for security in their web applications. The next step after acknowledging
that security is needed is to determine how much security is needed. We
don't want to protect 10c of assets using security worth $1000. Once we know
how much we can spend on securing our assets we proceed to security
planning.
In the CF-Talk discussion, therefore, we should look at easy and cheap-to-implement
security vs. more expensive security implementations. After all, if we have
unlimited budget we could do something silly like hiring someone to watch
every request our website is about to process.
TK
-----Original Message-----
From: Kwang Suh [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 2:12 PM
To: CF-Talk
Subject: Re: RE: Securing CF Apps.
> 1. If you're properly encrypting the URL you're going to change your
> seed (key) every request. That way it is different every time.
What possible value does this bring?
>
> 2. By using plain-text variable names you're going to give the potential
> intruder a decent insight into your application design, and this will give
> them the ability to make educated guesses as to your other circuit names.
So?
> 3. The objection to using cfquery is multifaceted. There is the risk of SQL
> injection if you're not doing the correct validation. If your errors are not
> being handled correctly you can give away table and column names in the
> error message.
So don't you think it's more important to handle errors properly than say
"don't ever use <cfquery>"?
> Also should someone gain access to your file system they can
> build a pretty complete picture of your database from the queries. You
> can't do this when all you are using is Stored Procedures, especially if
> your variable names don't match your column names. Throw in views and you
> can obscure it even more.
You've got bigger problems should someone gain access to your file system.
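As an added illustration of point 3 in the quoted message (this is not code from the thread or from any of its authors): the first <cfquery> pastes url.id straight into the SQL text, while the second binds it with <cfqueryparam> and catches database errors so that table, column and driver messages are logged for operators but never echoed to the client. The datasource name "appDS", the table "users" and its columns are assumptions made for the example.

```cfml
<!--- Assumed for this example: datasource "appDS", table "users" with
      columns id (integer) and username. --->

<!--- Vulnerable form: whatever the client puts in url.id becomes part of
      the statement, and any database error is rendered by the default
      error page, including the SQL and the driver's message. --->
<cfquery name="getUserUnsafe" datasource="appDS">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- Hardened form. --->
<cfparam name="url.id" default="">

<!--- Reject anything that is not an integer before touching the database. --->
<cfif NOT isValid("integer", url.id)>
    <cfoutput><p>Invalid request.</p></cfoutput>
    <cfabort>
</cfif>

<cftry>
    <!--- cfqueryparam sends the value as a typed bind parameter, so it is
          never interpreted as SQL text. --->
    <cfquery name="getUser" datasource="appDS">
        SELECT id, username
        FROM users
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="database">
        <!--- Full detail (message, SQL, native error) goes to the server log
              only, where operators can read it. --->
        <cflog file="appErrors" type="error"
               text="getUser failed: #cfcatch.message# / #cfcatch.detail#">
        <!--- The client sees a generic message with no schema information. --->
        <cfoutput><p>Unable to process your request.</p></cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

The same cfcatch pattern belongs in a site-wide handler (onError in Application.cfc or <cferror>) so that queries which are not individually wrapped still fail without exposing the schema.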