Re: Security Questions
Hey folks, I just wanted to report back that my client who was all worried about ColdFusion, and was considering shutting down the entire project and re-writing it in Java (on the recommendation of their in-house Java Developers) has seen the light (thanks, in no small part, to you guys). I really appreciate the volume and quality of the responses from both CFTalk and my local CFUG. It looks like we'll get to keep this client after all! :o)

+1 for ColdFusion!!!

-Chris

On 9/26/07, Andy <[EMAIL PROTECTED]> wrote:
> Thanks. Are there any programs out there that can check for some of these
> vulnerabilities?
>
> -Original Message-
> From: gary gilbert [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 26, 2007 7:32 AM
> To: CF-Talk
> Subject: Re: Security Questions
>
> Andy,
>
> XXS means cross-site-scripting. You should check out this
> http://de.wikipedia.org/wiki/Cross-Site_Scripting entry in wikipedia. There
> are a number of cf functions floating around that have been written to help
> prevent this exploit as well as coding practices.
>
> --
> Gary Gilbert
> http://www.garyrgilbert.com/blog

~| Download the latest ColdFusion 8 utilities including Report Builder, plug-ins for Eclipse and Dreamweaver updates. http;//www.adobe.com/cfusion/entitlement/index.cfm?e=labs%5adobecf8%5Fbeta
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289530
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: Security Questions
Thanks. Are there any programs out there that can check for some of these vulnerabilities?

-Original Message-
From: gary gilbert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 26, 2007 7:32 AM
To: CF-Talk
Subject: Re: Security Questions

Andy,

XXS means cross-site-scripting. You should check out this http://de.wikipedia.org/wiki/Cross-Site_Scripting entry in wikipedia. There are a number of cf functions floating around that have been written to help prevent this exploit as well as coding practices.

--
Gary Gilbert
http://www.garyrgilbert.com/blog

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289522
Re: Security Questions
> What is XSS?

You should probably read this amusing account of a myspace hack:
http://namb.la/popular/
and the technical explanation of how he did it!
http://namb.la/popular/tech.html

Andrew.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289512
Re: Security Questions
Damn keyboard!!! XSS

On 9/26/07, gary gilbert <[EMAIL PROTECTED]> wrote:
> Andy,
>
> XXS means cross-site-scripting. You should check out this
> http://de.wikipedia.org/wiki/Cross-Site_Scripting entry in wikipedia.
> There are a number of cf functions floating around that have been written to
> help prevent this exploit as well as coding practices.
>
> --
> Gary Gilbert
> http://www.garyrgilbert.com/blog

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289492
Re: Security Questions
Andy,

XXS means cross-site-scripting. You should check out this http://de.wikipedia.org/wiki/Cross-Site_Scripting entry in wikipedia. There are a number of cf functions floating around that have been written to help prevent this exploit as well as coding practices.

--
Gary Gilbert
http://www.garyrgilbert.com/blog

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289491
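As an added example (not code from this thread, from Gary's community functions, or from Adobe's documentation) of the kind of prevention Gary is pointing at: the two application-level holes Dave Watts names further down, reflected XSS and SQL injection, each shown in the vulnerable CFML form beside the hardened one. Only built-in ColdFusion 8 tags and functions are used; the datasource name "shop", the table "product(id, name)" and the URL parameter names are made up for the example.

```cfml
<!--- Added example, not from the thread. Vulnerable and hardened CFML
      side by side. Assumptions: datasource "shop" with a table
      product(id, name) is hypothetical; HTMLEditFormat() and
      cfqueryparam are built-in (ColdFusion 8; on ColdFusion 10 or
      later prefer the ESAPI-backed encodeForHTML()). --->
<cfparam name="url.q"  default="">
<cfparam name="url.id" default="0">

<!--- VULNERABLE ------------------------------------------------------
      1) url.id is pasted into the SQL text. ColdFusion doubles single
         quotes inside cfquery, but "?id=1 OR 1=1" contains no quote at
         all, so the clause becomes "id = 1 OR 1=1" and every row comes
         back.
      2) url.q is echoed unencoded, so "?q=<script>...</script>" runs in
         the browser of anyone who follows that link (reflected XSS). --->
<cfquery name="vuln" datasource="shop">
    SELECT id, name FROM product WHERE id = #url.id#
</cfquery>
<cfoutput>
    <p>You searched for: #url.q#</p>
</cfoutput>

<!--- HARDENED --------------------------------------------------------
      1) cfqueryparam sends url.id as a bound integer parameter. The SQL
         text never changes, and a value such as "1 OR 1=1" is rejected
         as invalid CF_SQL_INTEGER data before anything reaches the DB.
      2) HTMLEditFormat() turns < > & " into entities, so whatever was
         typed is displayed as text rather than parsed as markup. It does
         not escape the single quote, so keep attribute values
         double-quoted when you drop user data into them. --->
<cfquery name="safe" datasource="shop">
    SELECT id, name FROM product
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput>
    <p>You searched for: #HTMLEditFormat(url.q)#</p>
    <ul>
    <cfloop query="safe">
        <li><a href="item.cfm?id=#safe.id#">#HTMLEditFormat(safe.name)#</a></li>
    </cfloop>
    </ul>
</cfoutput>
```

Two caveats a practitioner will want. First, `scriptProtect="all"` on cfapplication (ColdFusion 7 and later) only rewrites a short blacklist of tags such as `<script` and `<object` in incoming variables; it is a speed bump, not a substitute for encoding every piece of user data at the point of output. Second, this is the class of bug that the static front tier discussed in the rest of the thread cannot touch, because the malicious request is forwarded to ColdFusion exactly as a legitimate one would be; the quickest check for the XSS half, and what the scanners Andy asks about do, is to request each page with a harmless marker such as `<b>xsstest</b>` in every parameter and look for it coming back unencoded.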
Re: Security Questions
> What is XSS?

Cross Site Scripting attacks. Where the bad people in the world use vulnerabilities in your site to insert undesirable scripts into your code to be run in future viewings of the site.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289423
Re: Security Questions
Cross Site Scripting.

Bruce

Andy wrote:
> What is XSS?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289422
RE: Security Questions
What is XSS?

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 25, 2007 12:32 AM
To: CF-Talk
Subject: RE: Security Questions

> I've always thought this was more for load distribution though than
> security.

No, it's for security. This model is used in high-security configurations to remove all executable functionality, so that if (when?) the web server is compromised, no scripts or programs can be created or modified. It can be done with CF directly using "distributed mode", in which the CF web server integration module is configured to connect to a remote server instead of localhost, or it can be done using a web server configured as a reverse proxy to an internal web server running CF.

While this is very effective as a protection against vulnerabilities in your public web server and its OS, this doesn't do anything to protect against application server vulnerabilities such as SQL injection and XSS, which in my opinion are more common, and perhaps more serious.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289421
RE: Security Questions
> I've always thought this was more for load distribution
> though than security.

No, it's for security. This model is used in high-security configurations to remove all executable functionality, so that if (when?) the web server is compromised, no scripts or programs can be created or modified. It can be done with CF directly using "distributed mode", in which the CF web server integration module is configured to connect to a remote server instead of localhost, or it can be done using a web server configured as a reverse proxy to an internal web server running CF.

While this is very effective as a protection against vulnerabilities in your public web server and its OS, this doesn't do anything to protect against application server vulnerabilities such as SQL injection and XSS, which in my opinion are more common, and perhaps more serious.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289390
Re: Security Questions
My boss always tells me we need to "stand on their necks". Well, in honesty he tells me that anytime we're trying to interface with anyone who's not being helpful... I think that applies here!

Calm down Java developers... I'm only kiddin'. Your necks are safe around me! ;o)

Chris

On 9/24/07, Michael E. Carluen <[EMAIL PROTECTED]> wrote:
> > and the "evil" Java Developers (j/k ;o)
>
> You just gotta love them purists and elitists- and their will to resist
> anything but...!
>
> > -Original Message-
> > From: Christopher Jordan [mailto:[EMAIL PROTECTED]
> > Sent: Monday, September 24, 2007 12:33 PM
> > To: CF-Talk
> > Subject: Re: Security Questions
> >
> > You guys are all just awesome. With your responses and the ones from my
> > CFUG, I'm much more at ease with this issue (or at least I will be after I
> > do my homework on the concepts you guys have given me!)
> >
> > @Jochem:
> >
> > I really wish I was going to MAX, and maybe if my boss sees all this he'll
> > find it of value and send me ;o) Some day I'll make it out to one of these
> > blasted events and put faces to some of the names I see so often on the
> > lists!
> >
> > Cheers everyone! And I'll keep you posted as to what happens with this
> > client and the "evil" Java Developers (j/k ;o)
> >
> > Chris

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289363
RE: Security Questions
> and the "evil" Java Developers (j/k ;o)

You just gotta love them purists and elitists- and their will to resist anything but...!

> -Original Message-
> From: Christopher Jordan [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 24, 2007 12:33 PM
> To: CF-Talk
> Subject: Re: Security Questions
>
> You guys are all just awesome. With your responses and the ones from my
> CFUG, I'm much more at ease with this issue (or at least I will be after I
> do my homework on the concepts you guys have given me!)
>
> @Jochem:
>
> I really wish I was going to MAX, and maybe if my boss sees all this he'll
> find it of value and send me ;o) Some day I'll make it out to one of these
> blasted events and put faces to some of the names I see so often on the
> lists!
>
> Cheers everyone! And I'll keep you posted as to what happens with this
> client and the "evil" Java Developers (j/k ;o)
>
> Chris

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289361
Re: Security Questions
Rick Root wrote:
> That's not really what a "three tiered security" model is though I
> thought it referred to having the web server and coldfusion engine on
> separate hosts, so that the web server passes requests for coldfusion
> processing to the server running coldfusion... which processes the
> CFML and hands the result back to the web server.
>
> I've always thought this was more for load distribution though than security.

Let's for a second assume that your first tier has been compromised, for instance through an exploit in your webserver (even though that is already much harder because if the server only has static data it has naturally been configured with a completely read-only filesystem). How is the attacker going to jump to the second tier? The only communication the second tier accepts from the first tier is forwarded HTTP requests on one specific port. And on that specific port there is different software from your webserver, so they can't use the same exploit. And only when they have compromised your second tier can they start messing with queries and getting access to the data in the third tier.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289354
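The reverse-proxy flavour of the setup that Dave Watts and Jochem describe (a static-only first tier that forwards nothing but CFML requests to an internal ColdFusion host, on one port), written out as an added example of an Apache httpd 2.2 configuration for the first tier. It is not from the thread, from Adobe, or from the "distributed mode" connector Dave mentions as the officially supported alternative; the hostname, addresses, port and paths are invented for the example.

```apache
# Added example, not from the thread. First tier: static files only, and a
# reverse proxy for CFML requests to the ColdFusion tier. Assumptions
# (all hypothetical): tier 2 is 10.0.1.20 and accepts HTTP only on 8500
# (ColdFusion's built-in web server port), this host is 10.0.1.10, and
# /var/www/static holds images/css/js and not a single .cfm or .cfc file.
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/static

    # Reverse proxy only: never relay arbitrary client requests elsewhere.
    ProxyRequests Off
    ProxyPreserveHost On

    # Exclusions must come before the matching rule. The CF administrator
    # and the application's WEB-INF are never reachable through this tier.
    ProxyPass "/CFIDE/"   "!"
    ProxyPass "/WEB-INF/" "!"

    # The single path across the tier boundary: .cfm / .cfc requests (with
    # optional path_info) go to tier 2 on one port. Everything else is
    # answered from the read-only docroot below.
    ProxyPassMatch "^/(.*\.(cfm|cfc)(/.*)?)$" "http://10.0.1.20:8500/$1"
    ProxyPassReverse "/" "http://10.0.1.20:8500/"

    # Static tier: no CGI, no SSI, no directory listings, no .htaccess
    # overrides, so a foothold here has nothing to execute or modify.
    <Directory "/var/www/static">
        Options -ExecCGI -Includes -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Belt and braces for the exclusions above (applies to proxied URIs too).
    <LocationMatch "^/(CFIDE|WEB-INF)/">
        Order deny,allow
        Deny from all
    </LocationMatch>
</VirtualHost>

# On tier 2 (not part of this file) the complement is a host firewall that
# accepts 8500 from 10.0.1.10 only, e.g. on Linux:
#   iptables -A INPUT -p tcp --dport 8500 -s 10.0.1.10 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 8500 -j DROP
# and a database that accepts connections from 10.0.1.20 only.
```

Two notes on the design. The `Order`/`Allow` syntax is Apache 2.2 (the version current when this thread was written); on 2.4 the same blocks use `Require all granted` and `Require all denied`. And tier 2 does not have to expose ColdFusion's built-in server: it can run its own Apache or IIS with the normal CF connector and be proxied on 80 instead, which is closer to Dave's distributed-mode description. What matters for Jochem's argument is that exactly one port is open between the tiers, that the software behind it is not the same web server that was just exploited, and that the first tier has no CFML source, no datasource passwords and nothing it can execute. The application bugs Dave names, SQL injection and XSS, travel through this proxy untouched, because they arrive as well-formed HTTP requests.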
Re: Security Questions
You guys are all just awesome. With your responses and the ones from my CFUG, I'm much more at ease with this issue (or at least I will be after I do my homework on the concepts you guys have given me!)

@Jochem:

I really wish I was going to MAX, and maybe if my boss sees all this he'll find it of value and send me ;o) Some day I'll make it out to one of these blasted events and put faces to some of the names I see so often on the lists!

Cheers everyone! And I'll keep you posted as to what happens with this client and the "evil" Java Developers (j/k ;o)

Chris

On 9/24/07, Rick Root <[EMAIL PROTECTED]> wrote:
> On 9/24/07, Ian Skinner <[EMAIL PROTECTED]> wrote:
> >
> > My assumption is that the thinking is that one can expose only a static
> > site with no dynamic capability to the whole wide world. Then your
> > application server is c
>
> That's not really what a "three tiered security" model is though I
> thought it referred to having the web server and coldfusion engine on
> separate hosts, so that the web server passes requests for coldfusion
> processing to the server running coldfusion... which processes the
> CFML and hands the result back to the web server.
>
> I've always thought this was more for load distribution though than
> security.
>
> It's something that my boss has asked about in the past and I've
> convinced him we don't need to do it.
>
> --
> Rick Root
> Check out CFMBB, BlogCFM, ImageCFC, ImapCFC, CFFM, and more at
> www.opensourcecf.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289353
RE: Security Questions
From WikiPedia:

Some designs are more sophisticated and consist of three different kinds of nodes: clients, application servers which process data for the clients, and database servers which store data for the application servers. This configuration is called a three-tier architecture, and is the most commonly used type of client-server architecture. Designs that contain more than two tiers are referred to as multi-tiered or n-tiered.

This implies nothing more than separating the CF server from the DB server.

Robert B. Harrison
Director of Interactive services
Austin & Williams
125 Kennedy Drive, Suite 100
Hauppauge NY 11788
T : 631.231.6600 Ext. 119
F : 631.434.7022
www.austin-williams.com

Great advertising can't be either/or... It must be &.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289352
Re: Security Questions
"I've always thought this was more for load distribution though than security." My assumption it could server either or both purposes. ~| Enterprise web applications, build robust, secure scalable apps today - Try it now ColdFusion Today ColdFusion 8 beta - Build next generation apps Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289351 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Security Questions
On 9/24/07, Ian Skinner <[EMAIL PROTECTED]> wrote:
>
> My assumption is that the thinking is that one can expose only a static site
> with no dynamic capability to the whole wide world. Then your application
> server is c

That's not really what a "three tiered security" model is though. I thought it referred to having the web server and coldfusion engine on separate hosts, so that the web server passes requests for coldfusion processing to the server running coldfusion... which processes the CFML and hands the result back to the web server.

I've always thought this was more for load distribution though than security.

It's something that my boss has asked about in the past and I've convinced him we don't need to do it.

--
Rick Root
Check out CFMBB, BlogCFM, ImageCFC, ImapCFC, CFFM, and more at www.opensourcecf.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289349
Re: Security Questions
Christopher Jordan wrote:
> they're whispering in the ear of the decision makers that Cold Fusion won't
> do "Three Tiered Security".
> Their idea of the three tiered
> security model is that there's a web server, an application server, and a
> database server. The web server contains no code, no passwords, and can only
> communicate to the application server by virtue of the web server's IP
> address, and because the web server is the only machine that knows where the
> application server is. Sounds a bit like "security through obscurity" to me,
> but what do I know?

The value of running a 'Three Tiered model' is not in the obscurity of where the server for the application tier is: as soon as the webserver is compromised the attacker will know that. The value lies in layering, minimization of privileges and especially a separation between writable and executable content.

> * Are these developers right?

No.

> Is CF not capable of running this Three Tiered model, and are we less safe
> for it?

CF can run in this 'Three Tiered model' and if you have the hardware for it, it is a good idea to use it.

> * If in fact, CF *can* run in this Three Tiered model, will we need to
> upgrade to CF Enterprise to do it?

Not necessarily. In its simplest form you put a webserver in front of the CF server and proxy the requests for .cfm to the next server. The officially supported form is called 'distributed mode' and is available with Enterprise Edition. I suspect you can rig standard edition to support distributed mode as well, but I never tried and I am not sure what the EULA has to say about that.

> * What arguments can we make to our client on this subject?

Get the client to express his concern. Then turn the argument around: tell the client it is a valid concern (remember: the client is always right), but that he has been misinformed as to why it is a valid concern. Then explain that it isn't about obfuscating IP addresses, but about well understood principles of layering, write-or-execute permissions and minimal privileges. Give the client the appropriate links to wikipedia explaining the principles and seal the argument by saying that of course you can deliver the same and you don't need to rewrite the entire system, you just need some sysadmin time and hardware.

> * Can anyone point me to any articles or other materials online
> concerning this topic specific to CF?

Are you going to the MAX? There is a session on CF security (I think by Steve Drucker, or else by Dave Watts) that I expect to cover this issue. Else find me :)

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289348
Re: Security Questions
> While I am not sure I buy into the assumption that this is more secure, it
> will do exactly what they want. So, yes, CF can do, and has done it for years.
>
> --- Ben

My assumption is that the thinking is that one can expose only a static site with no dynamic capability to the whole wide world. Then your application server is configured in a more secure DMZ or something and restricted to accept direct requests only from the web server. Thus limiting the exposure of the system that potentially has more capability to do more damage.

How true this assumption is in either theory and|or practice I can not speak.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289347
Re: Security Questions
I think Chris needs to give these "Java developers" the smackdown.

Don't you love it when people who have no idea what they are talking about start spouting complete BS as if it were completely true? It never ceases to amaze me. Go read any post involving CF on Slashdot or Digg and have your mind blown as people who clearly have never used ColdFusion spout utterly false nonsense. Apparently, if you phrase a complete lie in such a way that it sounds like you know what you are talking about, everyone else believes it. There's probably a PhD thesis in there somewhere.

On 9/24/07, Ben Forta <[EMAIL PROTECTED]> wrote:
> If what they want is to separate ColdFusion from the web server, then sure,
> it is called "distributed mode". While I am not sure I buy into the
> assumption that this is more secure, it will do exactly what they want. So,
> yes, CF can do, and has done it for years.
>
> --- Ben
>
> -Original Message-
> From: Christopher Jordan [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 24, 2007 1:57 PM
> To: CF-Talk
> Subject: Security Questions
>
> Hi folks,
>
> I need some advice. One of our bigger clients has a handful of Java
> developers working for them who don't particularly like ColdFusion. While
> their initial complaints were that it wasn't open source and that you're
> tied to one particular company (thoughts which I quickly squashed), now
> they're whispering in the ear of the decision makers that Cold Fusion won't
> do "Three Tiered Security".
>
> I just now think I remember asking the group about this once before, but
> it's probably worth talking about again. Their idea of the three tiered
> security model is that there's a web server, an application server, and a
> database server. The web server contains no code, no passwords, and can only
> communicate to the application server by virtue of the web server's IP
> address, and because the web server is the only machine that knows where the
> application server is. Sounds a bit like "security through obscurity" to me,
> but what do I know?
>
> Anyway, these Java developers are telling the decision makers at this client
> that ColdFusion just isn't secure because it can't do this three tiered
> security stuff, but Java can. So they're saying, "why don't you just let us
> rewrite everything in Java for you?"
>
> Well, my little company has never run CF as anything but a windows service,
> using CF Standard. We figure that it's written in Java so we ought to be
> able to make CF run in this sort of three tiered environment too.
>
> So my questions are:
>
> * Are these developers right? Is CF not capable of running this Three
>   Tiered model, and are we less safe for it?
> * If in fact, CF *can* run in this Three Tiered model, will we need to
>   upgrade to CF Enterprise to do it?
> * Lots of our code is procedural, though we've been switching to using
>   CFCs slowly (not really OO, but rather storing related queries, and
>   functions in CFCs)
> * What arguments can we make to our client on this subject?
> * Can anyone point me to any articles or other materials online
>   concerning this topic specific to CF?
>
> Thanks for any help guys and gals. I'm going to cross-post this to CF-Talk,
> so I apologize in advance for any duplication I may cause.
>
> Chris
>
> --
> http://cjordan.us

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289346
RE: Security Questions
If what they want is to separate ColdFusion from the web server, then sure, it is called "distributed mode". While I am not sure I buy into the assumption that this is more secure, it will do exactly what they want. So, yes, CF can do, and has done it for years.

--- Ben

-Original Message-
From: Christopher Jordan [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 1:57 PM
To: CF-Talk
Subject: Security Questions

Hi folks,

I need some advice. One of our bigger clients has a handful of Java developers working for them who don't particularly like ColdFusion. While their initial complaints were that it wasn't open source and that you're tied to one particular company (thoughts which I quickly squashed), now they're whispering in the ear of the decision makers that Cold Fusion won't do "Three Tiered Security".

I just now think I remember asking the group about this once before, but it's probably worth talking about again. Their idea of the three tiered security model is that there's a web server, an application server, and a database server. The web server contains no code, no passwords, and can only communicate to the application server by virtue of the web server's IP address, and because the web server is the only machine that knows where the application server is. Sounds a bit like "security through obscurity" to me, but what do I know?

Anyway, these Java developers are telling the decision makers at this client that ColdFusion just isn't secure because it can't do this three tiered security stuff, but Java can. So they're saying, "why don't you just let us rewrite everything in Java for you?"

Well, my little company has never run CF as anything but a windows service, using CF Standard. We figure that it's written in Java so we ought to be able to make CF run in this sort of three tiered environment too.

So my questions are:

* Are these developers right? Is CF not capable of running this Three Tiered model, and are we less safe for it?
* If in fact, CF *can* run in this Three Tiered model, will we need to upgrade to CF Enterprise to do it?
* Lots of our code is procedural, though we've been switching to using CFCs slowly (not really OO, but rather storing related queries, and functions in CFCs)
* What arguments can we make to our client on this subject?
* Can anyone point me to any articles or other materials online concerning this topic specific to CF?

Thanks for any help guys and gals. I'm going to cross-post this to CF-Talk, so I apologize in advance for any duplication I may cause.

Chris

--
http://cjordan.us

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289345
RE: Security Questions
Yes, have those Java guys start setting up YOUR ColdFusion server for their "Three Tiered Security" LoL

Travis Haley
Haley Computer Solutions

-Original Message-
From: Ian Skinner [mailto:[EMAIL PROTECTED]
Sent: Monday, September 24, 2007 12:16 PM
To: CF-Talk
Subject: Re: Security Questions

I am by no means an expert on these topics, and may not have a clear understanding of all the concepts you are discussing. But CF by no means HAS to be running on the same machine as the web server. It is quite possible, and sometimes done for scalability reasons, to have one or more web server machines talking to one or more ColdFusion machines. Configuring these machines so that only the web server(s) "know" where the CF machine(s) are is more of a network question than a server question.

But I think the biggest point here is that since ColdFusion is now built on Java one is going to have a hard time coming up with anything that can be done in Java and can't be done with ColdFusion and Java.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289341
Re: Security Questions
I am by no means an expert on these topics, and may not have a clear understanding of all the concepts you are discussing. But CF by no means HAS to be running on the same machine as the web server. It is quite possible, and sometimes done for scalability reasons, to have one or more web server machines talking to one or more ColdFusion machines. Configuring these machines so that only the web server(s) "know" where the CF machine(s) are is more of a network question than a server question.

But I think the biggest point here is that since ColdFusion is now built on Java one is going to have a hard time coming up with anything that can be done in Java and can't be done with ColdFusion and Java.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:289337