I realize that all developers have a role in application security (cfqueryparam, etc.). So, there definitely are things I have to pay attention to in building an application.
But for server-level administration and security issues, I would personally like to stay away as much as I can! While debugging my database connection problem the other day, I discovered that the host has cfexecute enabled. It is CF Enterprise, but I don't know if sandbox security really helps this problem. Please let me know your ideas for how serious a problem this is. I wish there was an independent group that evaluated and certified hosting providers -- it's really hard to know who's good and who's not!

---------
I found this on the web at http://jochem.vandieten.net/2008/12/09/cf-shared-hosting-security-java-cfexecute-com-net-and-java-again/

So the hoster is left with a hard choice: disable CFEXECUTE, CFOBJECT, CreateObject(.NET), CreateObject(COM) and CreateObject(JAVA), or accept that there is no security whatsoever in the shared hosting configuration. If you disable these tags, a lot of applications and frameworks won't work anymore. For instance, Transfer ORM needs Java access, so any application built on top of it will not work in a secured shared hosting environment.
---------

My application is the front end to a shopping cart (like a product configurator). The actual transaction with credit card information happens on a totally different server. The data I'm actually keeping wouldn't be very interesting for a hacker. My philosophy on security is that it's all about striking the right balance. You can lock things down so tightly that using the system becomes difficult and expensive. Or, you can be too open. I'm having a hard time figuring out the right balance. Thanks for your comments!
Clarke

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
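The post asks whether sandbox security actually helps once cfexecute is enabled. The quickest way to answer that for a given host is to probe from inside a tenant's own web root and see which of the primitives named in the quoted blog (cfexecute, createObject("java")) the sandbox blocks. The page below is an added example written for this thread; it is not code from Clarke, from the quoted blog, or from Adobe. It assumes it is dropped into the tenant's own docroot and run once, that `server.os.name` reports the platform as it does on standard CF installs, and that the `whoami` binary path on Windows is the usual one (adjust if not). Each probe is wrapped in cftry so a blocked primitive reports as "blocked" instead of erroring out the page.

```cfml
<!--- Added example, not from the original post: probe which shared-hosting
      primitives the sandbox actually blocks for this tenant.
      Run from your own web root, read the output, then delete the file. --->
<cfset results = structNew()>

<!--- Probe 1: can this tenant instantiate arbitrary JVM classes?
      If yes, CF's own tag-level restrictions are not the boundary; the JVM is. --->
<cftry>
    <cfset sys = createObject("java", "java.lang.System")>
    <cfset results["createObject(java)"] =
        "ALLOWED - CF process runs as OS user '" & sys.getProperty("user.name") & "'">
    <cfcatch type="any">
        <cfset results["createObject(java)"] = "blocked: " & cfcatch.message>
    </cfcatch>
</cftry>

<!--- Probe 2: can this tenant read a directory listing outside its own docroot
      via java.io.File, i.e. bypassing cffile/cfdirectory path rules?
      The target (the parent of the web root) is an assumption; change it to a
      path the sandbox is supposed to forbid for a stricter check. --->
<cftry>
    <cfset outside = createObject("java", "java.io.File").init(expandPath("/../"))>
    <cfset names = outside.list()>
    <cfset results["java.io.File outside docroot"] =
        "ALLOWED - " & arrayLen(names) & " entries readable in " & outside.getAbsolutePath()>
    <cfcatch type="any">
        <cfset results["java.io.File outside docroot"] = "blocked: " & cfcatch.message>
    </cfcatch>
</cftry>

<!--- Probe 3: is cfexecute usable at all?  A harmless command (whoami) shows
      which OS account every tenant's code would run as.
      Windows path is an assumption; on Unix, whoami is resolved via PATH. --->
<cftry>
    <cfif findNoCase("windows", server.os.name)>
        <cfset whoamiBin = "C:\Windows\System32\whoami.exe">
    <cfelse>
        <cfset whoamiBin = "whoami">
    </cfif>
    <cfexecute name="#whoamiBin#" variable="whoOutput" timeout="5" />
    <cfset results["cfexecute"] = "ALLOWED - cfexecute ran as '" & trim(whoOutput) & "'">
    <cfcatch type="any">
        <cfset results["cfexecute"] = "blocked: " & cfcatch.message>
    </cfcatch>
</cftry>

<!--- Report. Anything marked ALLOWED is available to every other tenant on
      the box too, which is the point the quoted blog makes. --->
<cfoutput>
<h3>Sandbox probe for #cgi.server_name#</h3>
<ul>
<cfloop collection="#results#" item="probe">
    <li><strong>#htmlEditFormat(probe)#</strong>: #htmlEditFormat(results[probe])#</li>
</cfloop>
</ul>
</cfoutput>
```

Read the output as follows: if cfexecute or createObject(java) reports ALLOWED, then the "balance" question in the post is not really yours to strike, because any other customer on that server has the same primitives and can reach your datasource credentials and files regardless of how little data your app keeps. If all three report blocked, the host has done what the quoted blog describes (at the cost of breaking Java-dependent frameworks such as Transfer ORM), and the remaining risk is mostly in your own code.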