Secure ColdFusion (17 Tools + Best Practices)
Overview of CF Security
ColdFusion leads the web dev language pack when it comes to security.
- It has the lowest number of security issues of any web language (according to CVE security data).
- Adobe even has a full time security czar in charge of making the language even more secure.
- All the developers on Adobe’s CF creation team are trained in writing secure code.
- And the Adobe ColdFusion General Manager stays in the loop on any security issues that are found.
- With the release of ColdFusion 2018 came a new wave of security improvements (details on use below).
- Which have been improved even more in CF 2021!
With hacking at an all time high this year, security is an important part of any programming language, ColdFusion included. No platform is 100% secure. We look at CF tools and best practices out there to help you be as secure as you can be!
Keeping a tight grip on security measures is pivotal to keeping CF Alive. Nobody wants to use an insecure development platform. And top security is a key reason for CIOs to pick CF.
Adobe ColdFusion Security Tools
The new auto lockdown feature is one of the cool security features in CF 2021 (and 2018). This is a great for those with security concerns but without years of CF security experience under their belt. The days of having to manually lock down your server are in the past.
With auto lockdown, you can implement secure lockdown of your production server with one click. Full lockdown procedures will be systemically applied making sure all security measures are fail-safe and within compliance. After the lockdown, all systems are continuously monitored for breaches and potential security threats.
- What is Server Auto-Lockdown?
- How does Server Auto-Lockdown keep your app secure?
- How to get the most out of Server Auto-Lockdown.
Let’s talk about it!
What is Server Auto-Lockdown?
This feature was introduced with ColdFusion 2018. Developers and ColdFusion fanatics like myself welcomed the tool, using it so often it became essential for network security.
The server auto-lockdown feature offers several advantages:
- Ease of use
- A quick return to normal functioning
The Auto-Lockdown automates what used to be a painstaking, 50-step process that often took so long, hackers got whatever they wanted without a problem. The process lasted hours and required nerves of steel.
While developers dutifully followed the lockdown checklist, hackers had free reign to whatever parts weren’t shut — and there were many. Hackers tend to be precise, and don’t rummage around too much. So the overall effectiveness of the lockdown was minimal.
The problem was the lockdown’s intensive checklist process. In order to become familiar, you needed to run a lockdown several times. In other words: you either had a lot of hacks, or you wasted a lot of time.
The Auto-Lockdown does what it’s name implies: it automates that 50 step process, sparing a developer the headache of running through a Cold War-style checklist. It lets users lockdown the entire server with just one click.
Besides keeping your data safe, the lockdown also has rollback support so operations can get back to normal quickly. It essentially undoes itself as quickly as it is launched.
Now with the tired old habit of performing a system-wide checklist, your team can instead spend time finding the weakness the hacker exploited.
How does Auto-Lockdown work?
You may wonder how something that removes virtually everyone’s access to your computer can be effective if the person’s already snooping around. Sometimes, being reactionary is your only option.
Auto-Lockdown’s a crafty little tool. It creates virtual ramparts, a fortress, a moat, and a blockade of soldiers around your server. How?
The lockdown, when initiated, limits access to all designated parts of the server, giving you instant ability to control who can access what. This is absolutely critical for an in-progress hack.
By controlling access, it protects your company’s data from someone with unauthorized access. Quite often, these hackers gain entry via common tools such as an SQL injection.
(Ideally, you’d have used ColdFusion’s laundry list of security tools and third-party add-ons to prevent the hack in the first place.)
By stopping a hacker cold in his or her tracks, the lockdown limits the damage they can do.
It could even be preventative if, for example, you’re concerned a recently-fired developer is feeling a bit vengeful. I’ve seen stranger things happen in my years as a ColdFusion consultant.
How to get the most out of Server Auto-Lockdown
The reactionary nature of using the Auto-Lockdown may make it seem like a tool you’ll hopefully never need. But don’t be so hopeful. Make sure you and your team are familiar with it before you ever need it.
Once you modernize to the newest version of ColdFusion 2018, put the Auto-Lockdown on your to-do list. Here’s how:
- Set it up right out of the box. Make it one of the first tools you run through as soon as you install ColdFusion.
- Follow Pete Frietag’s guide to Server Auto-Lockdown from the first to last page, making yourself and your team familiar with the process. These free PDF downloads walk you through the process, step-by-step, and are written by one of the preeminent ColdFusion security experts. Many developers don’t even know these guides exist — and hackers hope you never find them.
(Here is the URL if the hyperlink doesn’t work for you https://www.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2018-lockdown-guide.pdf
- Keep the manual lockdown process handy as well. Using both at the same time will increase the odds your server stays safe. You can’t be too pedantic when it comes to security.
Official Lockdown Guides
For those who prefer to lockdown their CF server manually, there are still the official ColdFusion Lockdown guides. http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-guide.pdf
A lot of CF developers don’t even know they exist. Or do but don’t use them in detail. They were written with the help of CF Security Guru Pete Freitag. The lockdown guides are free PDF downloads that show step by step procedures on locking down your server for tight security. Complete with screenshots. They cover everything including Apache and IIS. If everybody were to follow the guide, most ColdFusion hacks would not happen in the first place.
