As a consequence of a lack of security standards and methods, ColdFusion was vulnerable to a number of attacks that made headlines. The smallest efforts, such as sanitizing database inputs or locking down a port or two, were often overlooked, and ColdFusion was blamed. Sometimes that was justified, but developers who didn't know what they were doing certainly caused more than their share of the problems as well.
When ColdFusion eventually became part of Adobe, a company focused on web marketing tools, attention to the security of the full web environment suffered as well, at least for a while. Bad PR led many to look at other options. ColdFusion was the easiest target to blame for many attacks. Some were due to faults in the architecture, but lessons were learned, and from those lessons came a stronger platform for web development and security.
Points to remember:
- Stay up-to-date with your product if any new updates are released for your version. Support for a version from Adobe has a shelf life of around 6-7 years for the most part. Not too bad.
- Keep up to date with your hotfixes. A patched and tested web service is something you'll always need to have, no matter the platform.
- Use server monitoring tools. Today's world offers more web services for monitoring, analysis and threat detection than ever before, so supplement your CF with them.
- Use HTTPS. Today it's pretty much the standard thanks to Google, but make sure the applications that aren't publicly indexed are protected with TLS (still commonly called SSL) just the same.
- Remove the factory setting for admin access. ColdFusion has a great administrative interface, but it's something you want to make sure only you can access. Whether that means blocking access by IP or disallowing access from your web server, do it.
- Intrusion detection. That may not necessarily happen at the CF level, but an ounce of prevention is worth a pound of cure.
- Sanitize all your CF form inputs and verify any database arguments before they can even reach your DB code.
- The latest edition of ColdFusion (CF2018) has handy new performance monitoring tools that accompany the standard and enterprise editions of the software. Use them to watch for any unusual spikes of activity, and keep notifications on.
- Continuous deployment. This is probably more directly tied to your code than ColdFusion, but security is everyone's responsibility.
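Here is what the input-sanitizing point looks like in CFML, as an added example that is not from the original post: the unsafe concatenated query beside the hardened version that validates the value on the way in, binds it with cfqueryparam, and (going one step beyond the point above) encodes it on the way out. The `users` table, `email` column and `myDsn` datasource are assumed, hypothetical names.

```cfml
<!--- Added example, not from the original post. Assumes a hypothetical
      "users" table with an "email" column, a datasource named "myDsn",
      and a form field named "email". --->
<cfparam name="form.email" default="">

<!--- 1. Validate the input before it gets anywhere near the database. --->
<cfif NOT isValid("email", form.email) OR len(form.email) GT 254>
    <cfthrow type="ValidationError" message="Invalid email address">
</cfif>

<!--- Unsafe pattern (shown only for contrast, left commented out): the raw
      form value is pasted into the SQL text, so whatever the user typed
      becomes part of the query the database executes.
<cfquery name="q" datasource="myDsn">
    SELECT id, email FROM users WHERE email = '#form.email#'
</cfquery>
--->

<!--- 2. Hardened form: cfqueryparam binds the value as a typed parameter,
      so the database always treats it as data, never as SQL, and the
      maxlength cap rejects oversized input before the query is sent. --->
<cfquery name="q" datasource="myDsn">
    SELECT id, email
    FROM users
    WHERE email = <cfqueryparam value="#form.email#"
                                cfsqltype="cf_sql_varchar"
                                maxlength="254">
</cfquery>

<!--- 3. Encode on output so a stored value cannot be rendered as markup. --->
<cfoutput query="q">
    <p>#encodeForHTML(q.email)#</p>
</cfoutput>
```

The same three steps apply to any other form field: check the type and length first, bind it with the matching cfsqltype, and encode it for the context it is displayed in.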
Keep asking questions of yourself and your company. What security issues are likely, and what are unlikely? Then remind yourself that the unlikely scenarios are actually pretty likely. Adobe ColdFusion has the benefit of a multi-billion dollar software company behind it to respond when security issues affect CF, as Adobe has shown. Lucee has the agility and open source nature to give you control over every aspect of your security if you wish. Evaluate these and take advantage of them as you see fit.
ColdFusion has had a mixed past with security. Today, if you look online hard enough, you'll find plenty of old news stories of attacks and vulnerabilities related to CF as it has matured through the years, just like most technologies. Just know that CF has responded to fix the issues it has had, as any responsible company would. If you want fast and secure, you get that with CF. That's not to say you can let your guard down as a startup leader, but it's good to know that you can get ease, speed and security in one great platform.