ColdFusion 10 Security Enhancements Presentation
I've given a couple presentations now on the security enhancements in ColdFusion 10. The most recent was today at the Adobe ColdFusion Developer 2012, but I've also given it two other times for a Carahsoft webinar, and for the Carahsoft ColdFusion 10 Preview event in Washington DC. The slide deck was very similar for all three, but today's slides are the most up to date.
I hope you find it useful, there really are quite a few security enhancements in ColdFusion 10, so many that it's difficult to cover all of them in an hour!
Here's a short list of some of the enhancements (not even including all of them):
- Secure Profile in installation
- Weak password warnings in installation
- Hotfix Installer
- CF Admin IP restrictions
- Tomcat - lots of security folks review tomcat, JRun... not so much
- Session Cookie settings
- New SessionRotate() and SessionInvalidate() functions
- CFFile Upload accept allows file extensions, strict mode now checks file content mime type, not just the mime type the browser sends (though this can still be spoofed).
- Hash iterations
- HMAC Function
- CSRF Token Functions
- Ram disk application isolation
- And several more!
- Adobe eSeminar on FuseGuard - October 26, 2011
- Maximum Security CFML - cfObjective Slides - May 17, 2011
- Writing Secure CFML Slides from CFUnited 2010 - August 5, 2010
- Slides for NYCFUG Security Presentation - November 17, 2009
- Hardening ColdFusion - cfObjective 2009 Presentation Slides - July 6, 2009
- Writing Secure CFML cfObjective 2013 Slides
- Upgrading to Java 7 on Linux
- J2EE Sessions in CF10 Uses Secure Cookies
- Learn about ColdFusion Security at cfObjective 2013
- Session Loss and Session Fixation in ColdFusion
- FuseGuard 2.3 Released
- CKEditor Spell Checker Plugin
- Adobe Says Go Ahead and Upgrade your ColdFusion JVM