I've actually been working on a nonce and forced browsing plugins for a Mach-II app I am working on. They work mostly, but aren't perfect yet. If/when they are ready for prime time I'll try to release them.
-Cameron
-----------------
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Hardy
Sent: Tuesday, August 23, 2005 12:43 PM
To: [email protected]
Subject: Re: [CFCDev] OT: ColdFusion Security : oWasp Top Ten

Hi Cameron,

Thank you very much indeed. The plan is to try and encapsulate some security best practice into a small model-glue app (possibly using Tartan). I have a lot of other things competing for my time right now, but once complete I'll release it to the community for feedback.

Again, many thanks,

Cheers,
Pete (aka lad4bear)

On 23/08/05, Cameron Childress <[EMAIL PROTECTED]> wrote:

Peter,

I've also found a huge gap in security advice on developing ColdFusion applications. There are a lot of poor programming practices out there when it comes to security, and a lot of people are surely doing it the wrong way every day simply because no-one ever told them why they should do it another way.

I gave a presentation to the San Diego ColdFusion User Group on security/ColdFusion a few months ago (just after attending a 3 day Software Security Summit conference). I think it touches on most issues, but most of the in-depth stuff was verbal in the preso. Let me see if I can find the PPT and I'll send it to you offlist.

I would also very highly recommend downloading Dean Saxe's PPT from the July 2004 ACFUG meeting "Web Application Security: Applying the Principals of Defense in Depth in Your Applications" (http://www.acfug.org/index.cfm?fa=meetings.meetingdetail&EventID=52). His PPT is a bit more complete than mine, with very good notes on each slide, but I think it's a little less CF specific. Dean's an old school CF guy and currently works as a Senior Consultant at Foundstone, a Security Consulting company.

-Cameron
-----------------
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell: 678.637.5072
aim: cameroncf
email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Hardy
Sent: Monday, August 22, 2005 5:54 PM
To: [email protected]
Subject: [CFCDev] OT: ColdFusion Security : oWasp Top Ten

Hi Guyz,

This one is off topic, but any advice or links to good docs appreciated.

As part of my job I've been asked to look at two separate areas, frameworks and security. The frameworks side of things is going pretty well, but the Security side not so well. I want to (at least) ensure I've covered the oWasp Top 10. I figured I'd review the list and then start hunting for documentation on each. Unfortunately, Coldfusion security docs seem to be thin on the ground.

I've included a link to the oWasp site below and would be keen to hear how people are implementing security and any tips / sample code you might have for each point mentioned.

http://www.owasp.org/documentation/topten.html

I'm especially interested in hearing from people implementing security in model-glue apps.

Cheers,
Pete (aka lad4bear)

----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to [email protected] with the words 'unsubscribe cfcdev' as the subject of the email.

CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting (www.cfxhosting.com).

CFCDev is supported by New Atlanta, makers of BlueDragon
http://www.newatlanta.com/products/bluedragon/index.cfm

An archive of the CFCDev list is available at www.mail-archive.com/[email protected]