Yeah, well in these cases he should just not say anything, if he isn't knowledgeable in the business.
We use ColdFusion and we have ratified it secure; and our business, like your expert, works with DoD (and intelligence) on both sides of the pond. We HAVE to be secure. Your expert again is misguided: ColdFusion itself is NOT open source (the product); apps can be, yes, but that is not the duty of MM to protect. An application is only as secure as you build it. Just because someone is experienced doesn't de facto make them knowledgeable. All software is flawed/ships with bugs, ColdFusion is no exception, but I do know that security is paramount when they build it.

-----Original Message-----
From: Jennifer Larkin <[EMAIL PROTECTED]>
To: CF-Server <[email protected]>
Sent: Sun Oct 09 10:23:15 2005
Subject: Re: ColdFusion Security Holes - Best Practices

He's a CISSP with about 15 years of experience who gives encryption lectures at 2600 conventions and used to work for the Department of Defense, so amateur isn't an accurate assessment. :) He isn't an expert with ColdFusion, which he freely admits, but this is because he has no desire to be an expert in ColdFusion. He only works on it because he's compelled to by his main client.
Our little talk did make him less opposed to the language and he agreed to reassess his position. He does give CF some benefit of the doubt because I use it and he knows he's focused my paranoia for me. And he doesn't do Windows, only *nix, BSD, Mac OS, and OSX. He hates closed-source software (except Mac OS). His problem with CF is actually the result of a logical fallacy that a lot of fans of open source software make. They confuse being unable to prove that something is secure with something being insecure. Because they can open the source code and see exactly what something does, they can detect flaws that would be harder to detect in closed-source software. While that may be true, that doesn't mean that closed-source software is by its nature insecure; it only means that they don't know what all of the insecurities are in advance. Not that they tend to actually open the source and examine it in the first place. They probably consider it a professional necessity to assume that if they cannot prove that it is secure, it must be insecure. From a security standpoint, that's a good policy, but it's not an excuse to advise against a piece of software that you are deliberately ignorant about. It would be more accurate and more professional to state the problem as they see it instead of making ignorant blanket statements backed up with bad examples. The reason that I brought it up is that my friend isn't the only security professional who has this bias against closed-source software. I have gotten similar reactions from at least one *extremely* well-known security expert and a member of an infamous hacker lab. (I live in San Francisco. I meet people. They tend to be guys who like smart girls. They say "I hear you're a geek. What do you do?" And when I tell them, they cringe. Occasionally, I call them on it.) It seems to be fairly common in the security industry to make this assumption, fallacious as it is.
This may be part of the bias that the security consultant in question has against CF, but it doesn't in itself explain this consultant's example. The example leads me to believe that the security consultant is biased against ColdFusion and perhaps against all closed-source software, and therefore has not learned enough about CF to have any better examples to give. There are better examples, but it requires research to find out what they are. It seems like he read a single article a couple of years back or maybe attended an intro lecture on PHP and only remembers the simplest example given. You can create security holes with bad programming or bad configuration in any language. I've seen multi-million dollar "enterprise" Java applications with unencrypted text files that say "Database:[database name];Username:[username]; Password:[password]" and do not let you change the default username or password, which they don't give you. (They refused to give me the database schema and I really needed it! What's a girl to do? *whistle*) The language that an application is written in is not nearly as important as the way that the application is written. That is crucial to the assumption that closed-source software is by its nature insecure. (It's insecure because they can't see how it is written.) However, in this case we are talking about an application that is written by a major software company that has to security test their server products before release. It's far more likely for security holes to be in the code written by the web developer, especially with a language like ColdFusion where many developers are never trained to care about security. That's why this security consultant friend of mine talked to me about cross-site scripting and SQL injection attacks in my first months as a web developer. :)

On 10/8/05, Robertson-Ravo, Neil (RX) <[EMAIL PROTECTED]> wrote:
> Well. Like this other security consultant, yours is an amateur.
>
> You cannot make statements that ColdFusion (or any application for that server) is insecure without proper justification.
>
> Only worked on 4.5? Erm, it's 2005! 4.5 is more than 6 or 7 years old - glad to see this consultant is up to date on all this technology, maybe he still does network security audits for Windows 3.1.

--
"I must remember to honor the power of the off switch." Omi of Xiaolin Showdown
Now blogging....
http://www.blivit.org/blog/index.cfm
http://www.blivit.org/mr_urc/index.cfm
