Updated security guide
various updates
pfreitag authored Sep 20, 2024
1 parent 071144b commit 3a8a1e9
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions guides/en/security.md
@@ -20,6 +20,8 @@ Entire books have been written about server security and will generally include

[ColdFusion 2021 Lockdown Guide (PDF)](https://www.adobe.com/content/dam/cc/us/en/products/coldfusion/pdfs/cf-starter-kits/coldfusion-2021-lockdown-guide-1.1.pdf)

[ColdFusion 2023 Lockdown Guide (PDF)](https://www.adobe.com/content/dam/cc/us/en/products/coldfusion/pdfs/cf-starter-kits/coldfusion-2023-lockdown-guide-1.1.pdf)

There has been some attempt made at putting together a Lucee lockdown guide, but it is incomplete. A Google search for 'Lucee lockdown guide' provides useful links to blog posts and the following start to a guide:

[Lucee Lockdown Guide (HTML)](https://bit.ly/2imMVTF)
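Review bot: the Lucee lockdown guide link that closes this hunk still goes through a URL shortener (`https://bit.ly/2imMVTF`) even though the second hunk of this same commit replaces the OWASP shortlinks with direct owasp.org URLs; a shortener hides the destination from readers of a security guide and can be repointed later, so replace it with the direct URL of the guide while this section is being touched. The two Adobe links also hard-code `lockdown-guide-1.1.pdf` in the path, so they will go stale when Adobe revises the guides; consider linking a landing page that Adobe maintains for the lockdown guides, if one exists, rather than a specific PDF revision.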
@@ -28,43 +30,41 @@ These lockdown guides will give you an excellent head start on protecting your s

## ColdFusion Version Security

It is important to note that Adobe ColdFusion versions prior to version 10+, and all Railo server versions, have inherent security flaws that are not and will not be addressed. These weaknesses can be, and very often are, primary attack vectors for exploitation of those insecure systems.
It is important to note that end of life versions of Adobe ColdFusion, and all Railo server versions, have inherent security flaws that are not and will not be addressed. These weaknesses can be, and very often are, primary attack vectors for exploitation of those insecure systems.

If you are running Adobe ColdFusion versions prior to 10+ (e.g. v7, v8, v9, etc.), or any version of Railo, then you are currently **at high risk** of being attacked and should consider upgrading your version of Adobe to the latest version, or if you are using Railo to migrate to Railo's replacement server - [Lucee](https://bit.ly/1LWdyrv).
If you are running Adobe ColdFusion versions prior to 2021 (e.g. CF2018, 2016, 11, 10, etc.), or any version of Railo, then you are currently **at high risk** of being attacked and should consider upgrading your version of Adobe to the latest version, or if you are using Railo to migrate to Lucee.

It is also important to note that Adobe, and Lucee, regularly release security patches for those application servers and you should regularly ensure that your server is on the latest security point release to avoid being the target of potential hackers. Likewise, much of the underlying infrastructure of these application servers, including Java, Tomcat, Apache, nginx, etc. also have security releases and it is important to keep these underlying services up to date with the latest security point release.

You can use tools such as [HackMyCF's ColdFusion server security scanner](https://foundeo.com/hack-my-cf/) to continiously monitor the version of ColdFusion, Lucee, Tomcat and Java that you are running to make sure it is up to date with the latest security patches.

## Network Security

Again, entire books exist that go in depth with securing your network. For most CFML DevOps, this usually means ensuring you have hardened your server (using much of the same steps already outlined in the lockdown guides) to include your web server, application server (JRun, Tomcat, Jetty, etc.) and your database. Ensuring these application servers are consistently patched and configured to be the least granting of access is essential.

Layered security approaches work the best for network security, so having both a hardware firewall and intrusion detection system, and using the software based firewall that comes with your operating system is recommended. Limit access from the external network to your server only on the ports that need to be open. This is typically port 80 for http and port 443 for https. All other external ports should be blocked. If you need access to ssh, ftp or rdp ports, then you should secure your network with a VPN and only allow access to those ports to users on the VPN network. If you're a small shop on a small budget, then obviously exceptions will be made here, but understand it does increase the attack vectors by which hackers may attempt to commandeer your server(s).
Layered security approaches work the best for network security, so having both a hardware firewall and intrusion detection system, and using the software based firewall that comes with your operating system is recommended. Limit access from the external network to your server only on the ports that need to be open. This is typically port 80 for http and port 443 for https. All other external ports should be blocked. If you need access to ssh, ftp or rdp ports, then you should use other methods such as IP allow listing, VPNs, etc.

Layering anti-virus, anti-malware and/or intrusion detection software should also be considered and implemented to ensure your systems are not infected or hijacked by rogue viruses and other malware.

## Code Security

Code security is an often overlooked and frequently misunderstood concept for many ColdFusion developers. It has either never come up for many, or they simply ignore possible security threats believing a breach will never happen to them. However, code security really is your first line of defense online – without it your web site or application could be hacked, data could be disclosed or outright destroyed. An attack from a random script kiddie trying to pwn as many systems as he could would be your best case scenario, an actual focused attacker trying to steal your data or use your application to hack further into your operating system, to get at your finance departments data, or your research departments data, etc. as a worst case scenario.

You can use third party tools such as [Fixinator's ColdFusion code security scanner](https://fixinator.app/) to find vulnerabilities in your code or hire a [ColdFusion security consultant](https://foundeo.com/consulting/coldfusion/) to conduct a review of your code.

### Web Application Firewalls

Also known as WAF's a _Web Application Firewall_ can provide a basic level of protection from several vulnerabilities without requiring any code changes. A WAF can be especially useful in legacy applications that take a long time to find and fix security issues in.

Here are some popular WAFs for use with CFML:

[FuseGuard by Foundeo](https://foundeo.com/security/) - commercial product, written in CFML, runs from your `Application.cfc`

[dotDefender by Applicure](http://www.applicure.com/Products/dotdefender) - commercial product, runs at the web server (IIS) level.
- [FuseGuard by Foundeo](https://foundeo.com/security/) - commercial product, written in CFML, runs from your `Application.cfc`
- dotDefender by Applicure - commercial product, runs at the web server (IIS) level.
- CloudFlare

### OWASP

The [Online Web Application Security Project](https://bit.ly/1devYyR) is the go-to resource for all things related to web application security - from threat assessments to tools, tips and techniques on how to avoid security pitfalls, this is the place to be and should be on your reference list. [OWASP Top 10 Security Threats](https://bit.ly/1bJUzsy) is an excellent place to start exploring.

### Obfuscation

Obfuscation is the art of hiding things in plain sight, and using obfuscation in our application designs can significantly improve application security.

[Click Here](/security-obfuscation) to learn how obscuring data will help protect you from parameter tampering.
The [Online Web Application Security Project](https://owasp.org/) is the go-to resource for all things related to web application security - from threat assessments to tools, tips and techniques on how to avoid security pitfalls, this is the place to be and should be on your reference list. [OWASP Top 10 Security Threats](https://owasp.org/www-project-top-ten/) is an excellent place to start exploring. OWASP also publishes cheat sheets on a wide variety of web application security topics.

### Encryption

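Review bot: the rewritten OWASP paragraph (`The [Online Web Application Security Project](https://owasp.org/) ...`) keeps the wrong expansion of the acronym; OWASP is the Open Web Application Security Project, so fix the link text, and since the new sentence mentions cheat sheets, link the OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/) so readers can actually find them. Two smaller points in the same hunk: the new WAF list entry `- CloudFlare` has neither a link nor the one-line description the other two entries carry (and the vendor spells it Cloudflare), and the dotDefender entry lost its product link compared with the removed line; either restore the link or note why it was dropped. In the network paragraph, replacing the VPN guidance with `IP allow listing, VPNs, etc.` leaves the reader without a concrete recommendation; drop the `etc.` and name the options the guide actually endorses. While here, the unchanged context line above it has `continiously` for `continuously`.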
