Monday, August 27, 2018

Is ColdFusion a Secure Option for My Startup?

ColdFusion has been around the block a time or two.  It has seen ups and downs in how it was deployed, and from version to version the trade-off between ease of use and security has always been a consideration.  In the early days of the web, when security mattered but was not the primary factor, ColdFusion shipped security components.  Some made you feel good but didn't deliver what you hoped; others were useful, but developers didn't use them properly.  Unfortunately, attackers have been poking at CF since the beginning.  The fortunate news is that Adobe and the CF community have been listening and responding.  Today ColdFusion is in good shape on security, so your startup should take another look at the advantages of rapid application development balanced with modern security practices.

The Past

When ColdFusion was first developed in the early days of the web, it was the wild west.  As long as you knew some HTML and how to upload a few pages to a host server, you were considered programmer material.  Allaire, the original developer of what is now Adobe ColdFusion, saw the advantage of offering a fast environment for building web pages that talked to databases and processed forms, and a world that was moving quickly embraced it.  Unfortunately, with great power came great responsibility, and many early developers didn't have the security training that is available today.

As a consequence of that lack of security standards and methods, ColdFusion applications were hit by a number of attacks that made headlines.  Basic measures, such as parameterizing database inputs or closing an unneeded port or two, were often overlooked, and ColdFusion itself took the blame.  Sometimes that was justified; just as often the fault lay with developers who didn't know what they were doing.

When ColdFusion eventually became part of Adobe, a company focused on creative and web marketing tools, attention to the security of a full web application platform suffered as well, for a while.  Bad PR led many to look at other options, and ColdFusion became the easiest target to blame after an attack.  Some incidents were due to faults in the platform itself, but lessons were learned, and from those lessons came a stronger platform for web development and security.

The Present

Today, ColdFusion is as viable an option for building your company's web-based tools as any, and more viable than some.  With years of experience behind the product and its ecosystem, modern CF is no longer the headline it once was, though Adobe still issues security hotfixes for it, which is exactly why the update discipline below matters.  The newest option, the open source CFML engine Lucee, also has the advantage of being designed with security in mind from the start.  All that said, it is still on the development team to do its due diligence, follow best practices and avoid the complacency that often accompanies a product that works so well.

Points to remember:

  • Stay up to date with your product: apply any new updates released for your version.  Adobe's support for a given version has a shelf life of around 6-7 years for the most part, which is not bad, but once a version reaches end of life there are no more security fixes, so plan the upgrade before that date.
  • Keep up to date with your hotfixes.  Adobe publishes security bulletins and hotfixes for ColdFusion; a patched and tested web service is something you'll always need, no matter the platform.
  • Use server monitoring tools.  More services than ever monitor, analyze and detect threats, so supplement what CF gives you with them.
  • Use HTTPS.  It's effectively the standard now, thanks in part to browser and search engine pressure, but make sure the applications that aren't publicly indexed (internal tools, APIs, admin pages) are served over TLS as well.  SSL is deprecated, so disable the old protocol versions at the web server.
  • Lock down the administrator interface.  ColdFusion has a great administrative interface at /CFIDE/administrator, but only you should be able to reach it.  Whether that means restricting it to an allowlist of IP addresses or not serving that path from your public web server at all, do it, and don't leave installer defaults in place.
  • Intrusion detection.  That may not be at the CF level, but an ounce of prevention is worth a pound of cure.
  • Sanitize all form and URL inputs, and validate every database argument before it reaches your DB code.  In CFML that means checking type and range first, then binding values with cfqueryparam or queryExecute parameters rather than concatenating them into the SQL string.
  • The latest edition of ColdFusion (CF2018) ships a new Performance Monitoring Toolset with the Standard and Enterprise editions.  Use it to watch for unusual spikes in activity, and keep notifications on.
  • Continuous deployment.  This is tied more directly to your code and pipeline than to ColdFusion itself, but security is everyone's responsibility, and an automated pipeline is what lets you ship a hotfix quickly.
  • Finally, test, test and test again.  Today you don't rely on one or two technologies to run a great web service.  From ColdFusion to JavaScript, CSS, cloud hosts, application servers, web servers, downloaded Docker containers and much more, you need to make sure everything works together, and keeps working together, on a daily basis.
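As an added illustration of the sanitize-and-validate point above (this is example code written for this page, not ColdFusion's or Lucee's own code), here is the same product lookup written the unsafe way and the hardened way in CFML script syntax.  The `products` table, the `shopDSN` datasource and the function names are assumptions made for the example; `queryExecute`, `isValid`, named `:id` parameters and `cfsqltype` are real CFML features available in Adobe ColdFusion 11 and later and in Lucee.

```cfml
<cfscript>
// Added example for this page; not ColdFusion's or Lucee's own code.
// Assumes a "products" table (id, name, price) reachable through a
// datasource named "shopDSN". Both names are hypothetical.

// UNSAFE (shown for contrast only): the request value is pasted straight
// into the SQL text, so ?id=1 OR 1=1 returns every row, and
// ?id=1; DROP TABLE products-- is only stopped if the database driver
// refuses to run multiple statements.
function getProductUnsafe(required string id) {
    return queryExecute(
        "SELECT id, name, price FROM products WHERE id = #arguments.id#",
        {},
        { datasource = "shopDSN" }
    );
}

// HARDENED: validate before the DB layer, then bind a typed parameter.
function getProduct(required string id) {
    // 1. Check type and range first; anything else never reaches the query.
    //    isValid("integer", "1 OR 1=1") is false, so the attack above is
    //    rejected here, before any SQL is built.
    if ( !isValid("integer", arguments.id) || val(arguments.id) < 1 ) {
        throw(type = "InvalidArgument", message = "id must be a positive integer");
    }
    // 2. Bind with :id and a cfsqltype. The value is sent to the database
    //    separately from the SQL text, so it cannot change the statement's
    //    structure even if step 1 were ever loosened.
    return queryExecute(
        "SELECT id, name, price FROM products WHERE id = :id",
        { id = { value = arguments.id, cfsqltype = "cf_sql_integer" } },
        { datasource = "shopDSN" }
    );
}

// Typical call site: a validation failure surfaces as a thrown exception
// and is turned into a 400 instead of a database error page.
try {
    product = getProduct( url.id ?: "" );
} catch (InvalidArgument e) {
    getPageContext().getResponse().setStatus(400); // servlet API, works on ACF and Lucee
    writeOutput("Invalid product id");
    abort;
}
</cfscript>
```

The validation in step 1 and the binding in step 2 are independent defences: the first keeps junk out of the data layer entirely, the second guarantees that whatever does get through is treated as a value and never as SQL.  Use both; a `cfsqltype` alone does not catch a negative or out-of-range id, and validation alone is one forgotten check away from the unsafe version.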

The Future

Obviously, technology is ever changing.  What is relevant today may be a minor point tomorrow, and what seems insignificant today may become your company's Achilles heel.  So keep up with what's going on in the technology around your startup.  The temptation may be to pass that off to your tech people and focus solely on executive strategy.  As the one in charge, that is your right, but you do so at your own peril.  Even if you're a pizza artist who only takes orders online and has pizzas delivered by UberEats, you're still in the tech business.  The pizza artist may not be coding a GPS delivery map in ColdFusion, but like that pizza guy, you want to know the technology your startup runs on.  ColdFusion is just one option, but it's a pretty good one that can securely take you into the future.

Keep asking questions of yourself and your company.  Which security issues are likely, and which are unlikely?  Then remind yourself that the unlikely scenarios are actually pretty likely.  Adobe ColdFusion has a multi-billion dollar software company behind it to respond when security issues affect CF, as Adobe has shown.  Lucee's agility and open source nature give you control over every aspect of your security if you want it.  Evaluate both and take advantage of them as you see fit.

In Conclusion

ColdFusion has had a mixed past with security.  If you look online hard enough, you'll find plenty of old stories about attacks and vulnerabilities in CF as it matured, just as for most technologies.  Just know that CF has responded and fixed the issues it has had, as any responsible vendor would.  If you want fast and secure, you can get that with CF.  That's not to say you can let your guard down as a startup leader, but it's good to know that ease, speed and security come together in one platform.
