ColdFusion was hugely popular when it arrived: it had commercial support, an easy syntax for web developers, and remarkably good tooling. But existing security tooling has left those developers in a quagmire of decreasing support in a time of increasing expectations from the application security field at large. And Adobe's doing their part to help. The latest version of ColdFusion has included popular security features, like including the AntiSamy library (full disclosure: I wrote it) for protecting sites from Cross-Site Scripting (XSS).
Regarding Recent High-Profile ColdFusion Hacks
As Brian Krebs reported last year and last month, the ColdFusion platform has had its share of high-profile attacks, and high-profile attacks have a way of adjusting expectations, as the ColdFusion community did when Citroën experienced such an attack in March of this year.
As reported by SC Magazine, the attackers planted malware on a German website for fans of the French car manufacturer Citroën. (Citroën may be an unfamiliar name to people in North America; They are smaller than Ford and larger than Honda, and are among the top-ten vehicle manufacturers in the world.) The malware created backdoor access to the network. Using this backdoor, data was extracted for eight months. It only came to light via The Guardian and Alex Holden, CISO at Hold Security.
Regarding the breach, Holden said that the group behind the attack were likely the same criminal collective responsible for other high-profile hacks in which the attackers leveraged a flaw in the ColdFusion platform to compromise information. The Guardian then correctly summarized the risk implications about third party software, and specifically the ColdFusion platform:
"If you’re outsourcing to a third party or relying on a third party, you don’t just shut the door and say that is someone else’s problem. You can outsource the function but you ultimately own the risk. If that third party doesn’t have the same controls in place or the level of controls you need from a risk management standpoint there’s obviously an issue. You’re in grave risk if that company loses your data....The attacks have also proven the need to update exploitable software. The [unmasked] vulnerabilities in ColdFusion have now been patched."
Essentially it boiled down to this: the patches were available. Someone should have applied the updates. This could have been prevented. Figuring that process out and maintaining a short window of exploitability is really difficult.
But what about the other flaws? The ones that you create if you don't apply secure coding techniques? Both the SANS Institute and The Open Web Application Security Project (aka OWASP) have resources to help you code more securely in ColdFusion, and Contrast is always there to double check your spelling.
Until next time, <cfabort>!
Developing a robust application security program does not need to be a daunting task...
Perhaps, all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress to 100% coverage. By implementing eight functions within an enterprise you can assemble an effective application security program.