Ray Camden gave a presentation to the Tulsa CFUG on ColdFusion Security last night. We got off to a late start due to my own ineptitude in setting up Adobe Connect. After that, however, the presentation was great.
I was actually a bit surprised by how well everyone in the group was doing on security (if they are all to be believed). Not you, of course, dear reader. You, I knew, would do well. ;-)
The biggest thing that most of us didn't do as well as we could have was checking incoming parameters. We all checked them well enough to prevent errors, but not well enough to prevent usability problems such as a blank page being returned to the user.
Ray did a quick hack attempt on two sites volunteered by the group. The site volunteered by my friend, Drew Harris, did flawlessly (and is a nice looking site which uses a nifty .htaccess rewrite). The site I volunteered, however, displayed a small flaw.
Fortunately, the flaw wasn't a security problem. A page simply displayed without any content when an invalid value was passed in the URL (since fixed, of course).
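The kind of check that closes that gap, as an added example (not code from the presentation, the post, or the site in question): validate the URL parameter first, then treat "well-formed but matches nothing" as a separate case. The `blog` datasource, the `articles` table and the `id` parameter are assumptions for illustration.

```cfml
<!--- Added example: a page reached as show.cfm?id=42 (datasource, table and column names are assumed). --->
<cfparam name="url.id" default="">

<!--- Check 1: the parameter must be a positive integer; anything else is rejected outright
      rather than allowed to reach the query and produce either an error or an empty page. --->
<cfif NOT isValid("integer", url.id) OR url.id LTE 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <p>The article id in the address is not valid.</p>
    <cfabort>
</cfif>

<!--- The id is bound with cfqueryparam so it is never concatenated into the SQL text. --->
<cfquery name="getArticle" datasource="blog">
    SELECT title, body
    FROM   articles
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Check 2: a well-formed id may still match no record. This is the case that produced
      the blank page; answer it with a real 404 and a message instead of an empty body. --->
<cfif getArticle.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput><p>No article with id #htmlEditFormat(url.id)# exists.</p></cfoutput>
    <cfabort>
</cfif>

<cfoutput>
    <h1>#htmlEditFormat(getArticle.title)#</h1>
    #getArticle.body#
</cfoutput>
```

Both branches send an explicit status code, so monitoring and the user see a deliberate response rather than a 200 with nothing in it.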
For me, this presentation complemented the security presentation I attended at cf.Objective by Dean Saxe. That presentation discussed security procedures, whereas Ray Camden discussed ColdFusion syntax.
All in all, this was a really great presentation. I look forward to having Ray present to our group in the future (at which time I will be sure to have Connect set up correctly).
The recording of the meeting is available as well.
Ray also has the ColdFusion Security Checklist itself available online.
Some other security resources:
- Adobe ColdFusion Security articles
- Code Securely blog
- Pete Freitag's ColdFusion Security Presentation slides
- Hack Proofing ColdFusion 5.0 book (still one of my favorite CF books)
Thanks for taking the time to present to us, Ray!