Michaela Light 0:02
Welcome back to the show. I'm here with Mike Brunt. And we're going to be talking about API security and ColdFusion, which you may not have considered. This is a whole other attack surface that your apps can be hacked by. Mike has been doing ColdFusion for basically forever, since version 1.5, 25 years ago or thereabouts. And he used to work for a company called Allaire, which some of you may remember were the people who created the original ColdFusion. Then he worked for Macromedia. I don't know if you actually worked for Adobe, Mike, or not. But he used to fly around the country fixing people's slow ColdFusion servers and did a lot of work for Fortune 1000 companies in the United States, maybe, or in other countries, too. He's a Java JVM expert, blockchain expert, does a lot of troubleshooting kind of stuff. So in addition, he is a composer and musician, and has published 11 albums and painted 100 paintings. And also, he's got a heavy interest in permaculture and self-sustainable foods. Renaissance man, I would say. Welcome, Mike.
Mike Brunt 1:20
Thank you. That was a rather lovely introduction, man. I appreciate that. Yeah.
Michaela Light 1:25
You're welcome. What, what does, why is it so important to look at security of your APIs in your ColdFusion apps?
Mike Brunt 1:35
Well, you know, my experience has been a huge threat, and said, I've been to many places over many years, you know, in terms of helping people, and I've seen the increase in the use of APIs. And they, let's look at two ends if we can. So let's look at remote APIs. So somebody's giving us, a client, an API that we can connect to. Most people that I've seen, and this is not a criticism, they assume that the endpoint, that the person offering the API, is secure. It's sort of a given assumption. And what typically happens in that case is the API gets dropped into the code. And it's like, you know, that's it, it's like there. So there's not really, and again, I'm not being critical, it's not really a lot of attention paid to securing remote APIs. The other end of things, which is obviously, if we're offering APIs, again, you know, we're sort of relying on the, you know, development team. And again, these aren't critical statements at all. But again, you know, we're relying on ourselves securing the API that we're offering. And both of those different types of APIs, both remote and API interfaces we may be offering, are open to security attacks, you know, not just from inside our code, but from, you know, anything that may be out there. So it's almost a bit like, you know, to use a term, in my experience, it's like set and forget, you know, APIs get interspersed in the code. And then often, and this is a classic with ColdFusion anyway, often they can get left open when they're not needed anymore. You know, and I've seen that, too. So there's various articles from people like Gartner, and so on, about the increasing use of APIs, and the increase in security threats that that brings. So that's been my experience with them, you know, we really need something that's easy to use to talk security, and it's not the security.
The one thing about me mentioning ColdFusion API Manager is that it allows all sorts of fine-grained control of APIs, both external and internal, things like adding roles so only certain items can use that API, for instance.
Michaela Light 4:15
We'll get into that in a bit more detail on the show and talk about some of the potential attacks that you've seen out there. But just to mention that statistic that you pulled up from TechRadar, that was a 200% increase year on year in API use, and that the average organization is using over 15,000 APIs in all their apps organization-wide. So this is an enormous attack surface that's out there, and people just may not have been paying attention to it on either side of it, either for the APIs they call in their apps or APIs they provide. So really appreciate you coming on the show to highlight this and talk about what the issue is and how you can protect yourself. What are some of the common, just for people who are like, well, I don't use APIs, what are some common uses of APIs that you see?
Mike Brunt 5:16
Well, wherever there's a need to use external data, you know, that's not part of our application stack. I'll give an example, which has really accelerated the use of it. And it relates to a presentation I've given in the past, blockchain technology, for instance. In, you know, blockchain technology in its day-to-day operation, whatever it may be doing, often needs data that resides in legacy databases. You know, I mean, blockchain's still a fairly new technology. So in all those cases, there's a need to call out to external data sources to get the data that the blockchain technology needs. That's an example. But there's so many, really. To put it in a nutshell, any application that needs data that doesn't reside within that company or that application stack is typically using an API to get that information, and vice versa. If you want to share information with others out there that they don't have in their application stack that you do, then that's the other end of using an API.
Michaela Light 6:32
Yeah, so for example, if you had an e-commerce app, you might want to track where, you know, the package is, or you might want to create a shipping label. And that would be an API call to FedEx's API or UPS's API. Yeah, that's what you're using for shipping. You know, if you have an ERP system, that might be API access to their data. A new one that's just come out is that whole artificial intelligence with the ChatGPT and OpenAI API. Oh, there's too many A's and I's in that sentence. And then, of course, anyone who uses Amazon, AWS, they have about 40 different feature areas like image processing, or video processing, or, you know, S3 buckets, all of that is available through APIs.
