Unless you're a true security expert (reading a few articles doesn't count), your ColdFusion, Railo, or OpenBD website probably has security holes that you're not even aware of. Hardware firewalls, O/S patches, and best practice web server configurations don't necessarily keep your web application safe.
You really need to know how to sanitize or block every bit of data that comes from the CGI, URL, Form, and Cookie scopes. Do you really know how to block all types of hacks on your system? Dictionary attacks, Cross-site scripting (ACF does not go far enough with their built-in security here), Malicious File uploads, and CRLF Injection anyone? I've worked on large-scale ColdFusion websites that have been hacked. Writing database scripts to undo major data deletion in the middle of the night is not fun, not to mention losing hours worth of data.
Especially if your site is public-facing, you need application level security, from a veteran web security expert: Pete Freitag.
Pete is a CFML & J2EE security expert: http://foundeo.com/consulting/coldfusion/
But is FuseGuard hard to set up & install?
Absolutely not! I'm the sole developer at my web startup, and was able to get FuseGuard running on my multi-server installation of ColdFusion 9 Enterprise within minutes. The default options are safe for most applications. Of course, fully regression test your app after installation, and you may want to customize the settings based on your requirements. After my regression tests, I was able to push FuseGuard to production quickly and easily.
The only problem I had was a minor "false positive" on a CGI variable check that FuseGuard does. I emailed Pete, he fixed the issue and sent me the patch within hours. I tested it, put it in production, and have not had the issue since!
The price seems kind of high.
That's what I thought, too, at first. But then if you calculate the time it would take your development team to create a comparable application firewall that thwarts so many different kinds of attacks, logs each incident, has a web interface, and emails you issues... well, then FuseGuard is obviously quite inexpensive.
So, what are you waiting for? ;-)
Try FuseGuard here
