Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Ben

For those of us unfamiliar with STIG compliance, can you give a reference?

Thanks!

Ben

On Mar 10, 2014, at 9:15 AM, Chester Austin chesteraus...@gmail.com wrote:

> We're in the process of trying to get our Production server STIG compliant.
> The database and OS end seem pretty straightforward.  The application end,
> however, seems to be more complicated than it needs to be.
>
> Are there any resources that point to how to handle web development things in
> the STIG server requirement?
>
> How different are the coding practices for STIG and non-STIG?
>
> For example, a simple CFM might have (minus any frameworks) a cfquery on
> the top of the page and a cfoutput on the bottom of the page.
>
> Are there different DSNs for various security roles a user might be (a regular
> user might be one DSN and another user might be another)?  Would that be
> necessary?
>
> I can give a more detailed example if necessary, but some guidance on how to
> design and implement the various requirements would be a good first step.

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357902
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Wil Genovese

I got as far as this 
http://en.wikipedia.org/wiki/Security_Technical_Implementation_Guide  

Then real work called me.



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357903


Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Chester Austin

Yeah, that's as far as I got also.  For reference, here are a few links I 
found.  I apologize if I am not knowledgeable in this, because I'm not.  Hence 
the reason I'm asking.

http://iase.disa.mil/stigs/ - Official (to the extent that it's the first 
result on Google not about TopGear and has a .mil domain).  The STIGs contain 
technical guidance to lock down information systems/software that might 
otherwise be vulnerable to a malicious computer attack.

http://www.stigviewer.com/ - Is supposed to be the guidelines in a searchable 
format.  It's fairly recent (as of January 2014).

I don't see anything relating to ColdFusion directly, which makes me question 
as to whether it's A) applicable or B) under some other naming / category.




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357904


Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Dave Watts

> Yeah, that's as far as I got also.  For reference, here are a few links I
> found.  I apologize if I am not knowledgeable in this, because I'm not.  Hence
> the reason I'm asking.
>
> http://iase.disa.mil/stigs/ - Official (to the extent that it's the first
> result on Google not about TopGear and has a .mil domain).  The STIGs contain
> technical guidance to lock down information systems/software that might
> otherwise be vulnerable to a malicious computer attack.
>
> http://www.stigviewer.com/ - Is supposed to be the guidelines in a searchable
> format.  It's fairly recent (as of January 2014).
>
> I don't see anything relating to ColdFusion directly, which makes me question
> as to whether it's A) applicable or B) under some other naming / category.

I haven't looked at the second link, but the first one is correct.
There's a zip file you can download from there that has STIGs for
application servers. The zip file contains another zip file, which in
turn contains an XML doc and an XSL stylesheet. If you extract both to
a directory and open the XML file, your browser should be able to
display it properly.

There's plenty of stuff in there that applies to CF, although it's not
specific to CF at all. It directly targets J2EE application servers.

There isn't that much there that you should need to do that you're not
already doing. If I recall correctly, there are items about:
- limiting concurrent logins from a single user,
- encrypting everything in transit, including database connections
(you might not be doing that),
- using roles to limit user actions,
- reviewing mobile code (in other words, JavaScript) to prevent XSS, etc.

You don't have to have different database user accounts to comply with
the DoD STIGs, but you should separate administrative access from
regular user access wherever possible according to the STIGs, and
using different user accounts (and therefore datasources) is a good
thing to do to make that happen.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
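
The first item in Dave's list, limiting concurrent logins from a single user, is something the application itself has to enforce, since neither the web server nor the database sees "the same user" across sessions. The following is an added example, not code from this thread or from any of the posters, of one way to do it in CFML: a small component, intended to live in the application scope, that keeps a per-user registry of active session IDs under a named lock and drops the oldest session once a user exceeds the configured limit. The component and method names, the default limit of two, and the choice to evict the oldest session rather than refuse the new login are my assumptions, not anything the STIG text on the page specifies.

```cfml
component displayname="SessionRegistry" output="false" {

    // Constructed example: one instance per application, created once, e.g. in
    // Application.cfc's onApplicationStart():
    //   application.sessionRegistry = new SessionRegistry(maxSessionsPerUser=2);
    public SessionRegistry function init(numeric maxSessionsPerUser = 2) {
        variables.maxSessions = arguments.maxSessionsPerUser;
        variables.registry = structNew();  // username -> { sessionId -> login tick count }
        return this;
    }

    // Call only after credentials have been verified (right after cfloginuser).
    // If the user already holds maxSessions sessions, the oldest one is removed
    // from the registry, so it fails isActive() on its next request.
    public void function register(required string username, required string sessionId) {
        var key        = lCase(arguments.username);
        var sessions   = "";
        var sid        = "";
        var oldestId   = "";
        var oldestTick = 0;
        lock name="sessionRegistry" type="exclusive" timeout="5" {
            if (!structKeyExists(variables.registry, key)) {
                variables.registry[key] = structNew();
            }
            sessions = variables.registry[key];  // structs are passed by reference
            if (!structKeyExists(sessions, arguments.sessionId)
                    && structCount(sessions) >= variables.maxSessions) {
                // Find the session with the smallest login tick count and evict it.
                for (sid in sessions) {
                    if (oldestId == "" || sessions[sid] < oldestTick) {
                        oldestId   = sid;
                        oldestTick = sessions[sid];
                    }
                }
                structDelete(sessions, oldestId);
            }
            sessions[arguments.sessionId] = getTickCount();
        }
    }

    // Call on every request (e.g. from onRequestStart): a session that was evicted,
    // or never registered, is not active and should be logged out.
    public boolean function isActive(required string username, required string sessionId) {
        var key    = lCase(arguments.username);
        var active = false;
        lock name="sessionRegistry" type="readonly" timeout="5" {
            active = structKeyExists(variables.registry, key)
                  && structKeyExists(variables.registry[key], arguments.sessionId);
        }
        return active;
    }

    // Call from the logout handler and from onSessionEnd, so that abandoned
    // sessions stop counting against the user's limit.
    public void function unregister(required string username, required string sessionId) {
        var key = lCase(arguments.username);
        lock name="sessionRegistry" type="exclusive" timeout="5" {
            if (structKeyExists(variables.registry, key)) {
                structDelete(variables.registry[key], arguments.sessionId);
                if (structCount(variables.registry[key]) == 0) {
                    structDelete(variables.registry, key);
                }
            }
        }
    }
}
```

Wiring it into Application.cfc means creating the instance in onApplicationStart, calling register() once cfloginuser has succeeded, calling isActive() in onRequestStart and logging the user out when it returns false, and calling unregister() from both the logout page and onSessionEnd. Refusing the new login instead of evicting the oldest session is the other common policy; which behaviour the accreditor expects is worth checking against the actual guideline text, which is also why Dave's advice to read the whole document applies.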

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357905


Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Chester Austin

Dave,

Thanks for the insight.  I have a couple questions.  When you say roles do
you mean roles at the DB end?  We use Oracle, so roles mean something specific.
Or roles as in user rights as determined by the application (for example, a
front end user and a back end user).

Encryption would happen at the webserver end, not necessarily ColdFusion, 
correct?

As a general example, let's take a CFC that has a simple query that returns
records of a location's sales.  We would want to make that code reusable for
various pages, so our DSN can't be something specific like FRONTEND_DSN or
BACKEND_DSN.  Or do you mean to imply that two different queries would have to
be used (using, literally, the same SQL) where one uses the FRONTEND_DSN and
another as BACKEND_DSN?

I'll look into the concurrent login as an example and am pretty sure that's 
applicable.  A lot of the issue I seem to be having is the way things like 
user or roles are being used and its scope (OS level, DB level, 
application).



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357906


Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Dave Watts

> Thanks for the insight.  I have a couple questions.  When you say roles do
> you mean roles at the DB end?  We use Oracle, so roles mean something specific.
> Or roles as in user rights as determined by the application (for example, a
> front end user and a back end user).

The latter, although if you were using different datasources you could
perhaps associate Oracle DB roles with these roles. I wouldn't
recommend that approach, though.

> Encryption would happen at the webserver end, not necessarily ColdFusion,
> correct?

Mostly, but not necessarily all of it. For example, you might want to
encrypt files at rest - you'd do that in CF.

> As a general example, let's take a CFC that has a simple query that returns
> records of a location's sales.  We would want to make that code reusable for
> various pages, so our DSN can't be something specific like FRONTEND_DSN or
> BACKEND_DSN.  Or do you mean to imply that two different queries would have to
> be used (using, literally, the same SQL) where one uses the FRONTEND_DSN and
> another as BACKEND_DSN?

I don't think there's a hard-and-fast rule here, but it seems to me
like you'd be ok if you simply handled queries that perform
admin-specific tasks with a separate datasource. Queries that are used
by both administrators and users could be handled by either
datasource.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
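
Dave's advice in this reply and the previous one, separate administrative access from regular access by giving admin-specific queries their own datasource while shared reads may use either, can be expressed in a single CFC rather than in two copies of the same SQL, which is the duplication Chester was worried about with FRONTEND_DSN and BACKEND_DSN. The following is an added example, not code from this thread or from Fig Leaf, in tag-style CFML: the two datasource names are injected once at construction so callers never pick a DSN, the shared sales read runs on the lower-privilege datasource, and the admin-only write checks the application-level role with isUserInRole() before touching the admin datasource. The component name, the sales table and its columns, the role name "admin", and the assumption that the application authenticates with cflogin/cfloginuser (which is what isUserInRole() reads) are my own.

```cfml
<cfcomponent displayname="SalesGateway" output="false">

    <!--- Constructed example. Datasource names are injected once, e.g. in
          Application.cfc:
            application.salesGateway = createObject("component", "SalesGateway")
                                          .init("app_user_dsn", "app_admin_dsn")
          Each name must match a datasource defined in the CF Administrator. --->
    <cfset variables.userDsn  = "">
    <cfset variables.adminDsn = "">

    <cffunction name="init" access="public" returntype="SalesGateway" output="false">
        <cfargument name="userDsn"  type="string" required="true">
        <cfargument name="adminDsn" type="string" required="true">
        <cfset variables.userDsn  = arguments.userDsn>
        <cfset variables.adminDsn = arguments.adminDsn>
        <cfreturn this>
    </cffunction>

    <!--- Shared read: front-end users and administrators both call this, so it
          runs on the lower-privilege datasource. One copy of the SQL serves
          every page that needs it. cfqueryparam binds the value rather than
          interpolating it into the SQL string. --->
    <cffunction name="getLocationSales" access="public" returntype="query" output="false">
        <cfargument name="locationId" type="numeric" required="true">
        <cfset var result = "">
        <cfquery name="result" datasource="#variables.userDsn#">
            SELECT   sale_id, sale_date, amount
            FROM     sales
            WHERE    location_id = <cfqueryparam value="#arguments.locationId#" cfsqltype="cf_sql_integer">
            ORDER BY sale_date DESC
        </cfquery>
        <cfreturn result>
    </cffunction>

    <!--- Admin-only write: the application role is checked first, and only then
          is the admin datasource (backed by a DB account with write grants) used.
          A caller without the role never reaches the query. --->
    <cffunction name="voidSale" access="public" returntype="void" output="false">
        <cfargument name="saleId" type="numeric" required="true">
        <cfif NOT isUserInRole("admin")>
            <cfthrow type="SalesGateway.NotAuthorized"
                     message="The admin role is required to void a sale.">
        </cfif>
        <cfquery datasource="#variables.adminDsn#">
            UPDATE sales
            SET    voided = 1
            WHERE  sale_id = <cfqueryparam value="#arguments.saleId#" cfsqltype="cf_sql_integer">
        </cfquery>
    </cffunction>

</cfcomponent>
```

The database accounts behind the two datasources are what give the split any teeth: the user-facing DSN should be defined in the CF Administrator against an account that has only the SELECT grants the application's reads need, and the admin DSN against an account that additionally has the write grants. If both datasources point at the same database account, the separation is cosmetic and an injection or logic flaw in a front-end page has the same reach as the admin pages.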

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357908


Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Chester Austin

Makes sense.  As a general rule, if you're following general best practices
(code modularity, separation of data and views) it shouldn't contradict STIG
guidelines, correct?  Or, put in another way, STIG wouldn't say you have to put
all of your information into various, independent tables (for security
reasons) which would negate the purpose of a relational database.

STIG should be fairly common sense, correct?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357911


Re: ColdFusion code and STIG (DoD / Navy)

2014-03-10 Thread Dave Watts

> Makes sense.  As a general rule, if you're following general best practices
> (code modularity, separation of data and views) it shouldn't contradict STIG
> guidelines, correct?  Or, put in another way, STIG wouldn't say you have to
> put all of your information into various, independent tables (for security
> reasons) which would negate the purpose of a relational database.
>
> STIG should be fairly common sense, correct?

Yes, for the most part. That said, I'd spend the couple of hours to
read through all of the guidelines carefully.

Most of these security guidelines are fairly vague, and are not really
that testable as a result.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357912