Mike Brunt 7:28
Absolutely. I'd like to give a little insight, my view of the evolution of that. I thought that my work is stress testing and capacity planning and load testing. And in order to do that, what you typically do is you go to a URL, and you record what comes back from both the request and response to the URL, so, you know, as an example, you're browsing a website to create a load testing script. When I used to do that, I could pretty much use those scripts. But once I'd finished browsing around, I could pretty much use those scripts immediately. Nowadays, 50% of the time, getting that to work is commenting out API calls, because, for instance, if we want to do a load test with old retired virtual users, we don't want to be waiting, you know, some Google, for instance, or Facebook, or whatever it may be, because then you send them a DDoS attack. So the reason I use that illustration is I've seen the proliferation of outcalls, particularly via APIs, mushroom, you know, over the years.
Michaela Light 8:46
Well, hopefully the mushrooms are growing on healthy soil and not some shitty stuff that many mushrooms are grown on.
Mike Brunt 8:54
Well, that's a good fertilizer anyway.
Michaela Light 8:57
There you go. So what kind of attack methods have you seen out there in the wild in ColdFusion land?
Mike Brunt 9:08
Well, anything, any problem that can apply to a URL, or typical, you know, website URL, can apply to an API. So all the typical man-in-the-middle, phishing, anything that you can add. I actually made it, I think you put some in the show notes for me, fella, but actually, you know, reveal pretty much more or most of them, when not all of them. It's basically the same, because what an API is, in essence, and being simplistic here, is a URL with a board assignment, you know. But the point I want to make, which I think is important, is, you know, what dance that is, is that this is from a remote API perspective. So we're calling a remote API and called for some reason or another. And often that may change, but often the API call gets left in the code even though it's not being used anymore. And if you think of all APIs, whether remote or local, as doorways, or portals into an application, that's always, you know, whichever way we're doing that, that's always a potential security issue. And I'm sort of doing a bit of marketing here. But that's why ever since ColdFusion API Manager came out with ColdFusion 2016, I think it got hardly any mention from, I think that'd be, it was Adobe at the time, it got hardly any mention. And immediately, because of my experience out in the field testing, I realized that it was a really amazing product and something that we should be using, but it just sort of lay fallow. It's still available with ColdFusion 2021, by the way, but I haven't found a lot of usage of it yet.
Michaela Light 10:59
No, I mean, I interviewed Brian Sappey a few years ago when it came out. And I'll put the link to that in the show notes. And also Elishia Dvorak, who was an evangelist for the API Manager a few years ago, on the business case for it. And I think you're right, not so many people, they don't even realize they've got it. I think it ships with it. When it first came out, it was with Enterprise ColdFusion. I'm not sure if it's only Enterprise now, if you can get it with Standard. I'm a little confused on that. But maybe we can figure that out and update the show notes, TeraTech.com, with the correct info, because I just tried to Google that before the interview, and I couldn't find a clear answer, or any answer on that. So but it's a great tool, it's a separate install from the ColdFusion install, it comes with ColdFusion. And, you know, I think really, most people are either calling APIs or exposing stuff, and really, the API is, like you say, it's a doorway, it's a back, let's use a security term, it's like a backdoor into your app, and you've got to secure your backdoors because it's exposing functionality. You know, even if it's not a secure, I mean, it can be a security issue, they could start doing things to your app that you don't want to happen, right? But even if they just call it a whole bunch of times, and it uses up a lot of database resources and CPU resources, it could cause you problems. So API Manager lets you throttle down on how many requests are allowed from any particular person. And like you said earlier, they can have roles and can render credentials through it. So it's a very fine control. I can't think of the right word. Fine, fine-tooth? No, that's the wrong word. Gives you a lot of control over API use both ways. The ones you call and the ones you expose.
Mike Brunt 13:07
Exactly. And, you know, we see some of the horror stories. I'm not saying API exploit, but it could have been. I mean, a little while ago now, but the fuel systems on the East Coast got disrupted by a security attack, and almost brought the states to a standstill, you know? Sorry.
Michaela Light 13:30
Go ahead.
