He's a CISSP with about 15 years of experience who gives encryption lectures at 2600 conventions and used to work for the Department of Defense, so amateur isn't an accurate assessment. :) He isn't an expert with ColdFusion, which he freely admits, but this is because he has no desire to be an expert in ColdFusion. He only works on it because he's compelled to by his main client. Our little talk did make him less opposed to the language and he agreed to reassess his position. He does give CF some benefit of the doubt because I use it and he knows he's focused my paranoia for me. And he doesn't do Windows, only *nix, BSD, Mac OS, and OSX. He hates closed-source software (except Mac OS).
His problem with CF is actually the result of a logical fallacy that a lot of fans of open source software make. They confuse being unable to prove that something is secure with something being insecure. Because they can open the source code and see exactly what something does, they can detect flaws that would be harder to detect in closed-source software. While that may be true, that doesn't mean that closed-source software is by its nature insecure; it only means that they don't know what all of the insecurities are in advance. Not that they tend to actually open the source and examine it in the first place. They probably consider it a professional necessity to assume that if they cannot prove that it is secure, it must be insecure. From a security standpoint, that's a good policy, but it's not an excuse to advise against a piece of software that you are deliberately ignorant about. It would be more accurate and more professional to state the problem as they see it instead of making ignorant blanket statements backed up with bad examples. The reason that I brought it up is that my friend isn't the only security professional who has this bias against closed-source software. I have gotten similar reactions from at least one *extremely* well-known security expert and a member of an infamous hacker lab. (I live in San Francisco. I meet people. They tend to be guys who like smart girls. They say "I hear you're a geek. What do you do?" And when I tell them, they cringe. Occasionally, I call them on it.) It seems to be fairly common in the security industry to make this assumption, fallacious as it is. This may be part of the bias that the security consultant in question has against CF, but it doesn't in itself explain this consultant's example.
The example leads me to believe that the security consultant is biased against ColdFusion and perhaps against all closed-source software, and therefore has not learned enough about CF to have any better examples to give. There are better examples, but it requires research to find out what they are. It seems like he read a single article a couple of years back or maybe attended an intro lecture on PHP and only remembers the simplest example given. You can create security holes with bad programming or bad configuration in any language. I've seen multi-million dollar "enterprise" Java applications with unencrypted text files that say "Database:[database name];Username:[username]; Password:[password]" and do not let you change the default username or password, which they don't give you. (They refused to give me the database schema and I really needed it! What's a girl to do? *whistle*) The language that an application is written in is not nearly as important as the way that the application is written. That is crucial to the assumption that closed-source software is by its nature insecure. (It's insecure because they can't see how it is written.) However, in this case we are talking about an application that is written by a major software company that has to security test their server products before release. It's far more likely for security holes to be in the code written by the web developer, especially with a language like ColdFusion where many developers are never trained to care about security. That's why this security consultant friend of mine talked to me about cross-site scripting and SQL injection attacks in my first months as a web developer. :)

On 10/8/05, Robertson-Ravo, Neil (RX) <[EMAIL PROTECTED]> wrote:
> Well. Like this other security consultant, yours is an amateur.
>
> You cannot make statements that ColdFusion (or any application for that
> server) is insecure without proper justification.
>
> Only worked on 4.5? Erm, it's 2005! 4.5 is more than 6 or 7 years old - glad
> to see this consultant is up to date on all this technology, maybe he still
> does network security audits for Windows 3.1.

--
"I must remember to honor the power of the off switch."
Omi of Xiaolin Showdown

Now blogging....
http://www.blivit.org/blog/index.cfm
http://www.blivit.org/mr_urc/index.cfm

Message: http://www.houseoffusion.com/lists.cfm/link=i:10:5587
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/10
