Google Analytics - New Tracking code

Jun 29, 2008

I've been using Google Analytics since its inception, but recently I ran into a need to have their tracking script detect SSL connections. Their original Javascript code, which simply uses the older Urchin script, didn't have a way to do this. Luckily, there was an easy solution.

Google came out with a new version of that Javascript code last year. The older code will continue to work but will not be updated. The newer version includes a number of nice features including SSL detection, Customized tracking and Cross-domain tracking.

This new code snippet is in beta (like everything in Google land). The PDF explaining the features is at http://www.google.com/analytics/GATCmigrationguide.pdf. This may be old news for some, but I figure it was worth a post.
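The idea behind the SSL detection the post describes, as an added example rather than the snippet from Google's migration guide: the page's own protocol decides which origin the tracking script is fetched from, so an HTTPS page never pulls in an HTTP script (browsers flag that as mixed content, and a plain-HTTP script could be altered on the wire). The host names below are placeholders for illustration, not Google's.

```javascript
// Added example: choose the tracking script origin from the page protocol.
// Host names are assumptions (reserved .invalid TLD), not real endpoints.
const TRACKER_HOSTS = {
  "https:": "https://ssl.example-analytics.invalid",
  "http:": "http://www.example-analytics.invalid"
};

// Return the script URL matching the page protocol. Anything that is not
// plain http: (file:, about:, unknown) falls back to the HTTPS origin, so
// the safe choice is the default rather than the exception.
function trackingScriptUrl(protocol) {
  const origin = TRACKER_HOSTS[protocol] || TRACKER_HOSTS["https:"];
  return origin + "/tracker.js";
}

// Append the script element to the document. Takes the document as a
// parameter so it can be exercised outside a browser; returns the element
// it appended, or null when no usable document is available.
function loadTracker(doc) {
  if (!doc || !doc.location || typeof doc.createElement !== "function") return null;
  const s = doc.createElement("script");
  s.src = trackingScriptUrl(doc.location.protocol);
  s.async = true;
  (doc.head || doc.body).appendChild(s);
  return s;
}

// In a page: loadTracker(document);
```

Injecting the element through `createElement` rather than `document.write` keeps the protocol check in one place and avoids building script tags from string fragments.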

PCI-DSS Requirement 6.6

Jun 25, 2008

For those of you developing or maintaining Ecommerce applications, the PCI-DSS 6.6 requirement is coming due this Monday, June 30th. Your merchant account agreement requires that you follow the PCI standard. You may also be in a state that legally binds you to follow the standard. So you could disregard this, but at your own peril. The requirement simply states:

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications.

The PCI Security Standards Council also released a supporting document to further explain the 6.6 requirements at https://www.pcisecuritystandards.org/tech/supporting_documents.htm

I am not going to rehash the requirement here. There are plenty of people talking about 6.6 and it is fairly simple to understand. Frankly, I think the supporting document waters the requirement down a bit, but the intent is very clear. You should have an infrastructure or policy in place that prevents the more common web application threats like SQL injection and cross-site scripting.

If you have the budget, I highly encourage implementing a web application firewall (WAF). A WAF is not the same as a regular firewall. Typically, network firewalls operate in the Network and Transport layers of the OSI model. They block things like IP addresses, ports and protocols. What runs over the open ports and addresses is not filtered or blocked. That is the job for a WAF, which operates at the Application layer. For example, if a hacker is sending an XSS attack over the wire, the WAF should detect, block and log the attempt.

Now you are probably going to say that your code is perfect and blocks SQL injection and XSS attacks. You use cfqueryparam and/or my Portcullis XSS filter. You properly catch errors, etc. But take a moment to think about what is happening here. If an attack is directed at your application server, it has to go through a network firewall, network switches and even your web server before it ever touches the application server (ColdFusion). If it can get through your coding, the hacker has really nothing else to worry about. Would it not be better to also have a WAF further up the chain to block and log attacks? This will add a critical layer to your security and free up your server from having to handle and catch bogus requests. Even if an attack were to get through the WAF, your proper coding should provide a further catch. This makes launching a successful attack even harder. Also, as a further note, it is simply not enough to prevent these attacks with better coding. You should be logging them and also be notified as they happen so you can closely monitor the activity. WAFs can do this for you.
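The layering argument above, as an added example that is not part of the original post and not a mod_security rule set: a toy WAF stage inspects and logs every request before the application sees it, and the application stage still parameterises its query and encodes its output regardless of the WAF verdict. The rule patterns, the `auditLog` store and the sample requests are all constructed for illustration; real WAF signatures are far larger and need tuning against false positives.

```javascript
// Added example: two independent defensive layers in front of a handler.
// Rules are deliberately simple illustrations, not a production signature set.
const wafRules = [
  { id: "xss-script-tag",    pattern: /<\s*script\b/i },
  { id: "xss-event-handler", pattern: /\bon\w+\s*=/i },   // note: also matches "one=", a tuning cost
  { id: "sqli-tautology",    pattern: /'\s*or\s+'?\d+'?\s*=\s*'?\d+/i },
  { id: "sqli-comment",      pattern: /--\s*$|\/\*/ }
];

// Blocked attempts are recorded here; in practice this feeds alerting/monitoring.
const auditLog = [];

function safeDecode(value) {
  try { return decodeURIComponent(value); } catch (e) { return value; }
}

// Layer 1: the WAF sees the raw request and inspects the decoded parameter
// values, because that is the form the application would act on.
function wafInspect(req) {
  for (const [name, value] of Object.entries(req.query)) {
    const decoded = safeDecode(value);
    for (const rule of wafRules) {
      if (rule.pattern.test(decoded)) {
        auditLog.push({ ts: req.ts, src: req.src, rule: rule.id, param: name });
        return { allowed: false, rule: rule.id };
      }
    }
  }
  return { allowed: true };
}

// Layer 2: what the application does on every request, WAF or not.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Parameterised statement: the value never becomes part of the SQL text
// (the same property cfqueryparam gives you in ColdFusion).
function buildQuery(id) {
  return { sql: "SELECT * FROM products WHERE id = ?", params: [String(id)] };
}

function handle(req) {
  const verdict = wafInspect(req);
  if (!verdict.allowed) return { status: 403, blockedBy: verdict.rule };
  const q = buildQuery(req.query.id || "");
  const body = "<p>" + htmlEncode(safeDecode(req.query.q || "")) + "</p>";
  return { status: 200, sql: q.sql, params: q.params, body };
}

// Constructed sample requests: two hostile, two benign.
const sampleRequests = [
  { ts: "2008-06-25T10:00:00Z", src: "198.51.100.7", query: { q: "%3Cscript%3E" } },
  { ts: "2008-06-25T10:00:01Z", src: "203.0.113.9",  query: { id: "42", q: "hello" } },
  { ts: "2008-06-25T10:00:02Z", src: "198.51.100.7", query: { id: "1' OR '1'='1" } },
  { ts: "2008-06-25T10:00:03Z", src: "203.0.113.9",  query: { q: "Tom & Jerry <3" } }
];

function runSamples() {
  return sampleRequests.map(handle);
}

// runSamples() -> requests 1 and 3 are 403 and logged; 2 and 4 reach the handler
// and are still parameterised/encoded by layer 2.
```

The fourth request is the point of the post: it passes the WAF because it is harmless, yet the `&` and `<` in it are still encoded by the application layer, so neither layer relies on the other being perfect.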

So how do you get a WAF? There are several hardware solutions out there. You can also set up a reverse proxy with a Linux Apache installation that uses the mod_security module. For IIS users, Port80 Software has a software solution for the Windows Server environment.

As I mention in my PCI-DSS presentations, this standard is not only good for people handling credit card information but is also a solid standard for any organization trying to properly secure their applications.

CFUnited 2008: The Adobe Keynote

Jun 18, 2008

My notes from the Adobe Keynote given this morning.

Adobe Keynote by Ben Forta / Adam Lehman

CF8 sales are the best since Adobe acquired Macromedia. CF 8.0.1 was released this spring with 64-bit support for Windows, Mac, and Linux.

Adobe is creating CF Open Process Initiatives
-Public bug database
-Public enhancement request system
-Customer Advisory Boards
 -Enterprise Developers & Community Leaders
 -CFML development
 -RIA, etc.

Work has started on Centaur
 -Advancing CFML language
 -Improve Integration
 -Improving developer experience

Planning for the Future
One of the biggest problems for CF customers is the lack of developers. So Adobe wants to push for use at the college and academic level. Announced today, CF will be freely available for students and academic use. This will be a similar model to Flex Builder for Education. You will be required to provide verification, and the product is the full, unrestricted Enterprise version for educational purposes only.

Another issue has been that, given the age of the language, CFML has become fragmented and inconsistent. So Adobe is forming a CFML Language Advisory Committee to define rules, guidelines and evolution for the language. The members include Sean Corfield, Ben Forta, Sanjeev Kumar, Gert Franz, Ray Camden, and Rob Brooks-Bilson.

Centaur Sneak Peek

Be able to create CFC methods in cfscript
-argument definition and validation
-roles
-access
-return types

So you could create entire CFC components in cfscript syntax.

Explicit local scope keeps local variables. This will work like the older var scope but you can put the cfset anywhere in the method.

<cfset local.var = 1>

You can set a default scope for a CFC. A great feature that can help scope variables in methods where people forgot to do so.

<cffinally> added to the try/catch block. Performs cleanup after a catch operation.

<cfcontinue> sends you back to the top of a loop, whereas <cfbreak> breaks you out of a loop.

Implicit constructors
 <cfcomponent init=""...> looks for an init method, then for a method named the same as the CFC.

Implicit getters/setters
 The cfproperty will generate the implicit getters and setters on the backend to save you from writing the code.

Also a new server.cfc which will have two methods: OnServerStart and OnServerEnd. So you can load objects when the server starts up and also do clean up when shutting the service down.

Working on AIR integration

<cf:Datasource> and <cf:Query> tags in the MXML language to handle CRUD operations against a backend value object. It will handle offline/online modes.

ColdFusion will have a backend ORM via Hibernate.

<cfcomponent orm="true" datasource="cfartgallery">
</cfcomponent>

CF will auto-generate the config mapping files, which you can modify. A catch with this is that there are a lot of tags that take query objects rather than a CFC object to run. So they are working on that issue.

About

John Mason's thoughts on Adobe ColdFusion, Flex, Flash and AIR development.
