Dave,

Thanks for the insight. I have a couple of questions. When you say "roles" do you mean roles at the DB end? We use Oracle, so roles mean something specific. Or "roles" as in user rights as determined by the application (for example, a "front end" user and a "back end" user)?

Encryption would happen at the webserver end, not necessarily ColdFusion, correct? As a general example, let's take a CFC that has a simple query that returns records of a location's sales. We would want to make that code reusable for various pages, so our DSN can't be something specific like FRONTEND_DSN or BACKEND_DSN. Or do you mean to imply that two different queries would have to be used (using, literally, the same SQL) where one uses the FRONTEND_DSN and another the BACKEND_DSN? I'll look into the concurrent login as an example and am pretty sure that's applicable.

A lot of the issue I seem to be having is the way things like "user" or "roles" are being used and their scope (OS level, DB level, application).

> > Yeah, that's as far as I got also. For reference, here are a few
> > links I found. I apologize if I am not knowledgeable in this,
> > because I'm not. Hence the reason I'm asking.
> >
> > http://iase.disa.mil/stigs/ - Official (to the extent that it's the
> > first result on Google not about TopGear and has a .mil domain).
> > "The STIGs contain technical guidance to "lock down" information
> > systems/software that might otherwise be vulnerable to a malicious
> > computer attack."
> >
> > http://www.stigviewer.com/ - Is supposed to be the guidelines in a
> > searchable format. It's fairly recent (as of January 2014).
> >
> > I don't see anything relating to ColdFusion directly, which makes me
> > question as to whether it's A) applicable or B) under some other
> > naming / category.
>
> I haven't looked at the second link, but the first one is correct.
> There's a zip file you can download from there that has STIGs for
> application servers. The zip file contains another zip file, which in
> turn contains an XML doc and an XSL stylesheet. If you extract both to
> a directory and open the XML file, your browser should be able to
> display it properly.
>
> There's plenty of stuff in there that applies to CF, although it's not
> specific to CF at all. It directly targets J2EE application servers.
>
> There isn't that much there that you should need to do that you're not
> already doing. If I recall correctly, there are items about:
> - limiting concurrent logins from a single user,
> - encrypting everything in transit, including database connections
>   (you might not be doing that),
> - using roles to limit user actions,
> - reviewing mobile code (in other words, JavaScript) to prevent XSS,
> etc.
>
> You don't have to have different database user accounts to comply with
> the DoD STIGs, but you should separate administrative access from
> regular user access wherever possible according to the STIGs, and
> using different user accounts (and therefore datasources) is a good
> thing to do to make that happen.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
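One way to keep a CFC reusable while still separating the front-end and back-end datasources (and therefore database accounts) that Dave describes, as an added example that is not code from this thread: the SQL is written once and the caller supplies the application-level role, which selects the datasource. The FRONTEND_DSN and BACKEND_DSN names come from the question above; the location_sales table, the role names and the session.role lookup are assumptions.

```cfml
// SalesGateway.cfc -- constructed example, not code from the thread.
component {

    // Application-level roles (not Oracle roles) mapped to ColdFusion
    // Administrator datasource names. Each datasource is configured with
    // its own database account, so a page running as "frontend" can only
    // do what the FRONTEND_DSN account is allowed to do. (Assumed names.)
    variables.dsnByRole = {
        "frontend" = "FRONTEND_DSN",
        "backend"  = "BACKEND_DSN"
    };

    public any function init(required string role) {
        if (!structKeyExists(variables.dsnByRole, arguments.role)) {
            // Fail closed: an unknown role never falls back to a datasource.
            throw(type = "SalesGateway.UnknownRole",
                  message = "No datasource configured for role: " & arguments.role);
        }
        variables.datasource = variables.dsnByRole[arguments.role];
        return this;
    }

    // One parameterised query, reused by every page; only the datasource
    // (and so the database account) differs between roles.
    // The location_sales table and its columns are assumed for the example.
    public query function getLocationSales(required numeric locationId) {
        return queryExecute(
            "SELECT sale_id, sale_date, amount
               FROM location_sales
              WHERE location_id = :locationId",
            { locationId = { value = arguments.locationId, cfsqltype = "cf_sql_integer" } },
            { datasource = variables.datasource }
        );
    }
}

// Caller, e.g. in a .cfm page, assuming the application stored the
// authenticated user's role in session.role at login:
//   sales = new SalesGateway(session.role).getLocationSales(url.locationId);
```

Because the role-to-datasource mapping lives in one place, an audit of which pages can reach the back-end account reduces to finding callers that pass "backend".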