Adobe Security Code Analyzer
Adobe also released a new Security Code Analyzer. https://helpx.adobe.com/coldfusion/using/security-enhancements.html
This is another top-of-the-line security update from Adobe. Every CF expert knows the weight that a great security system can carry. This tool pushes levels of security to a new level. It automatically scans and searches your application code for any existing security vulnerabilities and any potential security breaches. It determines the exact vulnerable code, type of vulnerability, and severity level. After all of that, the analyzer presents you with the option of removing and repairing the problem via recommended means. This may be the security tool that we have all been waiting on.
Coding for Security
Maintain Consistent Server Architecture
This may seem like a no-brainer, but you would be surprised how many do not follow this simple best practice. You should maintain consistency throughout the development, testing, and live phases of your project. If you don’t have consistent development, testing, and production environments, you will constantly be fighting an uphill battle. A systemized workflow decreases your cost of time and money. It also increases your security and application performance.
Related Article: 11 Best Practices for a new Adobe ColdFusion Project
Clean up unused deadwood code
Unused old code files and even whole directories of “deadwood” not only create maintenance confusion, they are a security risk. Often older code is less securely written. Or it might be a test version that comments out login checks. In my experience hackers often penetrate a CF server via deadwood code.
The solution? Take the time to clean it up. And even better use a modern development workflow with Git that does not even copy test code to your production server.
Use CF Security Tools
You can increase CF server security even more by using CF security expert Pete Freitag’s tools HackMyCF and FuseGuard products.
HackMyCF scans all your CF servers regularly and emails you a report on any out of date CF or JVM versions. And missing hotfixes. Or configuration security holes. It may scare you the first time you run it when you discover how many server security vulnerabilities that you have. After you have applied all the patches and config changes, you can rerun it to make sure everything is now up to date and secure.
FuseGuard is a ColdFusion specific Web Application Firewall (WAF) that protects against common hacker exploits. It inspects all web requests before your CFML code executes. If it spots a malicious request it can either log it or block continued execution completely. It stops all common CF hacker attacking including:
- Malicious File Uploads
- Remote Code Execution
- Cross Site Scripting (XSS)
- SQL Injection
- Session Hijacking
- Cross Site Request Forgery
- Path Traversal Attacks
- Null Byte Injection
- Password Dictionary Attacks
- CRLF Injection
- Malicious User Agents
- XML Entity Injection
- XML External DTD Injection
This is a godsend if you have old or insecure code that you haven’t had time to fix yet. But don’t rely only on a WAF because hackers are always evolving new exploits. So I recommend you prioritize reviewing your code for security vulnerabilities and remediating them. The new CF 2018 security tools are ideal for this.
What is Fixinator?
Fixinator is a CFML security code scanner. What it does, is it basically you give it a directory of code, or even just a single file. It will go through it and will look for security issues. The type of things it finds could be anything from SQL injection vulnerabilities to remote code execution.
For the ones that it finds vulnerabilities, it will automatically fix them. Here’s an example:
You have an SQL injection vulnerability in a CF query tag and you run Fixinator- you can say it has a feature called Auto Fix; auto fix=auto and that just fixes it for you without asking you anything. There’s a prompt mode too if you want to have more control.
The second feature is that it looks for all known vulnerabilities so if you are using an old version of SDK editor that has a file upload ability, it will be able to detect those types of issues.
It will also provide a full report on all problems and issues in HTML or PDF format, or even JSON file if you want to manipulate it. Additionally, it supports JUnit format as well.
Security Continuous Integration (CI)
You are also able to integrate Fixinator into a continuous innovation pipeline, eg. Gitlab repository, so that anytime you want to commit your code it will run the scan automatically. After you output this report file in JUnit format it will provide you with a nice overview of all the things it found. This way, it will stop the thing putting into production, because you have a full pipeline of deployment setup.
You can scan a code base, produce reports, and let Fixinator fix some of the issues it finds.
You can also set up Fixinator in a continuous integration workflow, so it runs every time you commit code to the repository, giving you instant, automatic, continuous feedback.
Adobe Security Priority and Severity Ratings
If you are reviewing ACF hotfixes, you need to know what the security problems actually are, we need to understand Adobe’s degrees of importance. Adobe breaks down potential threats and security risks into two separate scales: Priority and Severity.
The priority scale evaluates the risk associated with each vulnerability in question. The priorities are based on a number of factors including types of vulnerabilities, historic attack patterns, and platforms affected. The scale has 3 separate levels with recommended timelines for remedy. Adobe’s scale is as follows:
- Priority 1:
- This update resolves around targeted ColdFusion vulnerabilities, or which have a higher target risk, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (within 72 hours).
- Priority 2:
- This update resolves vulnerabilities in ColdFusion that have historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (within 30 days).
- Priority 3:
- This update resolves vulnerabilities in CF that have not historically been a target for attackers. Adobe recommends administrators install the update at their discretion.
The Adobe severity scale helps you determine the security impact of each vulnerability.
