Wednesday, August 29, 2018

The More The Merrier

I just wanted to put a quick acknowledgement out there about a recent blog article that I encountered about a company putting ColdFusion to use for their products.  More specifically, they're using the Lucee Server CFML engine.  Check it out and read about the benefits they get out of a professional development environment that quickly helps users master their finances.  You can read the article at

Monday, August 27, 2018

Is ColdFusion a Secure Option for My Startup?

ColdFusion has been around the block a time or two.  It's seen ups and it's seen downs when it comes to implementation.  From version to version, ease of use versus security has always been an important consideration.  From the early days of the web when security was important, but not the primary factor, ColdFusion implemented security components. Some made you feel good, but didn't offer what you hoped.  Other security tools were there, but developers didn't use them properly. Unfortunately, hackers have been poking at CF since the beginning. The fortunate news is that Adobe and the CF community have been listening and responding. As of today, ColdFusion is at the top of its game when it comes to security, so your startup should be ready to take another look at the advantages of rapid application development balanced with modern security methods.

The Past

When ColdFusion was first developed in the early days of the web, it was the wild west of things.  As long as you knew some HTML and how to upload a few pages to a host server, you were considered programmer material.  Adobe ColdFusion (or rather the original developers, Allaire) saw the advantages of offering a fast environment for developing web pages that easily interacted with databases and processed forms. This was embraced by a world that was moving quickly. Unfortunately, with great power came great responsibility, and many early developers didn't have the advantages of security training that are available today.

As a consequence of a lack of security standards and methods, ColdFusion was vulnerable to a number of attacks that made headlines.  The smallest efforts, such as sanitizing their database inputs or locking down a port or two were often overlooked, and ColdFusion was blamed.  Sometimes justifiably, though certainly developers who didn't know what they were doing had more than their share as well.

When ColdFusion eventually became a part of Adobe, a company focused on web marketing tools, the focus on security of a full web environment suffered as well...for a while. Bad PR led many to look to other options.  ColdFusion was the easiest target to blame for many hacker attacks.  Some were due to a fault in the architecture, but lessons were learned.  From those lessons came a stronger platform for web development and security.

The Present

Today, ColdFusion is as viable an option for developing your company's web based tools as any, even more so than some. With years of experience in developing the ColdFusion product and related products, modern CF hasn't had any headline grabbing issues in years.  The newest option, open source CF engine Lucee, also has the advantage of being designed with security from the start. All that being said, it is still on the application development team to do their due diligence, making sure they're following best practices and avoiding the complacency that often accompanies a product that works so well.

Points to remember:

  • Stay up-to-date with your product if any new updates are released for your version.  Support for a version from Adobe has a shelf life of around 6-7 years for the most part.  Not too bad.
  • Keep up to date with your hotfixes.  A patched and tested web service is something you'll always need to have, no matter the platform.
  • Use server monitoring tools.  Today's world offers more web services that monitor, analyze and threat detect than ever before, so supplement your CF.
  • Use HTTPS.  Today, it's pretty much the standard thanks to Google, but make sure your applications that aren't indexed are using SSL or TLS just as well.
  • Remove the factory setting for admin access.  ColdFusion has a great administrative interface, but it's something you want to make sure only you can access.  Whether that means blocking access by IP or disallowing access from your web server, do it.
  • Intrusion detection.  That may not necessarily be at the CF level, but an ounce of prevention is worth a pound of cure.
  • Sanitize all your CF form inputs and verify any database arguments before they can even reach your DB code.
  • The latest edition of ColdFusion (CF2018) has handy new performance monitoring tools that accompany standard and enterprise editions of the software.  Use it to watch for any unusual spikes of activity and keep notifications on.
  • Continuous deployment.  This is probably more directly tied to your code than ColdFusion, but security is everyone's responsibility.
  • Finally, test, test and test again.  In today's world, you don't rely on one or two technologies to be a great web service.  From ColdFusion to Javascript, CSS, cloud hosts, application servers, web servers, downloaded Docker containers and more, much more, you need to make sure everything works together on a daily basis.  
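The point above about sanitizing form inputs and verifying database arguments, as an added CFML example that is not from the original post. The datasource `appDSN`, the `customers` table, the form fields `customerId` and `email`, and both function names are assumptions made for illustration.

```cfml
<cfscript>
// Added example. Datasource "appDSN", table "customers" and the form field
// names are assumptions, not taken from the original post.

// Weak form, shown only for contrast: the form value becomes part of the
// SQL text, so the database cannot tell data from query syntax.
// queryExecute("SELECT id, email FROM customers WHERE id = " & form.customerId,
//              [], { datasource: "appDSN" });

// Step 1: validate the shape of every input before any DB code runs.
function validateLookup(required struct input) {
    var errors = [];
    if (!structKeyExists(input, "customerId")
        || !isValid("integer", input.customerId)
        || input.customerId < 1) {
        arrayAppend(errors, "customerId must be a positive integer");
    }
    if (!structKeyExists(input, "email")
        || !isValid("email", input.email)
        || len(input.email) > 254) {
        arrayAppend(errors, "email is not a valid address");
    }
    return errors;
}

// Step 2: pass values as typed, bound parameters (the cfscript equivalent
// of <cfqueryparam>), never as concatenated text.
function findCustomer(required numeric customerId, required string email) {
    return queryExecute(
        "SELECT id, email FROM customers WHERE id = :id AND email = :email",
        {
            id:    { value: customerId, cfsqltype: "cf_sql_integer" },
            email: { value: email, cfsqltype: "cf_sql_varchar", maxlength: 254 }
        },
        { datasource: "appDSN" }
    );
}

errors = validateLookup(form);
if (arrayLen(errors)) {
    // Reject the request and encode anything echoed back to the browser.
    cfheader(statuscode=400);
    writeOutput(encodeForHTML(arrayToList(errors, "; ")));
    abort;
}
customer = findCustomer(form.customerId, form.email);
</cfscript>
```

Validation and parameter binding do different jobs: the first rejects malformed input early, the second keeps whatever passes validation out of the SQL text.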

The Future

Obviously, technology is an ever changing thing.  What is relevant today may be a minor point tomorrow.  What is a virtually insignificant factor today may become the Achilles heel of your company. So, keep up on what's going on in the tech environment related to your startup.  Maybe the temptation is to pass that off to your tech people and focus solely on your executive strategy.  As the one in charge, that is your right, but do so at your own peril.  Even if you're a pizza artist who only takes orders online and has pizzas delivered by UberEats, you're still in the tech business, too.  While pizza artists may not be coding their own web GPS displays in ColdFusion, just like that pizza guy, you want to know your technology for your startup.  ColdFusion is just one option, but it's a pretty good one that can securely take you into the future.

Keep asking questions of yourself and your company.  What security issues are likely, and what are unlikely.  Then, remind yourself that the unlikely scenarios are actually pretty likely. Adobe ColdFusion has the benefit of a multi-billion dollar software company behind it to respond when security issues affect CF, as they have shown.  Lucee has the agility and open source nature to give you the control over every aspect of your security if you wish.  Evaluate and take advantage of these as you see fit.

In Conclusion

ColdFusion has had a mixed past with security.  Today, if you look online hard enough, you'll find plenty of old news stories of attacks and vulnerabilities related to CF as it has matured through the years, just like most technologies.  Just know that CF has responded to fix issues it has had, just as any responsible company would.  If you want fast, and secure, you get that with CF.  That's not to say you can let your guard down as a startup leader, but it's good to know that you can get ease, speed and security in one great platform.

Monday, August 20, 2018

ColdFusion in the Cloud

Something you need to consider once you've decided you want to use ColdFusion as your platform for building your business is how you'll set it all up. There was a time when it was a pretty straightforward decision because you had limited options.  Basically, you could buy a hardware server and install ColdFusion behind a web server using a license you bought from Adobe.  Otherwise, if you found a reliable CF host, you could go that route and leave the maintenance to someone else. As with any IT solution, there are a lot more details involved, but I'm sure you get the idea.  Your business relied on investing in and maintaining your data center or hoping the host you chose knew what they were doing when trouble came to town.

These days, you have many more options with how to set up your ColdFusion environment for efficient use of resources, reliable up-time and security.  That isn't to say that all of these will come cheap, but what's nice is that you can be in control of the costs as much as you want...down to the second.  While you can still buy your servers and install your own CF apps, it is nice to have choices.  The best option these days for the right balance of price and reliability is the cloud. Microsoft Azure, Amazon Web Services (AWS), Google Platform, Digital Ocean, etc are all options that let you do things like set up a VPS or host Docker containers that have your applications built in.


A VPS is a virtual private server.  It's basically a virtual machine that is segmented for your use from a cloud provider.  It's like a full server, but you don't have to worry about the details of a hardware based machine.  Depending on what sort of managed approach you take, you may still have to be the one who worries about updates, security and data archiving, but at least you're not having to call on some poor, overworked soul at 1am to come in and change a failed hard drive only to find out no one backed it up since three failures ago.

With ColdFusion, you can install it just like it's on your own physical machine.  You can use the Adobe ColdFusion installation package or the Lucee installation option.  Depending on the OS, you can set up CF behind a web server and you're ready to start.  That may mean handling all the configurations, but other than hardware, you have the same level of control as you would get with your own box.


The latest option for the modern CF enthusiast is using containers.  Usually, this will mean a Docker container with your CF application image built in.  While Docker is pretty much a VM approach as well, it's done in a way that you can put all the components you need into a virtual box (a container) and Docker takes care of letting your application interact with the system on which it's hosted.  It's like putting your fish tank on a shelf.  You supply the fish you care about and put them into a standard fish tank and put it on the shelf to be admired.  You don't care about the shelf it sits on because it's the fish that matter.  The same goes for your application.  This means you focus your time where you really want and make sure you can innovate as quickly as you need to.

In Conclusion

These are just two options you can look into that are readily available in the cloud.  With many companies already well established on these platforms, you can be sure that you're not dealing with untested technology.  As a startup, you need to get going and get going quickly.  ColdFusion is just one quick option to get started, but also deploying on to an environment where everything is built as you need and you control the cost is just another quick step toward success.

Thursday, August 16, 2018

Considering your CF Engine

One of the things I've been thinking about as of late is exactly which flavor of ColdFusion I should be using for my startup.  These days, the options are pretty much Adobe ColdFusion or Lucee Server.  There is also the OpenBD CFML engine, but as far as I can tell, development is no longer active on it, which is a shame.  From its start in the BlueDragon days, OpenBD was a pretty reliable alternative when no other existed.

When it comes to deciding on which server will provide the sort of use I'm looking for in a business, the following are my major considerations:

  • Price
  • Support
  • Scalability
  • Future Proofing

When it comes to Adobe ColdFusion, price has been a major issue for some time now.  As a developer, many of us look for options that we can practice with and implement on our own.  This is a big reason why open source software is a big draw.  Unfortunately, Adobe ColdFusion has a pricing structure that was never a great incentive to developers who can't look past price when it comes to learning a platform.  From a business standpoint, this is also an issue, but not one that should disqualify ACF right out of the gate.  The two tiers of ACF are the standard edition ($1,499) and the enterprise edition ($8,499).  For a small business that is software focused, the standard edition's price tag is actually not that bad.  Just like many things you buy for a startup, the ACF platform is an investment.  For the price of two usable laptop computers, you have access to rapid app development, a huge library of tools from report generation to .NET integration and more.  The enterprise edition is even better if you have to handle multiple instances.

Lucee server is an option that is much nicer to the pocketbook, at least on the face of it.  Lucee is an open source CFML engine, and a very good one at that.  As a fork of the Railo CFML engine, it has been actively developed for a number of years and has grown a knowledgeable community who not only embrace the open source software approach, but who seek to move the applications forward into the realm of modern development practices in a way that a larger corporation can take time to do.  Also, as an open source project, you're able to adjust the software as needed if it came down to that, but thankfully the development is on-going and I've seen new features come up with each version that make Lucee very attractive.


Adobe ColdFusion is, obviously, an Adobe product.  This is one of the big draws that have helped it over the years when it comes down to selecting a product partner.  With each new version, on a release cycle of about two years each, a generous support period of around 7 years is not unusual.  This is great news for a startup, especially since it means that there will be someone to call on and active patching and updates to accommodate growth.

Lucee does have a level of support as well, though it is not as formal as ACF.  With tons of group posts and Slack channels to engage with current developers, answers and help with Lucee and related issues are usually pretty close by.  From a developer perspective, that's great, though from a startup perspective, the unpredictable nature of support can be a turn off.  In the end, though, a good CF developer can find the solution at a cost of additional time.  Then again, support from a major corporation is no guarantee that you'll get your product up and running more quickly either.


When it comes to scalability, I'd have to say that Adobe ColdFusion and Lucee Server are on similar levels for a startup.  If you use ACF standard edition, you get the engine and integration with the Apache Tomcat app server right out of the box.  With Lucee, you get the engine and a host of available open source options for the application server at your disposal.  From Apache Tomcat to Wildfly to JBoss, there are plenty of scalable Java app servers you can choose from.  All you have to do is deploy your Lucee WAR file onto your application server and you're good to go.

Future Proofing

As a startup, one of the things you should consider is how your software platform will be working years from now.  One thing to remember is that changing your platform after it has been doing its job for a couple years is no small task.  If you choose a software solution, particularly a custom solution, you'll need to remember that the cost to switch is far more involved than the cost of the software.  From development time to possible customer disruption, you'll encounter a lot more than you can actually plan for right out of the gate.  So, making sure your software is going to stick around a while is important.  As mentioned before, Adobe ColdFusion has had a release cycle of a couple years, and with that comes support.  At this time, Adobe CF hasn't slowed development of their platform, though they have plenty of room to grow to keep up with the latest developer architecture and buzzwords.  From a startup standpoint, ACF is pretty future proof, at least for the foreseeable future.

Lucee Server is an open source project.  Unfortunately, Lucee came about as a forked project due to a number of issues with Railo.  For all intents and purposes, Railo is dead, so if you had started with that brand, you'll have had to change to Lucee.  The good news is that Lucee was all Railo under the hood, so transitioning wasn't too bad at all.  The only reason I bring this up is that it may give pause to think that this line of CFML engine was once in trouble.  Today, from a startup standpoint, I don't believe it's on any sort of similar course that should prevent the use of Lucee, but as with any open source project, it'll be something to consider.

In Conclusion

These issues are all ones that have been rattling around in my mind as I consider the options available for my startup.  Both servers have made great strides in the last couple of years to change CFML from the "dying" language it was to a modern platform that is not only comparable to stacks like .net or node.js, but can beat them in many areas, especially as a mature technology. Personally, I've had experience enough with both technologies to know that great effort has been put forward to keep them very compatible, but there are differences that you'll have to test for if you plan to start on one platform and move to the other.  Consequently, that is my startup plan at this point.  Start up with Lucee and move on to the powerful REST and containerization options that Adobe is cooking up for this version and the future ones.

Saturday, August 4, 2018

Welcome to the CFStartup Project!

What's all this about?  Well, it's my attempt to break away from the 9-to-5 and start up my own business.  The details of the business will develop over time, but I do know it'll have a significant development component.  What do I want to use for my development environment?  As you may have guessed, I'm using the ColdFusion platform.  This blog is all about my attempt to show that ColdFusion still has a place among the modern developer toolset.

Today, there are at least a couple flavors of CF that a startup can choose from.  Along with the decision whether to use Adobe ColdFusion or Lucee server, there are a number of development styles, cloud services, and frameworks to choose from.  As my new business venture launches, I'll describe what works for me and why.

So why go through this?  Well, CF hasn't had the greatest public relations lately, but it still has its place alongside the more popular web application platforms.  It's not a perfect solution, but nothing is.  It is at least a mature technology that has made great strides over the last few years to simplify MVC, microservices, REST APIs, and more.

If you haven't used CF in a while, now is a great time to take another look at this great addition to the developer toolbox.  With the rapid development capabilities CF has always had, along with the latest modern development tools, a startup can go pretty far. Time to put my money where my blog is.