August 5, 2006
ColdFusion 7.0.2 Product Security Audit Report Available

In the spirit of openness, we've published the final ColdFusion 7.0.2 Product Security Audit Report given to us by IRM, the third-party security firm we used to examine ColdFusion 7.0.2 for potential vulnerabilities, here:

ColdFusion 7.0.2 IRM Security Audit Whitepaper

From now on, we'll try to make a practice of publishing the full final reports from our external product vulnerability audits for future releases as well.



What kind of a methodology was used? Static analysis? Manual code review? Threat modeling? Were any issues found that were later fixed?

The report is very, very vague.

IRM used all of the above techniques, as well as the described analysis of the generated CFML Wizard code. It is the final report, and while it doesn't detail the issues found and fixed in the release, it does speak to the fact that all of the issues found were addressed to their satisfaction, and then subsequently re-reviewed to their satisfaction one more time before they issued this final report.

We gave them complete source code (under iron-clad NDA of course), direct, unlimited access to our engineers, did deep-dives on the features, adapters and gateways and confessed where we were worried about problems. The IRM team made note, and with access to ColdFusion and Flex source code, dug in deep and they found problems we had to address.

They found issues ranging from potential SQL injection issues with the generated CFML code, to mandating that we lock down the RMI CF/FDS listeners to localhost by default, to mandating that we change the way we coded some things, to identifying a potential DoS attack scenario (and a recommended resolution, which we implemented), etc.