I've posted the final ColdFusion 8 Product Security Briefing PDF just delivered to us by the 3rd party security firm Information Risk Management, Plc ("IRM") here:
Bottom line on this release: "...ColdFusion 8 exhibits a high degree of resilience to application layer attacks with no compromise on functionality provisioned by the new features."
At Adobe, and on the ColdFusion team, we take product and customer security very seriously. We understand the trust you place in us and the awesome responsibility we have to make sure our products are as secure as we can humanly make them, prior to ship.
To that end, we have a strict and very detailed internal Product Security Audit Policy that we adhere to.
From an engineering perspective, before any public final release, including the ColdFusion 8 release, the product undergoes an extensive, open-book, multi-phased external product security audit at key checkpoints from a reputable outside contractor who specializes in product security. It's very expensive in terms of commitment of cost and resources, but very well worth it for us and our customers, we believe.
We open our source code and discuss feature implementation at length in closed-door meetings with the security company, and the engineering team discusses every new product feature implementation and change in excruciating detail.
Each developer and QA engineer confesses his/her fears (and I have plenty of those, so I contribute my share!) about every new feature from a "Can it be hacked, abused or exploited?" perspective, and we grant full, unfettered access to our source tree and engineers to the outside firm. They're under iron-clad NDA of course, and they work diligently to tear apart what we've built, find real and potential problems and weak points, so we can fix any issues before the product ever gets near a paying customer.
Conclusion from the IRM document:
"IRM's security evaluation of ColdFusion 8 revealed that the product has been well designed with security as a major consideration during development. The ColdFusion 8 model requires certain administrative tasks to be performed as a part of deployment in order to enforce a stringent security regime. Security management of these servers is essential in ensuring security of the overall deployment. It is important to follow Adobe’s best practice guides for securing these servers and applying appropriate security patches.
Adobe also maintains resources on secure development of ColdFusion applications which can be found at the following URL: http://www.adobe.com/devnet/coldfusion/security.html.
ColdFusion developers should strive to incorporate secure coding principles into their development methodologies as highlighted by Adobe.
Overall IRM was impressed with Adobe’s integration of security processes in the development lifecycle, the result of which can be seen in ColdFusion 8, a product that withstands stringent security testing with relative ease. All of the new features incorporated in this release adhere to highest levels of application security enforcement without any compromise on functionality."