I've said it before, tradeoffs pop up in programming all the time. They are often difficult decisions with no easy answer, and we often make the wrong one.
Security is no stranger to tradeoffs. Here are three tradeoffs that often limit security:
- Security vs. Performance - The biggest example of this is SSL. Your site may have an SSL certificate, but you probably only use it on certain parts of the site since SSL is slower.
- Security vs. Usability - You could set your session timeouts to 5 minutes, but people don't like to log in repeatedly.
- Security vs. Cost/Time/Effort - This is often the biggest hurdle to writing secure software. "We need this done yesterday" often means we skip or skimp on things like validation.
These aren't the only reasons for security vulnerabilities; often they are due to bugs, or to a lack of knowledge about the vulnerability.