used
-
API use
- “APIs are extremely popular these days, with an average organization leveraging 15,564 APIs in total, up 201% year-on-year.” From this article in TechRadar, from April 2022.
- API use is increasing exponentially, which can expose serious security issues.
-
Common API use
- Legacy database
- Other company’s data eg USP shipping tracking
- Blockchain
- ChatGPT
- Amazon AWS features
- And many more
-
What is API
- A portal into the middle of your code functionality and data
- Sends and returns XML and JSON
-
CF API Security attacks
- Credential Stuffing: Malicious actors using stolen credentials to gain unauthorized access to API endpoints. Pay close attention to the origin, rate and frequency of authorization requests.
- Cross-Site-Scripting XSS: As we can see, many of these attacks already exist in the website world. Here malicious actors try to insert subversive scripts (often JavaScript) which can be executed. In this case, validate all input using character escaping and filtering.
- Distributed Denial of Service Attacks DdoS: Impose limits on the amount and frequency of data inputs and outputs.
- Injection Attacks akin to SQL Injection: Check, sanitize and validate all the data inputs passed via API requests. In addition ensure that data delivered via the API does not expose any possible vulnerabilities.
- Man-in-the-Middle Attacks: Ensure that all transmitted data is fully encrypted.
-
Actions to protect your CF app APIs
- Inventory All Existing API Endpoints
- – This should be a first step in determining what the attack surface could be. This audit should show the actual requirement of each API endpoint and any vulnerabilities shown in the table above.
- Both remote API calls and
- Your own APIs
- Look at API Manager monitoring
- Scan code for CFHTTP calls and CFCs that expose API
- Build API Security For New Applications/Features At The Planning Stage
- – As with the applications themselves, any security concerns should be in the very early planning stages of any new apps or features using API endpoints.
- Use Strong Authentication And Authorization On All API Endpoints
- – Ideally, there should be no API endpoints that are not strongly secured, if so, these will be captured by the inventory-audit.
- Encrypt All Traffic Via TLS
- – Ideally all traffic passing inward and outward should be encrypted and preferably via TLS.
- Use A Minimal Set Of Privileges
- – Ensure that users, systems, devices, processes etc, only have the minimum amount of privileges needed to operate. Again, this should become apparent during the inventory/audit.
- Avoid using the database SA/System Administrator user in APIs
- Expose Only The Very Necessary Data
- – the task of what data is exposed and passed should be determined via the API endpoint and not any application code. Again allow only totally necessary information.
- Validate All Input
- – Validate all data passing in and out of an API endpoint; for instance, if the endpoint only needs integers, there should be no text passing through.
- Create And Enforce Rate Limiting
- – Set limits which will reject excess transactions if they are exceeded. For instance 6,000 requests per day, per account; any requests which exceed this number will be rejected. Of course, this should be based on application needs.
- Use the API manager throttling features
- Audit All API’s Before Deploying To Production
- – This is to make sure that all necessary code/controls required for development/testing is not still in place when an app is deployed to production.
- Use A Web Application Firewall
- – Always a good idea
- FuseGuard
- API Manager notifications
- Performance monitoring
- Inventory All Existing API Endpoints
-
Useful ColdFusion features
- From my experience in ColdFusion and Blockchains these can items be very relevant.
- cfajaximport – Controls the JavaScript files that are imported for use on pages that use ColdFusion AJAX
- cfajaxproxy – Creates a JavaScript proxy for a ColdFusion component, for use in an AJAX client.
- cfclient – Part of the CF11 mobile features for client side (JS) development. Enables output of CFcode to JS.
- cfdbinfo – (For oracles, off blockchain data) Lets you retrieve information about a data source, including details about the database, tables, queries, procedures, foreign keys, indexes, and version information about the database, driver, and JDBC.
- cfdump – (Classic for error-handling) Outputs the contents of a variable of any type for debugging purposes.
- cfhtmlbody – The cfhtmlbody tag can be useful for embedding JavaScript code, or placing other HTML tags that should go at the bottom of the page just before the closing body tag.
- cfhtmlhead – Writes text to the head section of a generated HTML page. It is useful for embedding JavaScript code.
- cfhttp – Generates an HTTP request and parses the response from the server into a structure.
- cfinclude – Includes the content from the referenced file (template).
- cflog – A particularly important utility which writes a message to a log file.
- cfquery – Classic for interactions with oracles with off blockchain
- cfsprydataset – Creates a Spry data set; can use bind parameters to get data from ColdFusion AJAX controls to populate the data set.
- cfstoredproc – Another oracles related item) Executes a stored procedure in a server database. Itspecifies database connection information and identifies the stored procedure.
- cfthread – The cfthread tag enables multithreaded programming in ColdFusion.
- cfwebsocket – Includes the required JavaScript files in your CFM template and creates a global JavaScript reference to the WebSocket Object on the client-side.
