AboutWeb’s ColdFusion Security Program

Making ColdFusion Secure

There have been numerous reports of ColdFusion sites being compromised recently.  The majority of these compromises occurred because the ColdFusion servers were not patched and/or were not configured securely.  In an effort to strengthen the ColdFusion infrastructure of the Internet, AboutWeb is contacting companies that run vulnerable ColdFusion servers.

How do we know if a site isn't secure?  We start with Google.  Using specially constructed searches (often called Google dorks) we can find indicators that a ColdFusion site has not been properly secured.  In the spirit of responsible disclosure we contact these companies and inform them that their sites are vulnerable.  We also offer to run a free scan that checks for other configuration issues on their site.

Security Site Scan

AboutWeb can run a free scan against your site to check for other ColdFusion vulnerabilities.  The scan is non-invasive: it inspects the headers and other information returned by standard HTTP requests for indications of known vulnerabilities or configuration issues.  It is not a comprehensive security scan; because it is non-invasive, it is limited in the vulnerabilities it can detect.  It does, however, provide a quick way to check for known vulnerabilities and improper configuration settings.
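To make the idea of a non-invasive header check concrete, here is an added example of the technique (it is illustrative code written for this page, not AboutWeb's scanner, and the page does not say which headers its scan inspects).  It sends a single ordinary GET request, or takes an already-captured set of response headers, and reports two kinds of passive findings: response headers that disclose server software or version numbers, and common hardening headers that are absent.  The header names in DISCLOSURE_HEADERS and EXPECTED_HEADERS, the severity labels, and the two sample responses are all assumptions chosen for illustration; the samples are constructed, not captured from any real site.

```python
"""Passive HTTP response-header check (added illustrative example).

Nothing here probes for or exploits a vulnerability: the only request made is
a plain GET, and the analysis works on the response headers alone.
"""
import re
from typing import Dict, List, Tuple
from urllib.request import Request, urlopen

# Headers that commonly reveal server-side software and versions (assumed list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Hardening headers a well-configured site is expected to send (assumed list).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
)

# A dotted version number such as 7.5 or 9.0.1 inside a header value.
VERSION_RE = re.compile(r"\d+(\.\d+)+")

Finding = Tuple[str, str]  # (severity, description)


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare them in lower case."""
    return {name.lower(): value for name, value in headers.items()}


def passive_findings(headers: Dict[str, str]) -> List[Finding]:
    """Return findings derived purely from the response headers.

    Software-disclosure headers are reported as 'medium' when they carry a
    version number (an attacker can map it straight to known issues) and
    'low' when they only name the product.  Missing hardening headers are
    reported as 'low'.
    """
    h = normalize(headers)
    findings: List[Finding] = []

    for name in DISCLOSURE_HEADERS:
        value = h.get(name)
        if value is None:
            continue
        severity = "medium" if VERSION_RE.search(value) else "low"
        findings.append((severity, f"{name} discloses server software: {value!r}"))

    for name in EXPECTED_HEADERS:
        if name not in h:
            findings.append(("low", f"missing hardening header: {name}"))

    return findings


def fetch_findings(url: str, timeout: float = 10.0) -> List[Finding]:
    """Issue one ordinary GET and analyse the response headers.

    This is the only network call in the example; the offline samples below
    do not use it.
    """
    req = Request(url, headers={"User-Agent": "passive-header-check/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        return passive_findings(dict(resp.headers.items()))


# Constructed sample responses (not captured from any real site).
SAMPLE_DISCLOSING = {
    "Server": "Microsoft-IIS/7.5",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "text/html; charset=utf-8",
}

SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}


if __name__ == "__main__":
    for label, sample in (("disclosing", SAMPLE_DISCLOSING), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for severity, description in passive_findings(sample) or [("info", "no findings")]:
            print(f"[{severity}] {description}")
```

Against the constructed "disclosing" response the checker reports the IIS version in the Server header as medium, the product-only X-Powered-By value as low, and the three absent hardening headers; against the "hardened" response it reports nothing.  A real scan would of course run far more checks than this, but every one of them is limited in the same way: it can only observe what the server chooses to send back to an ordinary request.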

Security Audit

AboutWeb offers a security audit service.  We will examine your web server configuration and ColdFusion configuration and conduct a quick code review.  This audit requires access to your servers and source code.  The code review looks for vulnerabilities in the categories of the OWASP Top 10.  Note that this is not a comprehensive code review; it looks specifically for security vulnerabilities, as expediently as possible, to give you an idea of what types of security issues exist in the application.  For a comprehensive code review, consider a Full Vulnerability Assessment.

This audit can usually be completed in a single day, depending on the size and number of web applications in the code review.  We cannot provide this service for free, since it requires the focused attention of our security experts.

Contact Us if you would like to schedule a consultation for any of our security services.

Learn More about Securing ColdFusion.