Solo Web Startup

A solo entrepreneur's 1st startup

      31 Mar 2011

      Is your ColdFusion site secure? FuseGuard it, if you hesitated


      Unless you're a true security expert (reading a few articles doesn't count), your ColdFusion, Railo, or OpenBD website probably has security holes that you're not even aware of. Hardware firewalls, O/S patches, and best-practice web server configurations don't necessarily keep your web application safe.

      You really need to know how to sanitize or block every bit of data that comes from the CGI, URL, Form, and Cookie scopes. Do you really know how to block all types of hacks on your system? Dictionary attacks, Cross-site scripting (ACF does not go far enough with its built-in security here), Malicious File uploads, and CRLF Injection anyone? I've worked on large-scale ColdFusion websites that have been hacked. Writing database scripts to undo major data deletion in the middle of the night is not fun, not to mention losing hours worth of data.

      Especially if your site is public-facing, you need application-level security, from a veteran web security expert: Pete Freitag.

      Pete is a CFML & J2EE security expert: http://foundeo.com/consulting/coldfusion/

      But is FuseGuard hard to set up & install?

      Absolutely not! I'm the sole developer at my web startup, and was able to get FuseGuard running on my multi-server installation of ColdFusion 9 Enterprise within minutes. The default options are safe for most applications. Of course, fully regression test your app after installation, and you may want to customize the settings based on your requirements. After my regression tests, I was able to push FuseGuard to production quickly and easily.

      The only problem I had was a minor "false positive" on a CGI variable check that FuseGuard does. I emailed Pete, he fixed the issue and sent me the patch within hours. I tested it, put it in production, and have not had the issue since!

      The price seems kind of high.

      That's what I thought, too, at first. But then if you calculate the time it would take your development team to create a comparable application firewall that thwarts so many different kinds of attacks, logs each incident, has a web interface, and emails you issues... well, then FuseGuard is obviously quite inexpensive.

      So, what are you waiting for? ;-)

      Try FuseGuard here

      29 Dec 2010

      Regex to find cfquery missing cfqueryparam


      This is a regex within CFEclipse or ColdFusion Builder that I've used in the past to clean up legacy code that's missing cfqueryparam tags:

      \s+(where|set)\s+[a-z_\.]+\s+(like|\=)\s+'?%?#[a-z"_'\.\(\)\+\/]+#%?'?

      A CF-based solution is also http://qpscanner.riaforge.org/

      Aaron Longnion
      http://refynr.com

      28 Apr 2010

      Making the best of legacy CF code: Part 4


      To play catch-up, see the first 3 parts of this series:

      http://aqlong.posterous.com/making-the-best-of-legacy-cf-code-part-1

      http://aqlong.posterous.com/making-the-best-of-legacy-cf-code-part-2

      http://aqlong.posterous.com/making-the-best-of-legacy-cf-code-part-3


      As promised in Part 3, I will talk about security and automated testing in this post:

      • Automated Testing:
        • Unit Testing: a while back there were CFUnit and CFCUnit, but neither is actively developed any more, unlike MXUnit.org, which includes many features such as an Eclipse plugin, method-level testing, debug output, ANT tasks, and test stub generation.

          Whether your team should use it depends, in my experience, on your company's tolerance for bugs and poor quality, on whether your developers know how to unit test, and on whether the leadership of your team is in favor of unit testing.

          Your company may be fine with spending about 5-10 business days after every major release fixing bugs and other issues that probably would've been caught with good unit & functional tests. If this is the case, you don't really have a chance in hell of implementing Unit Testing as part of your development process. Your customers may also have experienced so many bugs with the system over the last 10 years that they've come to expect it, so you're going to be hard-pressed to convince your boss to change if no one really has a problem with the "status quo". Or maybe you're a better salesman than me...? :D

          If no one on your team has experience or training with unit testing, I've also found that it is a very long uphill battle to get a team of even just a few developers to adopt unit testing. Yes, I've put together my own company presentations and trainings, and many developers just don't see how unit testing is going to make their lives easier - they just see it as extra work.

          If the Project Manager, Architect, and/or Lead Developer are in favor of Unit Testing, you may have a fighting chance. These leaders can make it a requirement that all CFCs, functions, UDFs, and in some cases Custom Tags or include files *must* have Unit Tests to go with all code that is committed to source control. Once Unit Testing is a requirement, within a few weeks everyone will see the benefit, and it even becomes fun!

          Even if you can't get approval to make Unit Testing a requirement, go download MXUnit and try your hand at writing some simple Unit Tests. It's a great learning experience, and seeing dozens of tests that you wrote "pass" and turn green can be quite euphoric to nerds like us ;-)

        • Functional Testing: ideally, there should be at least one professional Quality Assurance (QA) Tester for your system, if not a small team. This should not be just one of your developers. Yes, each developer should thoroughly test all possible functionality (Use Cases) of new features and changes made to your code while programming, but it should not be their responsibility to say whether or not it is ready to go live to Production.

          A QA specialist knows how to really test web applications properly. They will write all sorts of automated scripts with Selenium or Watir (or similar tools), can promote your code from development to your Staging/Testing environment so that they can constantly test your latest code, and they should know a thing or two about stress/load testing your apps to make sure they will perform if your app gets a lot of traffic. Over time, they will learn how the legacy app works better than most developers because they must "regression test", which means that they will do automated and manual tests of all the major parts of your system on a regular basis, and especially before major releases, to make sure that not only the new code works but that nothing broke inadvertently when you changed code or did a "merge" in your source control system.

          But if it's not possible/feasible to hire a QA Tester, then developers will usually be the ones doing the bulk of the testing. If you can get other employees and customers to help test, that's good, too, as long as you have an efficient way to manage all reported bugs. For developers testing their own application, the least you can do is make sure that developers aren't the only ones testing their own code. At least one other developer should test all possible functionality of another developer's code. This kills two birds with one stone: 1) the 2nd developer learns the new functionality, and 2) the 1st developer probably didn't think of all possible Use Cases, so the 2nd developer will usually catch something unexpected.

      • Security: A lot has been written on this subject, so I'll just say that I'd start with cfqueryparam. You probably know this, but wrapping the variables in your SQL with cfqueryparam protects your queries against SQL Injection attacks, and has the added benefit of improving query performance. Here's a quite old article on it from Ben Forta himself. If you have hundreds or thousands of queries to fix, prioritize the public-facing ones (public web site, login pages, etc.) first, and then work on the rest as you have time.

        How do you quickly find all the queries which should have cfqueryparam? I have a RegEx that, while it isn't perfect, does a pretty good job searching in Eclipse/CFBuilder:

        \s+(where|set)\s+[a-z_\.]+\s+(like|\=)\s+'?%?#[a-z"_'\.\(\)\+\/]+#%?'?

        To do a RegEx search in Eclipse, hit Control/Command + H >> select the File Search tab >> copy the regex pattern above into the Containing text field >> tick the Regular Expression checkbox & un-tick the Case sensitive checkbox. The regex will find the first occurrence of a variable in a cfquery tag which should have cfqueryparam. It doesn't find ones in INSERT queries yet, and I doubt it's 100% accurate otherwise, but it will give you a very good start.

        For more about security, others have done a much better job than I will:
        Pete Freitag has an excellent security checklist presentation (http://foundeo.com/security/presentations/hardening-coldfusion.pdf) and a site that will auto-scan your ColdFusion site(s) for security problems: http://hackmycf.com/

        What would you like to see next in this blog series? I'm thinking of a blog entry about development tools: CFEclipse vs. CF Builder vs. Dreamweaver, and ANT for "automated builds", and FogBugz or Jira for Case/Bug management, etc... sound good, or you want something else?
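To show what the regex above (the same one posted in the Dec 2010 entry) does and does not catch, here is an added example that is not the author's code: a Python script that runs the regex case-insensitively, as the Eclipse instructions say, over a constructed CFML sample and groups the hits by cfquery name so you can prioritize fixes. The `<cfquery name="...">` tag pattern used for grouping is my own assumption, and the sample queries are made up.

```python
import re

# The post's Eclipse search regex, compiled with the case-insensitive
# setting it recommends (un-tick "Case sensitive").
MISSING_QUERYPARAM = re.compile(
    r"\s+(where|set)\s+[a-z_\.]+\s+(like|\=)\s+'?%?#[a-z\"_'\.\(\)\+\/]+#%?'?",
    re.IGNORECASE,
)
# Assumed tag shape used to group hits by query (not part of the post).
CFQUERY_TAG = re.compile(r'<cfquery\s+name="([^"]+)"[^>]*>(.*?)</cfquery>',
                         re.IGNORECASE | re.DOTALL)

# Constructed CFML sample: three queries interpolate request data straight
# into SQL, two use cfqueryparam, and one is an INSERT the regex misses.
SAMPLE_CFML = """\
<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users
    WHERE id = #url.id#
</cfquery>
<cfquery name="updateUser" datasource="app">
    UPDATE users SET name = '#form.name#'
    WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="findUser" datasource="app">
    SELECT id FROM users
    WHERE name LIKE '%#form.q#%'
</cfquery>
<cfquery name="safeUser" datasource="app">
    SELECT id FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="addUser" datasource="app">
    INSERT INTO users (name) VALUES ('#form.name#')
</cfquery>
"""

def find_unparameterized(cfml: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_text) for every hit of the regex."""
    hits = []
    for m in MISSING_QUERYPARAM.finditer(cfml):
        # Count lines up to the WHERE/SET keyword, not the leading whitespace.
        line_no = cfml.count("\n", 0, m.start(1)) + 1
        hits.append((line_no, m.group(0).strip()))
    return hits

def queries_needing_fix(cfml: str) -> list[str]:
    """Names of <cfquery> blocks in which the regex flags at least one line."""
    return [name for name, body in CFQUERY_TAG.findall(cfml)
            if MISSING_QUERYPARAM.search(body)]
```

Running `queries_needing_fix(SAMPLE_CFML)` reports getUser, updateUser and findUser; the INSERT in addUser is not reported, which is the gap the post mentions, so INSERT statements still need a manual pass.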