- All of this information came from
Mentioned in this episode
- Mike episode on CF and blockchain CFA pod ___
- Other CFA pod API manager
- Adobe API Manager podcast
- API Manager download
- http://{IP Address}:9000/admin/login.html
- https://helpx.adobe.com/coldfusion/api-manager/api-manager-publisher.html
- Getting started with API manager
Listen to the Audio
Podcast: Play in new window | Download | Embed
Subscribe: RSS
Bio
Mike Brunt was born in Northern England in 1948. It was a time of austerity for the British people who had rationing in place due to the effects of the Second World War. He pursued a management career in transportation equipment, becoming Director of Excess Stock at British Leyland Truck and Bus. He moved to the USA in 1989 and eventually took up a career path in technology, coinciding with the emergence of the World Wide Web. Mike then became involved in Teleradiology, working alongside Kodak, Lucent Technologies and GTE. Mike is still deeply involved in technology, being a specialist in capacity planning and tuning for Java systems. He is becoming ever more involved with Blockchain and peer-to-peer-based infrastructure.
Specialties: Java server engineer, Blockchain infrastructure engineer, ColdFusion, networking, database design, server troubleshooting, teleradiology, and web infrastructures.
In addition to his career path, Mike is a composer and musician, having been involved in creating 11 electronic music albums. Mike also paints with well over 100 paintings located in Los Angeles, New Zealand and Eugene, Oregon. Lastly, Mike is a Permaculture Certified Designer and lives on a 5-acre farm in the Eugene area of Oregon.
Mike Brunt is also known as CF Whisperer.
Links
Interview transcript
Michaela Light 0:02
Welcome back to the show. I'm here with Mike Brandt. And we're going to be talking about API security and ColdFusion, which you may not have considered. This is a whole other attack service surface that your apps can be hacked by. Mike has been doing cold fusion for basically forever since version 1.5 25 years ago or there abouts. And he used to work for a company called OLED, which some of you may remember were the people who created the original ColdFusion. Then he worked for Macromedia. I don't if you actually work for Adobe, Mike or not. But he used to fly around the country fixing people's slow ColdFusion servers and did a lot of work for Fortune 1000 companies in the United States, maybe or in other countries, too. He's a Java JVM expert blockchain expert does a lot of troubleshooting kind of stuff. So in addition, he is a composer and musician, and has published 11 albums and painted 100 paintings. And also, he's got a heavy interest in permaculture and self sustainable foods. Rene science man, I would say, Welcome, Mike.
Mike Brunt 1:20
Thank you. That was a rather lovely introduction, man. I appreciate that. Yeah.
Michaela Light 1:25
So you're welcome. What? What does? Why is it so important to look at security of your API's in your ColdFusion apps?
Mike Brunt 1:35
Well, you know, my experience has been a huge threat and said, I've been to many places over many years, you know, in terms of helping people and I've seen the increase in the use of API's. And they, let's look at two ends if we can. So let's look at remote API. So somebody's giving us a client, an API that we can connect to. Most most people that I've seen, and I'm this is not a criticism that they assume that the end the endpoint, that the person offering the API security. It's sort of a given assumption. And what typically happens in that case is the API gets dropped into the code. And it's like, you know, that's it, it's like there. So there's not really an again, I'm not being critical, it's not really a lot of attention paid to securing remote API's. The other end of things, which is obviously, if we're offering API's, again, you know, we're sort of relying on the, you know, development team. And again, not these aren't critical statements at all. But again, you know, we're relying on ourselves, securing the API that we're offering. And both of those different types of API's, both remote down API Interfaces, we may be offering, or open to security attacks, you know, not just from inside our code, but from, you know, anything that may be out there. So it's almost a bit like it, you know, to use a term, in my experience, it's like, set and forget, you know, API's get interspersed in the code. And then often, and this is a classic with cold anyway, often, they can get left left open when they're not needed anymore. You know, and, you know, and I've seen that, too. So there's various articles from people like Gartner, and so on about the increasing use of API's, and the increase in security threats that that brings. So that's been my experience with them, you know, we need we really need something that's, that's easy to use to talk like security, and it's not the security. The one thing about me mentioning it ColdFusion API Manager is that allows all sorts of fine grained control of API's, both external and internal, things like adding roles to only certain items can use that API, for instance.
Read more
Michaela Light is the host of the CF Alive Podcast and has interviewed more than 100 ColdFusion experts. In each interview, she asks "What Would It Take to make CF more alive this year?" The answers still inspire her to continue to write and interview new speakers.
Michaela has been programming in ColdFusion for more than 20 years. She founded TeraTech in 1989. The company specializes in ColdFusion application development, security and optimization. She has also founded the CFUnited Conference and runs the annual State of the CF Union Survey.
Join the CF Alive revolution
Discover how we can all make CF more alive, modern and secure this year. Join other ColdFusion developers and managers in the CF Alive Inner Circle today.- Get early access to the CF Alive book and videos
- Be part of a new movement for improving CF's perception in the world.
- Contribute to the CF Alive revolution
- Connect with other CF developers and managers
- There is no cost to membership.