- Adobe ColdFusion Security: Second to None
- What makes Adobe ColdFusion so special?
- Join the CF Alive revolution
It is considered best practice to write ColdFusion Components and all business logic in CFScript and to use CFML only in .cfm files amongst HTML.
The CFScript syntax provides a way of writing CFML code without using tags, and it can either be in a script based component (CFC) or inside the cfscript tag. CF tags are pretty much what makes our syntax so much better than other languages. And ColdFusion has no shortage of unique built-in tags. In fact, there are damn near 100 completely unique tags each with their own individual function.
The cfscript tag performs processing in CFScript. It uses ColdFusion functions, expressions, and operators, and you can read and write ColdFusion variables within the tag. For a detailed description of the CFScript scripting language, including documentation of CFScript statements and the CFScript equivalents of CFML tags, see Extending ColdFusion Pages with CFML Scripting.
You can use this tag to enclose a series of assignment statements that would otherwise require cfset statements.
<cfscript>
    xParam = 115;
    yParam = 200;
    color = 'FFCC99';
</cfscript>
ColdFusion Components (CFCs)
Adobe ColdFusion also has the unique ability to interact with objects and Object-Oriented programming with the use of ColdFusion Components.
Think of CFCs as the objects of ColdFusion. At their core, they are essentially just a bundle of functions wrapped up neatly to represent a single entity–let’s say your group of employees. This could be a neat little packet of programming you use to regulate your employees' records.
That works because you can assign different functions to each CFC. Remember, functions are what CFCs are at their core. So, you can assign functions to list, create, update, or even delete employee records.
Now, most of you CF vets out there are probably thinking… “Yeah, yeah. I could’ve done all that with the use of <cfinclude>.” And you wouldn’t be wrong. But there are so many more benefits to using CFCs than just a convenient ball of functions.
Benefits of CFCs
- Simply put, CFCs are faster. And there’s a good reason for that. They’re already compiled, after the first time you use them anyway. After that first use, the component remains precompiled until you update it. (At that point it compiles once more and then stays compiled until the next update.)
Reusable and Transferrable
- You can code your components to become a stable piece of code that you can move freely without breaking it. This means you can effectively copy and paste your components from one part of your code to another.
- Your CFCs are self-documenting. This means that they produce their own documentation. Well, provided that you use the “Hint” attribute of course.
- ColdFusion components are more secure than the average object. You can actually restrict access to both CFCs and their associated functions.
- One would assume that CFCs can share methods with other CFCs. And that would be true. But did you know that you could also extend those properties to non-ColdFusion entities such as SOAP or URL calls?
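The access restriction and remote (SOAP or URL) exposure described in the list above, shown as an added example that is not code from the original article or from Adobe. It is a hypothetical EmployeeService.cfc: the function names, the "hr" role and the sample records are constructed for illustration, while the access levels and the roles and hint attributes are standard CFML.

```cfml
// EmployeeService.cfc: hypothetical component; names, role and records are constructed.
component hint="Employee records, showing the four CFC access levels." {
    // Pseudo-constructor: sample data kept in the component-private variables scope.
    variables.employees = {
        "1" = { name = "Sample Employee A", dept = "Engineering" },
        "2" = { name = "Sample Employee B", dept = "Finance" }
    };

    // private: callable only inside this component and components that extend it.
    private boolean function isKnownId(required numeric id) hint="Whole, positive, existing id." {
        return arguments.id > 0 && arguments.id == int(arguments.id)
            && structKeyExists(variables.employees, int(arguments.id));
    }

    // package: callable only from components in the same package (directory).
    package void function removeEmployee(required numeric id) hint="Deletes one record." {
        structDelete(variables.employees, int(arguments.id));
    }

    // public (the default): any local CFML code may call it; HTTP and SOAP clients may not.
    public struct function getEmployee(required numeric id) hint="Returns a copy of one record." {
        if (!isKnownId(arguments.id)) {
            throw(type = "EmployeeService.UnknownId", message = "Unknown employee id.");
        }
        return duplicate(variables.employees[int(arguments.id)]);
    }

    // remote: reachable by URL and SOAP, so return little and require a role.
    // roles is enforced against the roles assigned at login with cfloginuser.
    remote array function listDepartments() roles="hr" returnformat="json"
        hint="Department names only; no personal data." {
        var seen = {};
        for (var key in variables.employees) {
            seen[variables.employees[key].dept] = true;
        }
        return structKeyArray(seen);
    }
}
```

Only listDepartments can be invoked from outside the server, and only by a logged-in user holding the role; everything that touches a full record stays public or narrower.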
Adobe ColdFusion Security: Second to None
As much as it pains me to say it… There are many out there who just hate ColdFusion. Search anywhere and you will find some kind of report about how insecure ColdFusion “actually” is. But here’s the thing. Nobody hates on the guy at the bottom of the pack. They’re already there. It’s too easy. But if you’ve got genuine “haters”, you must be doing something right.
And well, when it comes to security, Adobe ColdFusion 2018 is second to none.
Every platform will say it’s the most secure. That they are the top of the line. But most of that’s just a bunch of rhetoric. Where’s the proof? Where’s the data?
How about this… Let me share some data with you.
According to CVE Details (the ultimate resource for security vulnerabilities), ColdFusion has only a mere fraction of the security vulnerabilities that other programming languages have.
Let that sink in. And if you don’t believe me… Here’s the link. Go ahead and check it out. I’ll wait.
And you know what’s even better for us CF’ers… That graph and analysis go back to 2006. So, for over a decade, ColdFusion has consistently been the most secure web development platform out there. Say what you want. The numbers don’t lie.
There’s good reason for this. Adobe cares about your security. They are constantly providing new security updates and patches to keep us as CF’ers one step ahead. And for that we have to thank Adobe.
ColdFusion Auto Security Lockdown
In the release of Adobe ColdFusion 2018, a very powerful tool was introduced to further our security capabilities.
The Auto Lockdown feature.
Every developer worth their salt understands the importance of properly securing their system. It can be the difference between life and death (of your ColdFusion web apps that is). So it’s awesome that Adobe released this feature.
It automatically scans and searches your application code for any existing security vulnerabilities and any potential security breaches. It determines the exact vulnerable code, type of vulnerability, and severity level. After all of that, the analyzer presents you with the option of removing and repairing the problem via recommended means.
But we also need to give thanks to our community. Adobe isn’t the only one looking out for us. Members of our very own community are developing third-party applications to turn our platform into something bigger and better. And when it comes to security… one company comes to mind.
Foundeo Inc.: CF’s Guardian Angel
Foundeo Inc is an independent organization dedicated to raising the security of your ColdFusion platform. And they have some serious credentials. You see, the founder of the company is none other than Pete Freitag, CF’s most-recognized security guru. He even helped to construct ColdFusion’s lockdown guides.
And he’s constructed a couple of third-party tools to even further champion our security–most notably FuseGuard.
FuseGuard is a ColdFusion specific Web Application Firewall (WAF) that protects against common hacker exploits.
According to the FuseGuard ColdFusion Web Application Firewall Documentation, this is how FuseGuard works.
- A request comes in and is sent to the firewall via your Application.cfm or Application.cfc file.
- The firewall runs each filter that you have configured, and the filter returns a threat level of 0-10 (10 being the most dangerous).
- If a filter returns a threat level greater than or equal to your configured block level, the request is blocked, and remaining filters are not executed.
- If a filter returns a threat level greater than or equal to your configured log level, the request is logged.
- You can write your own custom logger or use one of the loggers included with the product.
- If a filter returns a threat level greater than or equal to your configured filter level the request is filtered, meaning we attempt to escape or strip malicious characters. Not all filters support this operation.
- If the request makes it through all filters successfully the request is allowed to continue to your Application.
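The filter flow quoted above, modeled in CFScript as an added example. It is not FuseGuard's code or API: the function name, filter names, patterns, threat scores and level values are all assumptions made for illustration, as is the choice to log a request that is also blocked.

```cfml
<cfscript>
// Constructed model of the flow listed above; not FuseGuard's code or API.
// A filter is a struct: name, inspect(params) returning 0-10, optional sanitize(params).
function inspectRequest(required struct params, required array filters, required struct cfg) {
    var result = { action = "allow", logged = [], params = duplicate(arguments.params) };
    for (var f in arguments.filters) {
        var threat = f.inspect(result.params);
        // Assumption: a blocked request is still logged when it meets the log level.
        if (threat >= arguments.cfg.logLevel) { arrayAppend(result.logged, { filter = f.name, threat = threat }); }
        if (threat >= arguments.cfg.blockLevel) {
            result.action = "block";
            return result; // remaining filters are not executed
        }
        // Not every filter can sanitize, so the key may be absent.
        if (threat >= arguments.cfg.filterLevel && structKeyExists(f, "sanitize")) {
            result.params = f.sanitize(result.params);
            result.action = "filtered";
        }
    }
    return result;
}
// Hypothetical filters; names, patterns and threat scores are constructed.
filters = [
    {
        name = "MarkupFilter",
        inspect = function(p) {
            var worst = 0;
            for (var k in p) {
                worst = max(worst, reFindNoCase("<\s*script", p[k]) ? 8 : (reFind("[<>]", p[k]) ? 4 : 0));
            }
            return worst;
        },
        sanitize = function(p) {
            for (var k in p) { p[k] = reReplace(p[k], "[<>]", "", "all"); }
            return p;
        }
    },
    {
        name = "LengthFilter", // no sanitize key: it can only score
        inspect = function(p) {
            for (var k in p) { if (len(p[k]) > 2000) { return 10; } }
            return 0;
        }
    }
];
cfg = { blockLevel = 7, logLevel = 3, filterLevel = 4 }; // constructed configuration
samples = ["plain text", "a < b", "<script>x</script>"]; // constructed inputs
for (s in samples) { writeDump(inspectRequest({ q = s }, filters, cfg)); }
</cfscript>
```

Setting the log level below the block level, as here, means sanitized and blocked requests both leave a record that can be reviewed when tuning the thresholds.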
Simple facts why ColdFusion is the most secure web language
Hey CFers, I am working on proving that ColdFusion is (was and still is…) the most secure vs. other programming languages. Here's something I found recently:
CVE Details specifies the number of critical vulnerabilities in comparison with other languages.
What makes Adobe ColdFusion so special?
After 23 years and hundreds–if not thousands–of active programming languages, why is Adobe ColdFusion still alive and thriving?
The secret to that lies hidden within the official language itself and its syntax.
CFML is a tag-based language unlike any other. Its ease of use and wide array of functionality make it a top contender for any developer.
And in today’s modern age, ColdFusion does something better than any other language out there.
When compared to other programming languages, Adobe ColdFusion comes across as a veritable digital fortress. With amazing built-in security capabilities and experts such as Pete Freitag leading the charge, Adobe ColdFusion 2018 (with 2020 to be out this year) will continue to remain second-to-none in this area.
Join me as we take a look into the roots of ColdFusion and venture forth into what makes it so special.
“I love the language. It was the first language I learned…my friend said, ‘Well, you know there's this language called ColdFusion that has a cfquery tag, a cfoutput tag, and a cfmail tag,' and I was in love. That's the truth. I have worked in other languages over the years and although I do like all of them, when I need to get a real quick idea out, ColdFusion just seems to make it really simple to do.”
-Giancarlo Gomez, Owner of CrossTrackr, Inc and Fuse Developments, Inc / Senior Web App Developer at Duty-Free Americas
The Evolution of ColdFusion
Times were simpler then.
Windows 95 had just been released taking us from the era of “true” Windows in 3.1. The DVD burst on to the scene ready to take on the world and more importantly VHS. And Michael Jordan came out of retirement to lead the Bulls to another 3 championships.
But most importantly, two brothers sat down to develop an easier way to conquer the World Wide Web. One was an ambitious CEO ready to develop and the other a budding software engineer with seemingly limitless potential. These were the Allaire brothers.
Jeremy owned a web development consulting firm and had many great ideas on how to build web services. But he found the current tech too cumbersome and difficult to work with. This is where his brother’s expertise came into play. JJ knew he could solve Jeremy’s difficulties. He just needed to develop his own system. One that not only his brother could use but something everybody could.
And thus… The first version of ColdFusion was born.
*Fun Fact #1: Did you know that ColdFusion wasn’t the first choice for the name? Previous contenders were Horizon, WebDB, and Prometheus. Prometheus being the frontrunner with its logo consisting of a hand and lightning bolt.
Prior to ColdFusion 6.0, CF was written in Microsoft Visual C++. This made it almost exclusively available to Windows users. But during the 3.1 update, Allaire was able to successfully port ColdFusion over to Sun Solaris further increasing the accessibility to its users.
In 2001, Jeremy helped broker the merger between Allaire and media giant Macromedia. He eventually became the CTO of Macromedia and helped to spearhead its Flash program. But that doesn’t mean ColdFusion went by the wayside. In fact, they took ColdFusion to the next level.
During the production of ColdFusion 6.0, Macromedia made a drastic change. 6.0 had been completely rewritten in Java and supported its own runtime. And with 6.1 came one of the biggest changes for ColdFusion. It enabled its users to debug and code Shockwave Flash.
Macromedia did wonders for the platform developing ColdFusion into a real contender in the world of web development. However, a rival company was slowly dominating the industry. In late 2005, Adobe Systems acquired Macromedia and ColdFusion along with it. Instead of dismissing the platform, Adobe focused time and resources into it. As of now, Adobe ColdFusion is one of the most user-friendly and efficient programming arenas available. The latest version is Adobe ColdFusion 2018.
CFML: A Developer’s Language
Perhaps the strongest element to ColdFusion lies within the language itself.
CFML stands for ColdFusion Markup Language, which leads us into our next fun fact…
*Fun Fact #2: Did you know that by definition CFML isn’t a true markup language? It’s actually more of a scripting language! But more so… Some consider ColdFusion to be kind of a “glue language”–a subset of scripting languages that helps to connect various software components.
But that’s not to say CFML and markup languages don’t have their similarities.
Adobe ColdFusion in a Nutshell
What started as a simple solution to a brother’s conundrum evolved into a superior web development platform used around the world. Its ease of use as a tag based scripting language makes it ideal for any developer, novice or veteran. Not only that but you won’t find another language as secure.
These are just a few reasons why ColdFusion is the best around. Later, we’ll explore some direct comparisons between ColdFusion and some other programming languages so we can hammer home this point.
But the thing is… Nothing’s perfect. Despite Adobe’s best efforts, they haven’t created a perfect product. But this is why they constantly improve the platform. And guess how they get most of their ideas?
They listen to the community. (Big shoutout to Adobe for that, BTW) They take our ideas and turn them into a reality. So if you could change one thing about Adobe ColdFusion, what would it be? Let us know in the comments below. Or better yet… Voice them over at the Adobe forums or the CF Slack channel.
Let’s all come together and do our part to help keep CF Vibrant, Modern, and ALIVE!!!
Join the CF Alive revolution
Discover how we can all make CF more alive, modern and secure this year. Join other ColdFusion developers and managers in the CF Alive Inner Circle today.
- Get early access to the CF Alive book and videos
- Be part of a new movement for improving CF's perception in the world.
- Contribute to the CF Alive revolution
- Connect with other CF developers and managers
- There is no cost to membership.