Mike Brunt 13:32
I got enthusiastic. Now, what I'd like to make is a really overall point which, you know, one of my sidelines, you could say another one, is writing things, poetry and so forth. But anyway, I'm writing a science fiction short story at the moment that talks about, not APIs, but it talks about AI, and one of the main points I make in that is that pretty much everything everywhere needs software to do things. You know, even in, sadly, poor countries, you know, often cell phones are used, or, you know, a daily part of life. So one thing that is easy to forget, I mean, we work in software, so we know those things, but pretty much everything we depend on depends on software. That's really the nub of the short story. That's changed dramatically in my lifetime. It's nonsense, you know, the change is monumental. But the point I'm making is, that means that everything we depend on, you know, these are all, be statements, is a potential security problem, which could be devastating if it were exploited. So it's really important that we pay attention to these things, particularly when we're dealing with remote, or offering remote capabilities.
Michaela Light 14:52
Yes, unless you lock your servers up and don't give them internet access, you are going to have some kind of security concern. So no, and I do agree with you there, most organizations, companies, you know, and other organizations do depend on software. And you know, the internal IT and programming is critical to their business success. Exactly. We often forget, you know, some ways, you know, like an automobile manufacturer, like Ford or Tesla or whatever, really, they're a software company that is selling cars on top, but a lot of modern products and services really are, you know, there's a lot of software involved in there. And then that's a whole security issue, and you really don't want your manufacturing plant to be brought to a standstill because it got hacked. Or your product to be misused, you know, by someone hacking into the software.
Mike Brunt 15:53
Yeah, no, it's a constant and, unfortunately, never-ending issue. And that's a really good point you make. I mean, even just to amplify that a little, you know, the fact that Tesla is really a software company, for instance, even standard manufacturers still producing gasoline or diesel vehicles, that's still, that's just up the road, lots and lots of chips in the new vehicles, basically.
Michaela Light 16:21
Yes, and in their manufacturing plant. I mean, I almost, you know, though we get lots of cool features in modern products, whether they're cars or airplanes or whatever, from having software in there, in some ways, I kind of like having a, you know, a car that I actually could do the repairs myself, you know, because with modern cars, you can't do that, you know, unless you have the computer software gizmos that you plug into them, and I think they don't let you do that at home. But it used to be you could just, you know, repair anything on a refrigerator or a car. I mean, even refrigerators often have software in them now, it's like, absolutely, yeah. And I understand the benefit of that, you know, maybe it kind of saves energy, or maybe it reminds you to buy milk, you know, on your cell phone, because it tracks how much goes in and out of the fridge. So
Mike Brunt 17:20
I have a friend who is interested in that too. So I have a friend, and that son has a phone, a cell phone. And there's an app now that runs on his cell phone, and probably the parent's cell phone, that tracks where he is. And also even things like the battery's running low. In other words, it reports on the cell phone of the parent, basically, in this case. But I did have another insight too. I said before, I've worked in technology, actually worked in the vehicle business, I worked with British Leyland, I'm sure you, Michaela, you know, and for people in other places, things like Jaguar, Land Rover, and many, and so on. They were all British Leyland products. And yeah, I mean, just to amplify what you said about repairing things. I've repaired many vehicles in my life, you know, typically, it's hard to do that nowadays. But yeah, this is just amplifying how immersive our lives are in the software world, you know, we're completely immersed in them. And again, all of that depends on, a lot of it anyway, or most of it, depends on API calls. So I'm just emphasizing things that I've emphasized before, I suppose.
Michaela Light 18:37
Yeah. Now, fundamentally, you know, an API is you send it some XML and it sends back some other XML. And XML is just text, or is formatted text. So you can sort of imagine the naughty things a hacker could get up to by manipulating X flows in XML packets. Absolutely, absolutely. On both ends, if they could mess up the data you get back. But also, you can do SQL injection attacks, or any of the other standard hacking things that probably many listeners are familiar with, you know, denial of service, or cross-site scripting. Sorry. And the issue is that the API call just goes into the middle of someone else's app, or it goes into the middle of your app. And you may not be thinking about protecting it as much as you would if it was a regular web form, where, you know, you use, you know, CF rm and all the other things you do to amp up your security. So
Mike Brunt 19:44
Yeah, and another point that I was going to make is there's also, when data is in transmission, in other words, you call that and the API has some data coming back, often that can be in plain text, you know, unless you, oh, yeah, oh, Shumaker, just like a non-HTTPS call going back, you know. So that's another level, which API Manager can help with, to make sure that everything that's transmitted and received is encrypted, you know?