CriticalA CF vulnerability, which, if exploited, would allow malicious native-code to execute, without a user being aware.ImportantA CF vulnerability, which, if exploited, would compromise data security. This allows access to confidential data, or could compromise processing resources in a user’s computer.ModerateA CF vulnerability that is limited to a significant degree by factors such as default configuration, auditing, or is difficult to exploit.
TeraTech ColdFusion Security 8 Best Practices
Understand Basic ColdFusion
- This sounds like a no-brainer, but failure to understand your platform can lead to gross amounts of human error. Human error can lead to an obscene degree of improper coding and that carries over to security concerns as well.
Write in Security
- By writing secure code and implementing security in the design, we minimize the number of attacks. However, if the attack does occur, an extra level of cryptography or security will minimize the effects of the attack.
Ensure your Security
- Be careful to maintain proper code design. When coding is complete, be sure to use proper security testing to make sure your system is as secure as you believe it is.
- Along with proper testing, TeraTech experts use security tools that will further hamper malicious attacks on your software. Sometimes, an extra layer of security will do the trick.
Verify Code Compliance
- Compliances are set for a reason. Make sure your codes are up to snuff when publishing to catch easily preventable attacks.
Train Yourself and Your Team
- TeraTech Experts Help to Train Yourself and Your Team. Cybersecurity is an ever-changing battlefield. Stay up-to-date on current threats and the countermeasures for them. Continue to train yourself and your team for the current standards for program developing.
Update your ColdFusion
- When ColdFusion releases new security updates…we recommend doing the UPDATE. Many web app attacks are easily prevented by keeping your platform updated. No need to undergo full security troubleshooting due to simple complacency. Stay vigilant with your security updates.
CF 8 is no longer secure due to lack of hotfixes since like forever (or at least 7/31/2014)!
- We make sure to perform regular backups of your OS and Databases.
The big part of TeraTech maintenance and prevention tactics is to help you stay updated with all ColdFusion updates and new releases. The more updated and secure your ColdFusion platform is, the more secure your code will be. Maintaining security is the right thing to do for your web apps, clients, and code. If ever you should experience any unlisted security issues with ColdFusion, TeraTech experts will make sure that the problem is addressed immediately in order to secure your application.
This may seem obvious, but preventive care is usually the best way to avoid any security hangups. Your best bet is to not find yourself in a position to be hacked in the first place.
We’ve also guided a clients through a lockdown after a hacking event, while thinking “This could have been avoided.”
- Use proactive measures like routinely scanning for security flaws with Security Code Analyzer and HackMyCF. These tools dig up many of the same security lapses that hackers exploit. You want to find them before the hackers do.
- Set limits on database access — the fewer people allowed into your server, the lower the odds of a hack. You’ll want to leave access for whoever is tasked with running the lockdown. This is often one of your most dependable and least-absent developers, or yourself.
- Make sure your developers write secure code. Duh. This makes your app and servers less vulnerable to hacks and SQL injections which can lead to datanapping and ransom requests, among other hacker tricks.
- Use a web application firewall (WAF) as the first line of defense. (FuseGuard works well).
Most security measures are preventative. But sometimes, hackers get through. What then? It’s imperative you stop them before they wreak havoc on all your company’s data. That’s Server Auto-Lockdown’s main task: to prevent a brief hack from turning into a worst-case-scenario.
May all your CF apps be secure!
Michaela Light is the host of the CF Alive Podcast and has interviewed more than 100 ColdFusion experts. In each interview, she asks “What Would It Take to make CF more alive this year?” The answers still inspire her to continue to write and interview new speakers. Michaela has been programming in ColdFusion for more than 20 years. She founded TeraTech in 1989. The company specializes in ColdFusion application development, security and optimization. She has also founded the CFUnited Conference and runs the annual State of the CF Union Survey.
And to continue learning how to make your ColdFusion apps more modern and alive, I encourage you to download our free ColdFusion Alive Best Practices Checklist.
Because… perhaps you are responsible for a mission-critical or revenue-generating CF application that you don’t trust 100%, where implementing new features is a painful ad-hoc process with slow turnaround even for simple requests.
What if you have no contingency plan for a sudden developer departure or a server outage? Perhaps every time a new freelancer works on your site, something breaks. Or your application availability, security, and reliability are poor.
And if you are depending on ColdFusion for your job, then you can’t afford to let your CF development methods die on the vine.
You’re making a high-stakes bet that everything is going to be OK using the same old app creation ways in that one language — forever.
All it would take is for your fellow CF developer to quit or for your CIO to decide to leave the (falsely) perceived sinking ship of CFML and you could lose everything — your project, your hard-won CF skills, and possibly even your job.
Luckily, there are a number of simple, logical steps you can take now to protect yourself from these obvious risks.
No Brainer ColdFusion Best Practices to Ensure You Thrive No Matter What Happens Next
ColdFusion Alive Best Practices Checklist
Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.
√ Easily create a consistent server architecture across development, testing, and production
√ A modern test environment to prevent bugs from spreading
√ Automated continuous integration tools that work well with CF
√ A portable development environment baked into your codebase… for free!
Learn about these and many more strategies in our free ColdFusion Alive Best Practices Checklist.
Originally published at www.teratech.com