SECURING LEGACY CFML
PETE FREITAG, FOUNDEO INC.
ABOUT PETE
• My Company: Foundeo Inc.
• Consulting: Code Reviews, Server Reviews, Development
• FuseGuard: Web App Firewall for CFML
• HackMyCF: Server Security Scanner
• Blog (petefreitag.com), Twitter (@pfreitag), #CFML Slack
• The guy behind cfdocs.org, the community-sourced CFML docs.
AGENDA
• Legacy Code Challenges
• How do you get started?
• Low Hanging Fruit
• Things to focus on
• What’s Next?
• Disclaimer: This approach may not be appropriate for all scenarios. It is a generalized approach which I have found works well for many.
DO YOU HAVE TO WORK WITH LEGACY CODE?
LEGACY CODE TYPICALLY
• Has a large codebase (thousands of source code files)
• Has code you hope you don't have to see again.
• Can take weeks, but often months of work to properly secure.
• Can be hard to fix, brittle
• Probably uses outdated techniques
HOW TO APPROACH FIXING A LARGE CODEBASE
• Beast Mode - Spend several weeks dedicated to identifying & fixing vulnerabilities.
• Prioritize - Spend time identifying the most critical vulnerabilities and patch less critical vulnerabilities as you see them.
• As you go - As you work on files, fix vulnerabilities as you see them. You may never fix some vulnerabilities with this approach.
SECURING THAT LEGACY CODE
HOW DO YOU START?
STEP 1: DELETE THE CODE!
LEGACY CODEBASES ARE LARGE, BUT…
MUCH OF THE CODE PROBABLY NEVER RUNS
YOU MIGHT BE USING… HOMEMADE VERSION CONTROL
• index_2.cfm
• index.old.cfm
• index-backup.cfm
• index-2007-03-04.cfm
• index-copy.cfm
• folder_backup2009/
VERSION CONTROL
• Those backup folders and files are probably full of vulnerabilities.
• A version control server keeps backups of all your code and every change you have ever made to it.
• Sync the server's source code with version control.
• Diff the deployed code against the repository to identify whether someone changed something on the server.
IDENTIFY UNUSED CODE
• Spend some time to identify unused code.
• Delete it!
• Version control has your back: if you deleted something you need, you can recover it from the repository.
“THERE ARE LOTS OF FADS IN SOFTWARE DEVELOPMENT, VERSION CONTROL IS NOT ONE OF THEM.”
WELCOME TO THE 90’S
PATCH THAT SERVER
• Use ColdFusion 10 or greater (CF9 and below are no longer supported and no longer patched by Adobe).
• Railo has not been touched since 2014, use Lucee (it is very easy to switch).
• Windows Server 2008 (mainstream support ended 2015)
• Java 8+ (Java 7 reached EOL in 2015, Java 6 in 2013; neither receives public updates)
FIX VULNERABILITIES
PATCH THAT SERVER
• Multiple denial of service vulnerabilities in old versions of Java
• Path traversal via null byte injection in the JVM (fixed in Java 7u40 and later, which reject file names containing a null byte)
• CRLF injection into response headers (fixed in CF10+)
• File uploads are "somewhat" more secure (CF10+)
• TLS / SSL protocol implementations (Java 6 has no TLS 1.1/1.2; Java 7 has them but does not enable them for clients by default)
• Java 8 is not supported on CF9 and below
LOCKDOWN THE SERVER: MITIGATES THE POTENTIAL IMPACT OF A VULNERABILITY
• If your CFML server is running as SYSTEM or root, then an attacker who gets code execution can do a lot more harm. Run it as a dedicated low-privilege user.
• Give the CFML server user read-only access to the web root, so a compromised application cannot write a new .cfm file (a web shell) into it.
WEB APPLICATION FIREWALLS
IMPLEMENT A WAF
• Inspect HTTP Request or Response
• Block or log malicious requests
• Several options
• Hardware
• Web Server Level - ModSecurity
• Application Level - FuseGuard
SECURING THAT LEGACY CFML
HOW DO YOU START?
STEP 2: IDENTIFY HIGH RISK
VULNERABILITIES IN YOUR CODE.
TAKE CARE OF THESE FIRST
HIGH RISK VULNERABILITIES
• File Uploads
• Dynamic Evaluation Issues
• SQL Queries (SQL Injection)
• File System Access / Path Traversals
• Dynamic Process Execution (CFEXECUTE)
• Anything that can fully compromise server
REMOTE CODE EXECUTION VIA EVALUATE
CODE EXAMPLE: COMMON LEGACY EVALUATE
<!--- url.day is attacker controlled: Evaluate() compiles and runs whatever expression it builds, not just "day_1" --->
<cfset day_1 = "Wednesday">
<cfset day_2 = "Thursday">
<cfset day_3 = "Friday">
<cfoutput>
#Evaluate("day_#url.day#")#
</cfoutput>
FIXING THE LEGACY EVALUATE EXAMPLE: USE BRACKET NOTATION
<!--- url.day is now only a struct key: an unexpected value throws an error instead of executing code --->
<cfset day_1 = "Wednesday">
<cfset day_2 = "Thursday">
<cfset day_3 = "Friday">
<cfoutput>
#variables["day_#url.day#"]#
</cfoutput>
SEARCH CODE FOR EVALUATE
FIXING EVALUATE ISSUES
• Search Code for "Evaluate"
• In most cases you should not need to use Evaluate at all, use
brackets.
• If the variable is a query you may need to use
queryName[row][columnName] notation.
• Not all cases are super simple to fix, but most are.
• Remove all Evaluate calls from your code.
DO ANY OTHER
FUNCTIONS EVALUATE
DYNAMICALLY?
IIF: IF YOU ARE USING IIF, STOP USING IIF
Hi #iif(len(url.name) EQ 0, de("Friend"), de(url.name))#
The second and third arguments are evaluated dynamically!
FIXING IIF: USE THE TERNARY OPERATOR (CF9+, LUCEE)
Hi #(!len(url.name)) ? "Friend" : url.name#
OR THE ELVIS OPERATOR (CF11+, LUCEE)
Hi #url.name?:"Friend"#
The Elvis operator tests whether url.name is defined / not null, so unlike the iif version an empty url.name still prints an empty name. (Both still output url.name unescaped; see Cross Site Scripting under What's Next.)
DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
YES! The PrecisionEvaluate function also dynamically evaluates expressions.
YES! Lucee 5 has added a render function that evaluates tags dynamically.
Any others? NO! Not that I know of.
FILE UPLOADS: COMMON YET DANGEROUS
FILE UPLOAD EXAMPLE
FILE UPLOADS: 3 RULES
• The upload destination must be outside of the web root
• Always validate the file extension against a whitelist
• Don't trust MIME type validation via the accept attribute: the content type comes from the client and can be set to anything
FILE UPLOADS: ADDITIONAL TIPS
• Inspect the file content: fileGetMimeType, isImageFile, isPDFFile, etc.
• Upload to a static content server (S3 for example)
• Upload directly to S3: https://www.petefreitag.com/item/833.cfm
• Make sure the directory serving uploaded files cannot serve dynamic content.
• File extension whitelist on the web server (eg IIS Request Filtering)
• secureupload.cfc: https://github.com/foundeo/cfml-security/
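An added example, not the deck's own upload slide and not the secureupload.cfc from the foundeo/cfml-security repository, showing the three rules and the content-inspection tip together in one cfscript CFC. It assumes CF10+ or Lucee (getCanonicalPath, fileGetMimeType with strict, server.separator.file), that isPDFFile is available (Adobe CF, or Lucee with its PDF extension), and that the form field name, destination directory and extension list are chosen by the caller; the names SecureUpload and saveUpload are illustrative.

```cfml
/**
 * SecureUpload.cfc (added example; assumes CF10+ or Lucee).
 * Saves an uploaded file under the three rules from the deck and inspects its content.
 */
component {

    /**
     * Saves the file posted in form field `fieldName` to `destDir`.
     *  Rule 1: destDir must be outside the web root.
     *  Rule 2: the extension is whitelisted as it landed on disk, not as the browser named it.
     *  Rule 3: the browser-supplied MIME type (accept attribute) is ignored; the bytes are inspected.
     * Returns {path, extension, mimeType}; throws and removes the file on any violation.
     */
    public struct function saveUpload(
        required string fieldName,
        required string destDir,
        string allowedExt = "jpg,jpeg,png,gif,pdf"
    ) {
        // Rule 1: refuse any destination inside (or equal to) the web root
        var webRoot = getCanonicalPath(expandPath("/"));
        var dest    = getCanonicalPath(arguments.destDir);
        if (compareNoCase(left(dest, len(webRoot)), webRoot) == 0) {
            throw(type="SecureUpload.BadDestination",
                  message="Upload destination must be outside the web root: " & dest);
        }

        // Rule 3: no accept filter at upload time, the client's Content-Type proves nothing.
        // cffile has to write the file somewhere before we can look at it; it is deleted
        // below if it fails a check, which is only safe because dest is outside the web root.
        var result    = fileUpload(dest, arguments.fieldName, "", "makeunique");
        var savedPath = result.serverDirectory & server.separator.file & result.serverFile;

        // Rule 2: whitelist the extension of the file as it exists on disk
        var ext = lCase(result.serverFileExt);
        if (!listFindNoCase(arguments.allowedExt, ext)) {
            fileDelete(savedPath);
            throw(type="SecureUpload.BadExtension", message="Extension not allowed: " & ext);
        }

        // Additional tip: inspect the content, the name alone is not evidence
        var contentOk = false;
        if (listFindNoCase("jpg,jpeg,png,gif", ext)) {
            contentOk = isImageFile(savedPath);
        } else if (ext == "pdf") {
            contentOk = isPDFFile(savedPath);
        }
        if (!contentOk) {
            fileDelete(savedPath);
            throw(type="SecureUpload.BadContent",
                  message="File content does not match extension " & ext);
        }

        return {
            path      = savedPath,
            extension = ext,
            // strict=true sniffs the bytes instead of guessing from the file name
            mimeType  = fileGetMimeType(savedPath, true)
        };
    }
}
```

Usage from a form handler: `upload = new SecureUpload().saveUpload("photo", "/var/app-uploads");` and then serve the stored file through a handler or push it to S3 as the tips above suggest, never by exposing the upload directory itself.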
FILE SYSTEM ACCESS & PATH TRAVERSAL
VULNERABLE CODE EXAMPLE: PATH TRAVERSAL
<!--- fileName is attacker controlled: "../../Application.cfc" escapes the intended directory, and any file cfinclude reaches is processed as a CFML template --->
<cfinclude template="path/#fileName#">
PATH TRAVERSAL EXAMPLE
FIXING PATH TRAVERSALS: TIPS
• Avoid variables in paths
• If you really need to use a variable, strip out everything except a-z0-9
• Use the CF11+ Application.cfc setting this.compileExtForInclude so that cfinclude only compiles files with the listed extensions (eg "cfm,cfml").
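An added example, not code from the deck, showing the three tips applied to the vulnerable cfinclude above: a fixed lookup map first, the a-z0-9 strip as a fallback, and a canonical-path check as defence in depth. It assumes CF10+ or Lucee (getCanonicalPath, script include) and that the includable pages live under /pages/; the component name, the page map and the directory are illustrative.

```cfml
/**
 * PageRouter.cfc (added example; assumes CF10+ or Lucee).
 * Replaces <cfinclude template="path/#fileName#"> with a lookup that user input cannot steer.
 */
component {

    // Tip 1: avoid variables in paths. A fixed map turns the request into a lookup key,
    // so the only templates that can ever be included are the ones listed here.
    variables.pageDir = "/pages/";
    variables.pages   = { "home" = "home.cfm", "news" = "news.cfm", "contact" = "contact.cfm" };

    /** Returns the template path to include for a user-supplied page key, or throws. */
    public string function resolve(required string requested) {
        if (structKeyExists(variables.pages, arguments.requested)) {
            return variables.pageDir & variables.pages[arguments.requested];
        }

        // Tip 2: if a variable really must become part of the path, strip everything except a-z0-9.
        // "../../Application.cfc" becomes "applicationcfc", which cannot leave the directory.
        var safeName = reReplace(lCase(arguments.requested), "[^a-z0-9]", "", "all");
        if (!len(safeName)) {
            throw(type="PageRouter.NotFound", message="No page requested");
        }
        var candidate = variables.pageDir & safeName & ".cfm";

        // Defence in depth: the canonical path must still sit under the pages directory and exist
        var base = getCanonicalPath(expandPath(variables.pageDir));
        var full = getCanonicalPath(expandPath(candidate));
        if (compareNoCase(left(full, len(base)), base) != 0 || !fileExists(full)) {
            throw(type="PageRouter.NotFound", message="Unknown page: " & safeName);
        }
        return candidate;
    }

    /** Includes the resolved template; resolve() fixes the extension to .cfm. */
    public void function render(required string requested) {
        var template = resolve(arguments.requested);
        include "#template#";
    }
}
```

Call it as `new PageRouter().render(url.page)`. Tip 3 belongs in Application.cfc rather than here: `this.compileExtForInclude = "cfm,cfml";` (CF11+) stops cfinclude from compiling a file with any other extension, such as an uploaded .txt or .jpg that happens to contain CFML.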
FINDING FILE ACCESS ISSUES (CAN BE TIME CONSUMING)
• Review all function calls / tags that access the file system
• cffile, cfdocument, cfinclude, cfmodule, cfspreadsheet
• fileRead, fileWrite, fileOpen, etc.
SQL INJECTION
CODE EXAMPLE: CLASSIC SQL INJECTION
<cfquery>
SELECT title, story
FROM news
WHERE id = #url.id#
</cfquery>
CODE EXAMPLE: FIXING SQL INJECTION
<!--- cfqueryparam binds url.id as a query parameter; cfsqltype also rejects a non-integer value before the query runs --->
<cfquery>
SELECT title, story
FROM news
WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
SQL INJECTION: SCRIPT BASED
queryExecute("SELECT story FROM news WHERE id = :id", {id=url.id}); // Not vulnerable: :id is a bound parameter
queryExecute("SELECT story FROM news WHERE id = #url.id#"); // Vulnerable: url.id is interpolated into the SQL string
FINDING SQL INJECTION
• Search the codebase for cfquery, queryExecute, ormExecuteQuery
• Use a static code analyzer (ColdFusion Builder 2016 includes one)
• Fix each one when you see it as you work
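The "search the code" steps in this deck (the homemade version control files, the search for Evaluate and the other dynamically evaluating functions, the review of file system tags and functions, and the search for cfquery / queryExecute / ormExecuteQuery) are all the same kind of pass over the source tree. The following is an added example of that pass as one cfscript CFC; it is not the ColdFusion Builder analyzer, not a Foundeo tool, and not code from the deck. It assumes CF10+ or Lucee (directoryList, arrayAppend with merge, var declarations inside loops) and works line by line with regular expressions, so it is a heuristic: expect false positives and review every hit rather than trusting a clean run.

```cfml
/**
 * LegacyAudit.cfc (added example; assumes CF10+ or Lucee).
 * Flags backup-named files, dynamic evaluation, file system access and
 * unparameterized SQL so they can be reviewed and fixed.
 */
component {

    // Homemade version control: index_2.cfm, index.old.cfm, index-backup.cfm,
    // index-2007-03-04.cfm, index-copy.cfm, folder_backup2009/
    variables.backupFile = "(_\d+|\.old|[-_.](backup|bak|copy|orig)|[-_]\d{4}-\d{2}-\d{2})\.cf[mc]$";
    variables.backupDir  = "[\\/][^\\/]*(backup|_old|\.bak)[^\\/]*[\\/]";

    // Functions that evaluate their arguments dynamically (render is Lucee 5)
    variables.dynamicEval = "\b(evaluate|precisionEvaluate|iif|render)\s*\(";

    // Tags and functions that reach the file system or spawn a process
    variables.fileAccess = "<cf(include|file|document|module|spreadsheet|execute)\b|"
        & "\b(fileRead|fileWrite|fileOpen|fileCopy|fileMove|fileDelete|directoryList|directoryDelete)\s*\(";

    /** Scans one source string; `label` only appears in the findings (a path when called via auditFile). */
    public array function auditSource(required string source, string label = "(inline)") {
        var findings = [];
        var lines    = listToArray(arguments.source, chr(10), true);
        var inQuery  = false;

        for (var i = 1; i <= arrayLen(lines); i++) {
            var line = lines[i];

            if (reFindNoCase(variables.dynamicEval, line)) {
                arrayAppend(findings, finding(arguments.label, i, "dynamic-evaluation", line));
            }

            // Tag style: any #...# inside a cfquery body that is not a cfqueryparam is a candidate.
            // The opening tag is stripped first because datasource="#ds#" is legitimate.
            if (reFindNoCase("<cfquery\b", line)) {
                inQuery = true;
                line = reReplaceNoCase(line, "<cfquery[^>]*>", "", "all");
            }
            if (inQuery && find("##", line) && !findNoCase("cfqueryparam", line)) {
                arrayAppend(findings, finding(arguments.label, i, "sql-injection", lines[i]));
            }
            if (findNoCase("</cfquery>", line)) {
                inQuery = false;
            }
            // Script style: interpolation inside the SQL string argument
            if (reFindNoCase("\b(queryExecute|ormExecuteQuery)\s*\(\s*[""'][^""']*##", line)) {
                arrayAppend(findings, finding(arguments.label, i, "sql-injection", lines[i]));
            }

            // File access: report every use, and mark the ones that build a path from a variable
            if (reFindNoCase(variables.fileAccess, line)) {
                var kind = find("##", line) ? "file-access-dynamic" : "file-access";
                arrayAppend(findings, finding(arguments.label, i, kind, lines[i]));
            }
        }
        return findings;
    }

    /** Scans one file on disk. */
    public array function auditFile(required string path) {
        return auditSource(fileRead(arguments.path), arguments.path);
    }

    /** Recursively scans every .cfm/.cfc/.cfml under `root`, also flagging backup-named files and folders. */
    public array function auditDirectory(required string root) {
        var findings = [];
        var files    = directoryList(arguments.root, true, "path");
        for (var path in files) {
            if (!listFindNoCase("cfm,cfc,cfml", listLast(path, "."))) {
                continue;
            }
            if (reFindNoCase(variables.backupFile, getFileFromPath(path))) {
                arrayAppend(findings, finding(path, 0, "backup-file", "delete it, version control has your back"));
            } else if (reFindNoCase(variables.backupDir, path)) {
                arrayAppend(findings, finding(path, 0, "backup-folder", "delete it, version control has your back"));
            }
            arrayAppend(findings, auditFile(path), true);
        }
        return findings;
    }

    private struct function finding(string file, numeric line, string type, string text) {
        return { file = arguments.file, line = arguments.line, type = arguments.type, text = trim(arguments.text) };
    }
}
```

Run it against a checkout with `writeDump(new LegacyAudit().auditDirectory(expandPath("/")))`. On the deck's own snippets it reports the Evaluate and iif lines as dynamic-evaluation, `WHERE id = #url.id#` and the interpolated queryExecute as sql-injection, and `<cfinclude template="path/#fileName#">` as file-access-dynamic, while the bracket-notation, cfqueryparam and `:id` versions produce no hit. A cfqueryparam that sits on a different line from the `#` it protects, or a `#` inside a SQL comment, will still be flagged; that is the price of a line-based heuristic, and the reason each hit gets a human review.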
SECURING LEGACY CFML
STEP 3: FIX ADDITIONAL VULNERABILITIES IN YOUR CODE.
WHAT'S NEXT: TO REVIEW
• Session Handling (sessionRotate, sessionInvalidate)
• Scope Injection
• Authentication / Authorization / Forgot / Remember Me Code
• Cross Site Scripting
• Cross Site Request Forgery
• Timing Attacks
• Visit OWASP.org for tons of info about web application
vulnerabilities
THANK YOU
Questions?
Pete Freitag
pete@foundeo.com
foundeo.com | fuseguard.com | hackmycf.com
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 

Securing Legacy CFML Code

  • 1. SECURING LEGACY CFML PETE FREITAG, FOUNDEO INC. foundeo
  • 2. ABOUT PETE • My Company: Foundeo Inc. • Consulting: Code Reviews, Server Reviews, Development • FuseGuard: Web App Firewall for CFML • HackMyCF: Server Security Scanner • Blog (petefreitag.com), Twitter (@pfreitag), #CFML Slack • Guy behind cfdocs.org community sourced CFML docs.
  • 3. AGENDA • Legacy Code Challenges • How do you get started? • Low Hanging Fruit • Things to focus on • What’s Next? • Disclaimer: This approach may not be appropriate for all scenarios. This is a generalized approach which I have found can work well for many.
  • 5. TYPICALLY LEGACY CODE • Has a large codebase (thousands of source code files) • Has code you hope you don't have to see again. • Can take weeks, but often months of work to properly secure. • Can be hard to fix, brittle • Probably uses outdated techniques
  • 6. FIXING A LARGE CODEBASE HOW TO APPROACH • Beast Mode - Spend several weeks dedicated to identifying & fixing vulnerabilities. • Prioritize - Spend time identifying the most critical vulnerabilities and patch less critical vulnerabilities as you see them. • As you go - As you work on files fix vulnerabilities as you see them. You may not ever fix some vulnerabilities with this approach.
  • 7. SECURING THAT LEGACY CODE HOW DO YOU START? STEP 1: DELETE THE CODE!
  • 8. LEGACY CODEBASES ARE LARGE BUT… MUCH OF THE CODE PROBABLY NEVER RUNS
  • 9. HOMEMADE VERSION CONTROL YOU MIGHT BE USING… • index_2.cfm • index.old.cfm • index-backup.cfm • index-2007-03-04.cfm • index-copy.cfm • folder_backup2009/
  • 10. VERSION CONTROL • Those backup folders and files are probably full of vulnerabilities. • Version Control Server keeps backups of all your code and all changes you have ever made to it. • Sync server source code with version control. • Identify if someone changed something on the server.
  • 11. IDENTIFY UNUSED CODE VERSION CONTROL • Spend some time to identify unused code. • Delete it! • Version control has your back, if you deleted something you can recover it from the repository.
  • 12. “THERE ARE LOTS OF FADS IN SOFTWARE DEVELOPMENT, VERSION CONTROL IS NOT ONE OF THEM.”
  • 13. WELCOME TO THE 90’S PATCH THAT SERVER • Use ColdFusion 10 or greater (CF9 and below are no longer supported and no longer patched by Adobe). • Railo has not been touched since 2014, use Lucee (it is very easy to switch). • Windows 2008 (EOL 2015) • Java 8+, Java 7 (EOL 2015), Java 6 (EOL 2013)
  • 14. FIX VULNERABILITIES PATCH THAT SERVER • Multiple Denial of Service Vulnerabilities in old versions of Java • Path Traversal via Null Byte injection JVM • CRLF Injection (CF10+) • File Uploads “somewhat” more secure (CF10+) • TLS / SSL Protocol Implementations • Java 8 Not supported on CF9 and below
  • 15. MITIGATES POTENTIAL IMPACT OF A VULNERABILITY LOCKDOWN THE SERVER • If your CFML server is running as SYSTEM or root then the attacker can do a lot more harm. • The CFML server user should have read-only access to the web root.
  • 16. WEB APPLICATION FIREWALLS IMPLEMENT A WAF • Inspect HTTP Request or Response • Block or log malicious requests • Several options • Hardware • Web Server Level - ModSecurity • Application Level - FuseGuard
  • 17. SECURING THAT LEGACY CFML? HOW DO YOU START STEP 2: IDENTIFY HIGH RISK VULNERABILITIES IN YOUR CODE.
  • 18. TAKE CARE OF THESE FIRST HIGH RISK VULNERABILITIES • File Uploads • Dynamic Evaluation Issues • SQL Queries (SQL Injection) • File System Access / Path Traversals • Dynamic Process Execution (CFEXECUTE) • Anything that can fully compromise server
  • 20. CODE EXAMPLE COMMON LEGACY EVALUATE <cfset day_1 = "Wednesday"> <cfset day_2 = "Thursday"> <cfset day_3 = "Friday"> <cfoutput> #Evaluate("day_#url.day#")# </cfoutput>
  • 22. USE BRACKET NOTATION FIXING LEGACY EVALUATE EXAMPLE <cfset day_1 = "Wednesday"> <cfset day_2 = "Thursday"> <cfset day_3 = "Friday"> <cfoutput> #variables["day_#url.day#"]# </cfoutput>
  • 23. SEARCH CODE FOR EVALUATE FIXING EVALUATE ISSUES • Search Code for "Evaluate" • In most cases you should not need to use Evaluate at all, use brackets. • If the variable is a query you may need to use queryName[row][columnName] notation. • Not all cases are super simple to fix, but most are. • Remove all Evaluate calls from your code.
  • 24. DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
  • 25. IF YOU ARE USING IIF STOP USING IIF IIF Hi #iif(len(url.name) EQ 0, de("Friend"), de(url.name))# The second and third arguments are evaluated dynamically!
  • 27. USE TERNARY OPERATOR (CF9+, LUCEE) FIXING IIF Hi #(!len(url.name)) ? "Friend" : url.name# Hi #url.name?:"Friend"# ELVIS OPERATOR (CF11+, LUCEE) Elvis Operator tests to see if url.name is defined / not null
  • 28. DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
  • 29. YES! The PrecisionEvaluate function also dynamically evaluates expressions
  • 30. DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
  • 31. YES! Lucee 5 has added a render function that evaluates tags dynamically.
  • 32. DO ANY OTHER FUNCTIONS EVALUATE DYNAMICALLY?
  • 33. NO! Not that I know of
  • 36. 3 RULES FILE UPLOADS • The upload destination must be outside of the web root • Always validate the file extension against a whitelist • Don't trust mime type validation in the accept attribute
  • 37. ADDITIONAL TIPS FILE UPLOADS • Inspect file content: fileGetMimeType, isImageFile, isPDFFile, etc • Upload to static content server (s3 for example) • Upload directly to s3: https://www.petefreitag.com/item/833.cfm • Make sure directory serving uploaded files cannot serve dynamic content. • File Extension Whitelist on Web Server (eg IIS Request Filtering) • secureupload.cfc: https://github.com/foundeo/cfml-security/
  • 39. VULNERABLE CODE EXAMPLE PATH TRAVERSAL <cfinclude template="path/#fileName#">
  • 41. TIPS FIXING PATH TRAVERSALS • Avoid variables in paths • If you really need to use a variable strip out everything except a-z0-9 • Use the CF11 Application.cfc setting this.compileExtForInclude.
  • 42. CAN BE TIME CONSUMING FINDING FILE ACCESS ISSUES • Review all function calls / tags that access file system • cffile, cfdocument, cfinclude, cfmodule, cfspreadsheet • fileRead, fileWrite, fileOpen, etc
  • 44. CODE EXAMPLE CLASSIC SQL INJECTION <cfquery> SELECT title, story FROM news WHERE id = #url.id# </cfquery>
  • 45. CODE EXAMPLE FIXING SQL INJECTION <cfquery> SELECT title, story FROM news WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer"> </cfquery>
  • 46. SQL INJECTION SCRIPT BASED Not Vulnerable: queryExecute("SELECT story FROM news WHERE id = :id", {id=url.id}); Vulnerable: queryExecute("SELECT story FROM news WHERE id = #url.id#");
  • 47. FINDING SQL INJECTION • Search codebase for cfquery, queryExecute, ormExecuteQuery • Use Static Code Analyzer (CFBuilder 2016) • Fix when you see one as you work
  • 48. SECURING LEGACY CFML STEP 3: FIX ADDITIONAL VULNERABILITIES IN YOUR CODE.
  • 49. TO REVIEW WHAT'S NEXT • Session Handling (sessionRotate, sessionInvalidate) • Scope Injection • Authentication / Authorization / Forgot / Remember Me Code • Cross Site Scripting • Cross Site Request Forgery • Timing Attacks • Visit OWASP.org for tons of info about web application vulnerabilities
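The "search the code for ..." steps from slides 23, 42 and 47 (plus the backup-file names from slide 9) can be mechanised for a first triage pass over a large code base. The scanner below is an added example, not code from the talk or from Foundeo; its regexes, rule names and the two sample files are constructed for this demonstration and are heuristics, not a CFML parser, so every hit still needs a human review.

```python
"""Triage scanner for legacy CFML (added example, not code from the talk).
Mechanises the slides' "search the code for ..." steps with first-pass
regex heuristics, not a parser: review every hit by hand."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "file line rule snippet")

# Dynamic evaluation: Evaluate, PrecisionEvaluate, iif, and Lucee 5's render.
DYNAMIC_EVAL = re.compile(r"\b(evaluate|precisionevaluate|iif|render)\s*\(", re.I)
PROCESS_EXEC = re.compile(r"<cfexecute\b", re.I)
# A #expression# in a cfquery body outside any cfqueryparam tag, or inside
# the SQL string handed to queryExecute, is an injection candidate.
CFQUERY_BLOCK = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
QUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
HASH_EXPR = re.compile(r"#[^#\n]+#")
QUERY_EXECUTE = re.compile(r"\bqueryExecute\s*\(\s*([\"'])(.*?)\1", re.I | re.S)
# Variables inside paths given to file tags and file functions (traversal).
FILE_TAG_PATH = re.compile(
    r"<(cfinclude|cfmodule|cffile|cfdocument|cfspreadsheet)\b[^>]*"
    r"\b(template|file|destination|source|filename)\s*=\s*\"[^\"]*#[^\"]*\"", re.I)
FILE_FUNC_PATH = re.compile(
    r"\b(fileRead|fileWrite|fileOpen|fileDelete|fileCopy|fileMove)\s*\([^;\n]*#", re.I)
# "Homemade version control" names: delete these rather than review them.
BACKUP_NAME = re.compile(
    r"(_\d+|[._-](old|bak|backup|copy)|-\d{4}-\d{2}-\d{2})\.cfm$|backup\d*/", re.I)


def _line_of(src, pos):
    return src.count("\n", 0, pos) + 1          # 1-based line of offset pos


def scan_source(name, src):
    """Findings for one CFML file, sorted by line (line 0 = the file name)."""
    hits = []
    if BACKUP_NAME.search(name):
        hits.append(Finding(name, 0, "backup-copy", name))
    for rule, rx in (("dynamic-eval", DYNAMIC_EVAL), ("cfexecute", PROCESS_EXEC),
                     ("file-path", FILE_TAG_PATH), ("file-path", FILE_FUNC_PATH)):
        for m in rx.finditer(src):
            hits.append(Finding(name, _line_of(src, m.start()), rule, m.group(0)))
    for q in CFQUERY_BLOCK.finditer(src):
        body, base = q.group(1), q.start(1)
        safe = [p.span() for p in QUERYPARAM.finditer(body)]   # parameterised spans
        for h in HASH_EXPR.finditer(body):
            if not any(a <= h.start() < b for a, b in safe):
                hits.append(Finding(name, _line_of(src, base + h.start()), "sql-injection", h.group(0)))
    for q in QUERY_EXECUTE.finditer(src):
        for h in HASH_EXPR.finditer(q.group(2)):
            hits.append(Finding(name, _line_of(src, q.start(2) + h.start()), "sql-injection", h.group(0)))
    return sorted(hits, key=lambda f: f.line)


# Constructed sample sources, modelled on the slide examples.
SAMPLE_FILES = {
    "news.cfm": """<cfoutput>#Evaluate("day_#url.day#")#</cfoutput>
<cfquery name="q">SELECT title, story FROM news WHERE id = #url.id#</cfquery>
<cfquery name="ok">SELECT title FROM news WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer"></cfquery>
<cfinclude template="path/#fileName#">
Hi #iif(len(url.name) EQ 0, de("Friend"), de(url.name))#
<cfset r = queryExecute("SELECT story FROM news WHERE id = #url.id#")>
""",
    "index.old.cfm": '<cfset txt = fileRead(expandPath("uploads/#url.f#"))>\n<cfexecute name="#cmd#"></cfexecute>\n',
}
```

Run `scan_source(name, text)` over each file in the tree; the parameterised query in the sample produces no finding while the interpolated ones do.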