Michaela Light 20:16
Yeah, no, I think that's important. So let's talk about, sorry, you have quite a lot of ideas here on how you can protect your APIs in ColdFusion. Obviously, first thing is install API Manager. But what are the other things you think are important, Mike?
Mike Brunt 20:35
You mean, beyond API Manager? Or within? You know, what,
Michaela Light 20:38
what are the steps you suggest listeners take to make sure their API usage is secure? Well,
Mike Brunt 20:45
That's a really great question. Even without API management, one of the things I definitely advise clients to do is do an inventory of the APIs you're using, both, again, both remote, called out, and what you're offering. Often, like I said, APIs get lost in the code, and they get forgotten about. And I've actually had, not ColdFusion clients, but I've actually had a client who got highlighted that there were some APIs left exposed that weren't needed anymore. Some remote attacker found them and exploited that. So step number one, really critical, whether you're going to use API Manager or not, do an inventory of the APIs you're using. That's really the first critical step.
Michaela Light 21:29
Does API Manager help with that? If you've got an app where you don't remember what you've got. And
Mike Brunt 21:36
you know, actually what question. Okay,
Michaela Light 21:38
I think it monitors all API use, doesn't it or
Mike Brunt 21:43
No, no, you're not wrong. So what I would, I'll also have to corroborate that. But what that would involve is some sort of scan of current applications to see what APIs are in there, obviously. So I will look at that. I imagine API Manager must have that capability. But I'm not, I've not used it, if it does. But that's it. I'm sorry, I'm going on about this. But it's a really critical step. Let's first of all find out what APIs are being used. And
Michaela Light 22:16
then in your code, that's probably, they're probably being used through CFHTTP.
Mike Brunt 22:22
Cool. Yeah. Yeah. Yes, exactly. That?
Michaela Light 22:26
Sure, there are other ways to do it. But 99.9% of people using APIs are using CFHTTP.
Mike Brunt 22:33
Right. Exactly. Yeah. Because I should be fair about that. ColdFusion in its own right, obviously, has things that can be done with, you know, with some of the things that I'm talking about. But it's more, you know, it's more fine-grained, which is also involved. You mentioned one, which is really important, Michaela, which is throttle, you know, throttle the number of calls that can be used with that particular API, you know, because as a classic, you get this, like, DDoS attack. If you don't control the amount of, let's say you're offering an API, and you don't control the amount of traffic that can go through that API, then you wind up.
Michaela Light 23:17
Yeah, so one of the things API Manager lets you do is you can have users and roles and authentication. And then some users, you know, maybe they're paying for API access, and they can have a high volume, or maybe you have a free tier in your plan. And those people are limited, they can only make one call every so many seconds or whatever that restriction is. Yeah. And then also API Manager can report on how much API traffic you're getting from different users. So
Mike Brunt 23:46
Yeah, that's a really good point. And I will make a more overall point on this because, again, these are things I've seen over the years: logs. So let's say you were in security, let's say that was your job in life. The first thing you're going to do, if somebody gets exploited, is you want to look at the logs. You know, most people never do, a lot of people, and I'm not criticizing, it's just how pressured development is, and it gets more pressured as time goes by, because there's more software out there. So most people don't even look at the logs. And, you know, again, I'm gonna give an example. I've used lots of sophisticated tools over the years to monitor things, like FusionReactor, SeeFusion, and etc. But I also always want to see the logs. You know, that's that really. So this is an overall point. Like I said, logs are critical, and ColdFusion has always had superb logging capabilities. So, you know, I'm just making a general point there. Take a look at the logs, you know, make it a habit to check them regularly. I mean, we had an issue very recently with a client where some or other development environment got hacked. By looking in the logs, we were able to at least identify when it happened. You know, when, you know, so that, anyway, I won't go on about that. But logs are critical. And that's, you know, that's a, you mentioned, speaking specifically of ColdFusion API Manager, there's a very good logging, what would I call it, logging analysis component to API Manager. And that's important.
Michaela Light 25:44
Yeah, so review the API logs, make sure all your APIs have, you know, have authentication. And so even for internal ones that you're only using between your own apps, it's wise to have authentication on those. So if someone, something malicious got into your servers, they couldn't get to those API endpoints without valid authentication.
Mike Brunt 26:12
Yeah. Please, you continue
Michaela Light 26:16
on, are you? Well, also, you know, encrypting the traffic with TLS, so people can't snoop on what's going backwards and forwards across the internet. What were you going to say about authentication and encryption?
