Recently, we decided to upgrade one of our applications from ColdFusion 8 to take advantage of the enhanced security offered in ColdFusion version 10. With the abundance of web applications out there, online security is an increasingly significant concern for everyone. Furthermore, with recent news of security hacks, particularly with older versions of ColdFusion, it seemed prudent to address the concern before it became an issue for our clients. Too often, security is not addressed until there is a breach. In ColdFusion 10, security has finally become a key element of the code and we decided to take advantage of two primary changes: Secure Profiles and Hot Fix Notifications.
Secure Profiles
The first big change for us was the new profiles made available by ColdFusion 10. From the very beginning, it is apparent that security plays a bigger role. When you install the code, the installer defaults to security settings which follow best practices to secure your system or application. In previous versions of ColdFusion, it was always recommended to “lock down” the server it was running on. Certain settings in Internet Information Services (IIS) and your Operating System had to be applied by a System Administrator in order to accomplish this. This was such a common practice that these steps for previous versions of ColdFusion were actually published online! Now, when installing ColdFusion 10, the installer actually provides you the option to “lock down” the server it is running on with a “Secure Profile.” This feature offers some significant improvements at install, such as the ability to create separate username and passwords for an administrator and Remote Development Services (RDS). Although the “Secure Profile” is not 100% secure, it puts you on the path to properly securing your server.
Hot Fix Notifications
Another significant change in ColdFusion 10 is the hot fix installer and notification. Although most likely transparent to end users of ColdFusion applications, this feature means notifications are provided to the Administrator when a hot fix needs to be installed by listing all the updates that are available from Adobe. There is no more searching websites and determining which hot fixes should be installed. For instances when security scans are run on a regular basis, say monthly, this can be a huge time saver. Previously, we would not be aware of a hot fix unless we were pulling the information (i.e., actively monitoring Adobe’s website, looking for recently released hot fixes) or if a security scan was run and a risk was found. We would then have to assess what the risk was and if the hot fix to address the risk would cause any problems with the existing application code. If the hot fix had been released weeks earlier, perhaps the day after our last scan, we would be behind the power curve on securing the environment, and have to play catch up. Now, with notifications being pushed to the ColdFusion Administrator, users are immediately aware when the hot fix comes out and a faster determination on installing the hot fix to secure the environment can be made.
Although it is still early in the upgrade process, we are pleased that Adobe has decided to increase focus on security in ColdFusion 10. This focus allows us to use previous time spent ensuring a secure environment on other application enhancements.