Presented by Denard Springle, NVCFUG, January 2012

Many people hear ‘security’ in conjunction with ‘ColdFusion’ and think only about ColdFusion application security, which is primary, but not the only security you should be concerned about. Operating system, network, application server and physical environment are additional security concerns rarely discussed in ColdFusion circles.

Operating system

Most major breaches of security coming from the outside are based on operating system attacks. Windows is the primary target of most scripted hacking systems and of most hacking groups; this is due primarily to the large surface area Windows exposes. Most production web sites on Windows servers are extremely vulnerable due to lack of proper patch maintenance. Most production web sites on Windows servers are extremely vulnerable to viruses due to a general lack of virus protection and maintenance.

Protecting yourself involves:
- Ensuring you plan for and execute maintenance windows that apply security patches to the OS as frequently as possible, preferably within a few to 24 hours after release.
- Turning off all services and removing all applications that are not required or will never be utilized.
- Turning on the software-based firewall included with modern operating systems and opening only the ports required to operate (SSH/RDP, HTTP, SSL, FTP, etc.).
- Multiple anti-virus/anti-malware applications set to stop and remove viruses/malware automatically.

Network

Most major breaches of security coming from the outside are based on port attacks, with the most common attack still being buffer overrun. Ports below 1024 are the most commonly attacked ports, in part because these ports are granted more rights in the operating system and in part because they are the most commonly used ports for application servers.

Protecting yourself includes:
- One (or more) firewalls between the outside network and your application server.
- Port forwarding from the firewall(s) to non-standard ports on the OS (e.g. port 80 at the firewall to port 41280 on the OS).
- A single line connection between the outside network, the firewall(s) and the application server: no switches, no hubs, no other application servers, just one to one.

Application server

The second most active target of hackers is the applications that run on the operating system. IIS and MSSQL are the two most active targets of hackers in the application realm, again due to the large surface area exposed. Apache, Sun ONE, MySQL, Oracle, Postgres, ColdFusion, etc. are all additional targets of hackers. Any application exposed to the transport layer is susceptible to attack.

Protecting yourself includes:
- Turn off everything in IIS and MSSQL that is not required (limits exposing processes that could be taken advantage of, e.g. ASP.NET, FrontPage extensions, ODBC, etc.).
- Run separate instances of MSSQL for *each* database (limits exposing multiple databases to one hacker).
- Limit IIS to a single web site (limits exposing other web sites to immediate disclosure if one site is hacked).

Physical environment

The majority of physical attacks from the inside come from disgruntled employees. The majority of physical internal attacks are designed to cripple hardware (pull drives, spill liquid, etc.). The second most common internal physical attack is from corporate spies intent on stealing data or technology, or crippling the competition.

Protecting yourself includes:
- Putting servers under lock and key.
- The server room should be locked and impenetrable (can’t use a utility knife to slice through the sheetrock and walk in, can’t climb over the ceiling, etc.).
- Servers and wiring should be in locked cages.
- Use only fiber optic network connections (reduces EMI and eliminates physically patching the cabling).
- Servers should additionally be in locked cabinets.
- Implementing PKI, CAC or RSA-style authentication and limiting logins at the console to non-specific administrator accounts (e.g. NOT ‘Administrator’).

Know what you expose

The best defense is a good offense: know what you are exposing to the outside world and mitigate it as much as possible.
- Nmap is a network scanner tool designed to penetrate networks and isolate security flaws; it produces reports, generally with links to how to resolve the issue(s) found.
- Windows Security Scanner scans Windows machines and determines vulnerabilities, also with links to solutions.

HackMyCF

Pete Freitag (Foundeo, Inc.) has written a tool called HackMyCF (http://hackmycf.com/) which is like an Nmap for ColdFusion servers. It detects missing patches, isolates common security issues such as exposing your application server name and version, and provides links to more information that can be used to resolve those issues, including blog posts by Pete himself.

Patching ColdFusion

For those using CF8 and CF9, David Epler has created a Java utility called the ‘Unofficial Updater’ (https://github.com/dcepler/unofficialupdater2/downloads) that automates the process of updating your CF server to the latest patch release (requires Java 6 or Java 7). ColdFusion Zeus will include a utility in the CF Admin that will show you updates and allow you to manage them (download, install, uninstall).

ColdFusion Zeus

The primary focus of the next release of ColdFusion will be on application security. All areas of ColdFusion have been touched, down to and including the very engine CF will run on (Tomcat vs. JRun). Tomcat is an open source engine that is a more robust, more secure and more trusted application server than JRun (and it’s much, much faster). CF Zeus will provide enterprise-grade security features, putting CF developers on equal footing with ASP and Java developers from a capabilities perspective.
ESAPI in ColdFusion Zeus

ColdFusion Zeus implements ESAPI (the OWASP Enterprise Security API, https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API):
- Implemented under the hood since CF8 HF4.
- Enhances the built-in security functionality of ColdFusion and eliminates the need to write your own secure session handlers.
- Enhances security in ColdFusion to mitigate the vulnerabilities mentioned in the OWASP Top 10:
  1. Injection (code, script, SQL, etc.)
  2. Cross-Site Scripting (XSS)
  3. Authentication & Sessions
  4. Insecure Direct Object Reference
  5. Cross-Site Request Forgery (C/XSRF)
  6. Security Misconfiguration
  7. Insecure Storage (crypto)
  8. URL Access Restrictions
  9. Poor Transport Layer Protection
  10. Unvalidated Redirects

Session cookies got a total upgrade: you can now control attributes of the session cookie that make it more secure (timeouts, HttpOnly, etc.). Cookies in general now have the HttpOnly attribute, which prevents client-side scripts from accessing server-side cookies. Session rotation, input parsers, content validation and more!

As with each prior release of ColdFusion, it has once again been enhanced with the latest and greatest encryption and hashing standards, providing additional options for securing content and a wider array of multi-encryption possibilities for the uber-secure (or corporately paranoid) among us. In addition to enhancing the security of ColdFusion, Zeus brings so many speed enhancements that it nearly eliminates the arguments against writing secure applications.

Basic security principles have *not* changed with the implementation of ESAPI; sessions and security-related utility functions have been improved. Obfuscation, encryption, password hashing and mitigating the exposed surface area of your application are all still critical aspects of secure application design and development. ESAPI provides many utility functions that make implementing some of these requirements easier.
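The session cookie attributes, session rotation, input canonicalization, ESAPI output encoding and salted password hashing mentioned above, brought together in one added example; this is not code from the presentation, and it assumes ColdFusion 10 (Zeus) syntax as documented by Adobe: the `this.sessioncookie` settings, `sessionRotate()`, `sessionInvalidate()`, `canonicalize()`, the `encodeFor*` functions and the iteration argument to `hash()`. The application name, page names, sample user record and salt are constructed for the example.

```cfml
// ---- Application.cfc (script syntax; added example, assumes ColdFusion 10 / Zeus) ----
component {
    this.name              = "secureDemo";                  // assumed application name
    this.sessionManagement = true;
    this.sessionTimeout    = createTimeSpan(0, 0, 30, 0);   // idle sessions expire after 30 minutes

    // Session cookie attributes, settable per application in CF10 instead of hand-rolled cfcookie work
    this.sessioncookie.httponly      = true;   // page scripts cannot read CFID/CFTOKEN, so XSS cannot steal them
    this.sessioncookie.secure        = true;   // the cookie only travels over SSL, never in clear text
    this.sessioncookie.disableupdate = true;   // cfcookie/cfheader cannot weaken these attributes later
}

<!--- ---- login.cfm (added example; the user record below is constructed, not read from a database) ---- --->
<cfscript>
    // Salted, iterated SHA-512 password hash. The numIterations argument is assumed to be the CF10 form of hash().
    function hashPassword(required string password, required string salt) {
        return hash(arguments.salt & arguments.password, "SHA-512", "UTF-8", 10000);
    }

    // Constructed sample user record; a real application reads username, salt and hash from its user table.
    storedUser = { username = "alice", salt = "p1ZkQ3Lw9u2Xb0Ef" };
    // This line stands in for the registration step that would have stored the hash.
    storedUser.passwordHash = hashPassword("correct horse battery staple", storedUser.salt);

    message  = "";
    username = "";

    if (structKeyExists(form, "username") && structKeyExists(form, "password")) {
        // Canonicalize untrusted input before validating it; restrictMultiple/restrictMixed = true
        // rejects double- or mixed-encoded values instead of silently decoding them.
        username = canonicalize(form.username, true, true);

        if (username == storedUser.username
            && hashPassword(form.password, storedUser.salt) == storedUser.passwordHash) {
            // Session fixation defence: issue a fresh CFID/CFTOKEN at the privilege change.
            // sessionRotate() keeps the existing session data and only replaces the identifiers.
            sessionRotate();
            session.user     = username;
            session.loggedIn = true;
            location(url = "home.cfm", addToken = false);   // never append CFID/CFTOKEN to the URL
        } else {
            message = "Login failed for user " & username;
        }
    }

    if (structKeyExists(url, "logout")) {
        sessionInvalidate();   // drops the server-side session; the user must authenticate again
        message = "Logged out";
    }
</cfscript>
<cfoutput>
    <!--- Context-specific ESAPI encoders: HTML body text vs. an attribute value --->
    <p>#encodeForHTML(message)#</p>
    <form method="post" action="login.cfm">
        <input type="text" name="username" value="#encodeForHTMLAttribute(username)#">
        <input type="password" name="password">
        <input type="submit" value="Log in">
    </form>
</cfoutput>
```

The hash comparison relies on the fact that ColdFusion's `==` is case-insensitive, which is harmless for a hex digest. ColdFusion 10 has no built-in bcrypt or PBKDF2, so the example shows an iterated, salted SHA-512; where a dedicated password hashing library is available through the underlying Java runtime it is the stronger choice.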
Resources
- Open Web Application Security Project (OWASP), the de facto standard body for defining security on the web (https://www.owasp.org/)
- Charlie Arehart’s What’s New in Zeus presentation (http://www.carehart.org/presentations/whats_new_in_cf_zeus-cfcamp.pdf)
- Matt Gifford’s ESAPI presentation (http://www.slideshare.net/coldfumonkeh/owasp-enterprise-security-api-and-available-methods-to-help-lock-down-a-coldfusion-application)