Mike Brunt 26:33
Where it's a bit of a joke. I mean, literally, so there's two security engineers talking about security, you know, one's full of himself, you know, bragging and so on. He says, my, the security of my home is so good, I can't even get in anymore. Right, you know, so everything's a balance. But you know, we do tend to be, and I want to just mention something, because it's important, because I've said some things that sound critical, critical of others, not critical as a critical problem. The issue generally within technology is, you know, this is a general comment, an obvious one really, since software's everywhere, you know, I often think the worst software failure in history is the Boeing 737 MAX. That was purely a software problem, that's on the side. You know, it's one dimension. And that is a classic example of what happens to developers. The developers of software, from what I've read, were pressured into releasing something that wasn't properly functional. So I just wanted to make this as a general statement, the pressure on development teams to get things out of the door as quickly as possible is still there. And if anything, is more intense than it was. So things like API Manager, you know, ColdFusion API Manager, can help. I mean, using API Manager, in my experience, to achieve required levels of security is a lot easier than just trying to do it by standard ColdFusion code or any other. You know, it's not just ColdFusion. I mean, obviously, there's other software languages out there. And of course, the other thing about it is it's a standalone product. So it doesn't need to be, you could, you know, a PHP shop could be using API Manager, for instance, you know, or Java.
Michaela Light 28:38
I do know some people who use it with other, you know, other languages for that reason. Yeah. Let's talk about some of the other things folks listening can do to protect their API. So what about the privilege level on, you know, on these exposed pieces of functionality through API?
Mike Brunt 29:03
Yeah, well, are we talking just as a general comment here or specific to API Manager?
Michaela Light 29:10
Well, either way, either way.
Mike Brunt 29:13
Yeah. So basically, I mean, we're all familiar with the, authors of the Northern English ism, those of us in the software world are obviously, you know, aware of roles and, you know, permissions. And so there was, years ago, for those of us who've been around in ColdFusion for a while, there was Spectra, a product that came out, which was a CMS, if I remember that right, a pretty good one actually at that, but eventually, I think it was Macromedia decided to, you know, kill development of it. But there was a thing in there called advanced security, which was LDAP based, and that was a classic fine-grained mechanism where you could control roles and permissions, and so on and so forth. So that's a very important part of any application. And you know, that advanced security went away, probably the same time as Spectra. But the principles that we use inside of API Manager are those same sort of principles. So you can apply very fine, this is just the API, though, you can apply very fine-grained access permissions to all sorts of things, you know, directories. You know, and that's, again, just speaking APIs, because we are, using API Manager makes it a lot easier to apply, and, you know, quicker to apply, those sorts of controls on API code. And everything from, you know, because it's not just the API that gets exploited, the API is just a doorway. It is one, what access is allowed from that to all the things inside the application stack and the environment, you know.
Michaela Light 31:11
Makes sense. So if you're exposing parts of your app, you might want to only give the privileges needed for that piece of database access. So not, yes, the admin user. Talking about exposing things, you know, what are your thoughts on what data gets exposed through APIs?
Mike Brunt 31:37
I mean, largely speaking, in my experience, it's RDBMS, relational database management system, data, or it could be NoSQL, one or other of those two. A couple of things, I just had a little smile then when you mentioned administrator, so I still find, you know, talking SQL Server, I still find clients using sa as a user, which is like, it's like every door in the house and every window. And the classic, these are the signs, select star, you know, it still gets used widely, even in sample code, example code. But anyway, those are the signs. So a lot of it is database, you know, back-end database data. That's the majority of it. And I will amplify something else that was subject to another presentation I made in the blockchain world, and blockchain is expanding in use, you know, constantly. Most of the data that's needed in blockchain-based applications is still locked outside in some relational database system or NoSQL. So, you know, again, it's another reason why the use of APIs has exploded, and I'm repeating myself here. And as you've said also, Michaela, AI is going to be a slightly different type of data, you could say. But all, we're not, you know, API use is not going anywhere. So you know, it's not going to reduce, it's not going to, you know, again, repetition here for me.
Michaela Light 33:20
No, it's definitely increasing, you know, allows different systems to talk to each other, effectively, hopefully in a secure way. I mean, that's what we're talking about, how to keep it secure. So, you know, I only see it expanding. And then, you know, if you're architecting using a microservice architecture, you've got all kinds of API calls going on, and you're exposing, you know, with a monolith application, all the internal functionality is hidden, but when you do a microservice architecture, you know, your internal data and functionality is exposed, and you want to make sure you've secured that. So coming back to the data, I think it makes sense to only, you know, share in your APIs the data required, don't just dump back out all the data you have, it's not needed. It's just a security, you know, risk to do that. Yeah. Now, what about validation, you know, APIs get lots of parameters. What are your thoughts on the input validation?
