> > > I also once had a client who did this, they were Linux heads who thought that hiding the "sucky insecure windows/cf server" behind a linux server and doing a reverse proxy would make it secure.
> >
> > There is no such thing as "make it secure", of course. But it is more secure. It solves one specific security problem - preventing executable code from being directly accessed from an untrusted network.
> >
> > > But of course it didn't as everything still works the same way, the SQL injections still got through, the insecure file upload forms still allowed files to be uploaded, which could then be executed as they had cfexecute and cfregistry enabled.
> >
> > So what you're saying is that, despite the fact that the environment was (more) secure by default, developers accidentally wrote exploitable code?
> >
> > I have the feeling there's some lesson to be drawn from this. I wonder what it is?
>
> A locked door is useless if you leave the windows open.
I think we might be in agreement! But maybe for different reasons. Setting up application servers to be secure is hard. Ensuring that application code doesn't contain vulnerabilities is hard. And you're not going to be able to solve security problems with an installer. People need to know what they're doing. They need to have a base level of competence at their jobs. No installer in the world is going to idiot-proof web applications.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358229
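The two flaws named in the quoted exchange, SQL injection and an upload form that drops client-named files where the server will execute them, are application-layer bugs, and a reverse proxy in front of the server forwards the offending request bodies unchanged. The Python below is an added illustration, not code from this thread or from any ColdFusion product: it puts the vulnerable form of each check beside a hardened one. It uses an in-memory sqlite3 table as a stand-in for the backend database, and the web root, upload directory and extension allow-list are assumed values chosen for the example.

```python
import sqlite3
import uuid
from pathlib import PurePosixPath


# Constructed sample data: an in-memory users table standing in for the
# backend database; the credentials are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: whatever the client sent in
    the request body is spliced into SQL unchanged, reverse proxy or not."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver keeps data and SQL apart,
    so the input is compared as a literal string."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Assumed settings for the upload handler (not taken from the thread).
WEB_ROOT = PurePosixPath("/var/www/htdocs")          # served, and executed, by the app server
UPLOAD_DIR = PurePosixPath("/var/app-data/uploads")  # outside the web root
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}


def upload_vulnerable(filename):
    """Stores the file under the client-supplied name inside the web root, so a
    template such as report.cfm is executable as soon as it is written."""
    return WEB_ROOT / filename


def upload_hardened(filename):
    """Keeps only the base name, enforces an extension allow-list, renames the
    file to a random name, and stores it outside the web root."""
    base = PurePosixPath(filename).name        # drops any ../ or directory part
    ext = PurePosixPath(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not allowed: %r" % ext)
    return UPLOAD_DIR / ("%s%s" % (uuid.uuid4().hex, ext))


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"   # constructed input that comments out the password check
    print("vulnerable login with crafted username:", login_vulnerable(db, crafted, "wrong"))
    print("parameterized login with same input:   ", login_parameterized(db, crafted, "wrong"))
    print("vulnerable upload path:", upload_vulnerable("report.cfm"))
    try:
        upload_hardened("report.cfm")
    except ValueError as exc:
        print("hardened upload rejected:", exc)
    print("hardened upload path:", upload_hardened("../photo.JPG"))
```

The point of running both forms side by side is that nothing in the network path decides the outcome: the same string reaches both login functions, and only the parameterized one treats it as data. Likewise the upload fix is not a filter on the proxy but a change in what the application does with the file name it is handed.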