Mike Brunt 34:28
Well, that's critical, you know, because it's another form of control, you know, if you're expecting, for instance, if you're expecting a particular type of data, then you should be making sure that that's what you're getting, you know, which is the simplistic way of saying it. And I will mention another thing here, which I haven't really said, which is sort of obvious, but maybe not. Another key reason for the explosion of the use of APIs is it allows cross-language, software language, communication. So you can call out from ColdFusion to a PHP application or an ASP application or Java or, you know, etc, etc. So that's another reason that APIs have got so popular too, you can cross software languages. Because what you're doing, you, it's not the right set of words, but I'll use them anyway, you're sort of dumbing down the data. So that is, you know, you mentioned one, which is XML, you produce a universal, JSON or another. You're providing, you know, providing formats that are readable across different software languages. But to go back to your point, you definitely want to make sure that with a remote API you're getting back what you're expecting to get back. Very important.
Michaela Light 35:57
No, that makes sense, yeah. Because if you don't validate your inputs and outputs, people, you know, hackers can sneak in, start funding, if you're using that data further in your app, for example, you're using it in a SQL query, they could definitely be causing problems with SQL injection or other tricks. So I think people forget this, they think they're just exposing an API for themselves, for their, you know, internal use, and they forget other malicious actors might get ahold of that endpoint somehow, and start making calls to it. So a suspicious attitude here. Because basically, if you think about it, with a legacy app, you kind of have a set, you know, you have a house with just one front door, and it's secured. But with APIs, you're opening up all kinds of extra backdoors into your app. And now you've got potentially hundreds or thousands of endpoints in your applications.
Mike Brunt 37:02
I mean, the classic, and this happens with every software language out there, legacy code gets left in there, you know, that's not used anymore. It wasn't domination anymore. And that's why I say that API, you know, the, what's the word I'm looking for, the audit, the audit of API use is really critical, even if you're not there. And I think I said it, but I'm gonna repeat it. Even if you're not using ColdFusion API Manager, you need to audit what APIs you've got, and whether they're still, you know,
Michaela Light 37:40
Yeah. So let's talk a bit about denial of service attacks, because that's another way to cause problems. How would you suggest people deal with denial of service on their APIs, where someone's hammering away on that particular API deliberately to try and crash your app?
Mike Brunt 38:02
Yeah, well, there's a couple of things. If you're using ColdFusion API Manager, which I strongly recommend, then you can apply controls, which we've mentioned already: how many times can this API be called in a time period, for instance? The other classic, which I've talked about, if you don't have API Manager in use, is logs. Because the wonder of ColdFusion, I can't state this enough, is that the logging, from the beginning, for as long as I can remember, has been superb. The only downside of it is that there are a lot of different logs. That would be, to be honest, Michaela, unless you've done it already, another good podcast, as a separate thing about the logs. Just to boil that down a bit, I'll give a couple that are important. And this is answering your question about the denial of service attack, because you'll get all these things in the logs. The best catch-all log in ColdFusion is called coldfusion-out.log. That's where you're going to get most information of overall use. The next log that I like to look at, and these are sort of general recommendations, is the application log, which has been around from the beginning of ColdFusion. I'm just going to take a drink of water. coldfusion-out.log came about when ColdFusion went to Java, which was ColdFusion 6.1. It's in essence a Java log, but it's a good log to look at. The application log will show you things that are going wrong in the application, from a code level basically.
Michaela Light 40:10
Great, great to look at the logs. On the API Manager throttling and rate limiting, you've got pretty fine-tuned control of it, limiting how many accesses each user can have; a user is someone who's authenticated to your API. And then you can limit how many accesses they can have per second, per minute, per day. And you can either send notifications if they exceed it, or you can block them if they are accessing it more than they're supposed to.
Mike Brunt 40:49
Yeah, so those are really powerful features, once activated.
Michaela Light 40:55
Yeah, so I'll put a link in the show notes to that documentation. It's very important to turn that on for any API; you don't want people hammering your service millions of times an hour, or whatever, with a distributed denial of service attack. What other steps do you think people should take to make their APIs more secure?
Mike Brunt 41:24
Again, if they're not using API Manager (and we could ask, who is using API Manager?), there are obviously security best practices that can be done in ColdFusion itself, no doubt about that. Again, I'm repeating myself, but this is really important. Step one is, let's figure out what APIs we're using and what APIs we're offering. Now, let's look at the code and see, do we still need those? And if we do, then what controls, again outside of API Manager, can we apply within ColdFusion's own capabilities? Again, as I said, I'm flogging a dead horse, but that audit is really important.
Michaela Light 42:16
So before deploying your app to production, do an API audit: see what API calls you're making, and are they secure? Look at the calls you're exposing: are they still used, and are they secure? And make sure you've got API Manager set up for your production system. For those who haven't used API Manager, you can either have a single instance, or, if you had a really high volume app, you can have a cluster of API Managers controlling access to and from APIs in your app. And Adobe has a Docker image for API Manager, if you're doing a cloud kind of deployment. What are your thoughts on web application firewalls?
Mike Brunt 43:04
I think they're an essential item to use. I mean, I haven't done any hands-on development for years, but I am constantly seeing ColdFusion applications on a daily basis. So web application firewalls are definitely something that I believe are a good thing to use, if they're available.
Michaela Light 43:30
So there are many out there. FuseGuard is a ColdFusion-specific one. Basically, what a WAF, or web application firewall, does is inspect all the requests being made, whether they're API or other requests, and look for malicious requests being sent, whether they're cross-site scripting or SQL injection, or location-based: sometimes you use it to filter out certain countries. If you don't have any users in North Korea, then maybe you just filter out all the packets coming from that country, or whichever countries you feel are inappropriate. So that's another layer of security that protects both API access and regular form or URL access to your app. Right. Go ahead, sorry, you wanted to add something?
Mike Brunt 44:20
No, no, I was just agreeing with you.
Michaela Light 44:23
So the other thing in API Manager is that you've got a whole set of notifications for when people do things they shouldn't be doing, whether they're exceeding their throttling limits or doing naughty things, or using a lot of CPU.
Mike Brunt 44:44
Yeah, well, that's another aspect too, because we haven't touched on that, but I'll just touch on it quickly, and that's performance. Because it's not just the security ramifications if somebody's trying to do something they shouldn't; it can also slow your application, or your internal application, if something's not controlled properly.
Michaela Light 45:09
That makes sense. So any other thoughts on API security or use you want to share?
Mike Brunt 45:19
I think basically we've gone through a lot of them, and in the notes that you've kindly made, a couple of them can be followed up. And generally, going outside of APIs, general security in applications is incredibly important. And often, due to pressure of work, it's something that... to this day, it's even more so. Most applications, and this is again multi-language, most applications that get out there are never adequately tested, with security being part of it, because of the pressure of work to get things out. I think it was, I can't remember who it was that said this, it might have been, well, there was another ColdFusion luminary who said that 70% of software applications fail. And that doesn't mean they fail completely; it means that they fail to... I'm not sure "graceful" is the right word. But often, most applications, still to this day, get out there when they shouldn't be there. And I'll repeat myself again: that's the most tragic example of what's going on.
Michaela Light 46:33
Yeah, there's all kinds of software issues out there, and some of them can cause people to lose their lives, or lose a lot of money. All kinds of things can happen. So I would say, when you're writing a ColdFusion app or maintaining an app, which we do a lot of at TeraTech, meaning maintaining and modernizing other people's ColdFusion apps, it is good to pay attention to security when you're writing the app. If you've inherited an app, then API Manager is a great way to add a layer of security to your API use, and then go back and do all the suggestions you had about looking at the APIs: are they still used? Are the inputs validated? Are you only sending out the minimal amount of data, and using the minimal amount of access to your data, that is required? So lots of good things to do there. I'll put the links for you to download API Manager and the documentation in the show notes. And I'll also put a link to your prior episode on blockchain, because I know you're keen on ColdFusion blockchain programming.
Mike Brunt 47:51
Yeah, well, it just isn't, overall... And I know you're deeply involved in this, Michaela. But the good news is ColdFusion's been around a long time; the bad news is ColdFusion has been around a long time, and it gets a bad rap from that standpoint. I mean, it's been great to me for many years, and to me it's a very, very current and significant programming paradigm, ColdFusion. I'm going to make one point which is probably mildly controversial, just to sort of emphasize how important and relevant ColdFusion is: people are still buying licenses for it. PHP and so on and so forth you don't need licenses for, but if ColdFusion isn't still relevant, why are people still buying it? Yeah.
Michaela Light 48:50
Oh, no, it's still very relevant. We do an annual State of the CF Union survey, and we get a lot of feedback on there; it's still a widely used language. It's hard to get a grip on exactly how many users there are; I'm going to guess around 100,000 out there. Part of the issue is that, from research I've done, for every one site on the public Internet, there are three sites that are on intranets that are private, or extranets where you have to have credentials to get in, and they just don't get picked up by these "what language is being used" surveys. And then with modern ColdFusion apps, you don't expose the .cfm file extension on the website, so you can't tell what language it's written in. And a lot of these sites that claim to tell you if this is written in Java or ColdFusion or .NET, they just get it wrong. I mean, I looked with Brad Wood deeply into one of those sites, I'd better leave it nameless because it made such a dog's dinner of doing it. You could feed it a URL and it would tell you what technology was used. We fed it a ColdFusion site and it said, oh yeah, this was written in .NET. And it's like, no, it wasn't. Maybe it was running IIS underneath ColdFusion; maybe that's why you think it was written using .NET. But it's actually using Adobe ColdFusion. Or in another case, it was using Lucee. And we did try to communicate with tech support, but didn't get anywhere.
Mike Brunt 50:37
A classic example. It's a bit like, you know, I always get suspicious of things like surveys when... 8 billion people did that. That's 8 billion people. Yeah. I will make another point, though, which is sort of off topic, but important. A lot of people think that ColdFusion has lost some momentum, and PHP is probably the main entity responsible. But it's more than that. The largest single attack surface in web technologies is WordPress.
Michaela Light 51:16
Well, it's a very popular content management system. We did look, I'm trying to remember who it was, anyway, at someone who had analyzed the number of hacking attacks on different languages, and ColdFusion, I think, was the second most secure language out there. And I know for a fact that Adobe put an enormous amount of effort into making ColdFusion secure, not just with this API Manager that they released in 2016, but also in the ColdFusion language. They're all over any security issue in ColdFusion; they actually have a full-time person, I think it's called the ColdFusion security czar, I forget her exact title, and they take it very seriously, because a lot of organizations use ColdFusion and security is incredibly important to them. And that's one of the reasons they keep using it. And then the other point I just want to make for APIs is that ColdFusion is really good at both consuming and generating, or exposing, APIs. Many, most modern languages let you do that, but the point is ColdFusion makes it very easy in code to both consume and expose APIs. So it's a great glue language for doing blockchain or AI or AWS stuff, because of that, and with API Manager you can do it in a secure way. So, right. Yeah. Well, I really appreciate you coming on the show and talking about API security and API Manager and all the other topics we covered, Mike. If folks want to reach you online, what are some good ways for them to find you?
Mike Brunt 53:02
So the main website I'm running at the moment is called JVMWhisperer.com. It's like CF Whisperer, which is one of my other alter egos. But I focus there on ColdFusion things and Java generally, the JVM in particular. So that's my main website in terms of the software world nowadays. I'm pretty active on Facebook and Twitter, and I think CFWhisperer is my Twitter handle. I'm on GitHub too, as CFWhisperer. LinkedIn, I can't remember my LinkedIn because of the numeric appendage, which I can't recall. I'm pretty much active on all of them. And, you know, obviously technology is a big part of my life. You mentioned also permaculture, Michaela, which is basically regenerative agriculture on a smaller scale, and music: I'm on SoundCloud. That one's Coopera. I can note all these down anyway. But yeah, there's a few different versions.
Michaela Light 54:13
Yeah, we'll put all of those in the show notes. So the CF Whisperer one is the easiest way to find you, for people to remember. A whisperer is, I guess, like a horse whisperer, someone who can heal horses by listening to them. So as a CF Whisperer, you kind of listen to ColdFusion servers and can find out what's wrong with them. Yeah.
Mike Brunt 54:37
I'll give you a quick story, just quickly. That all came about because I was working with a wonderful team in Los Angeles, actually, and this was a long-term job, not a one-off task. Anyway, the point is, this lady, she watched me for a while and then she said, you should call yourself CF Whisperer. So that's where it came from. It was a nice compliment, because I do have, and it is Valentine's Day so I can say this, I do have an intimate relationship with ColdFusion servers.
Michaela Light 55:14
Well, hopefully it's very loving. So, I appreciate you coming on the show, Mike, and good luck with all your projects.
Mike Brunt 55:22
Thank you, Michaela. I really appreciate the opportunity, and wish all the ColdFusioners out there all the best.