Educause Security Discussion mailing list archives

Re: ColdFusion Security Tool


From: Scott Norton <dsnorton () UW EDU>
Date: Fri, 31 Jan 2020 23:28:50 +0000

I strongly suspect that if their process and/or personality has led them to ColdFusion, it will be difficult to 
integrate high levels of practice and tooling. That might be a stereotype; but my personal feeling is that it is a 
philosophical alignment with those that select that product.

Making sure they deploy on ColdFusion AWS is probably your leading strategy for potential damage containment.

Good luck

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Harry Hoffman
Sent: Friday, January 31, 2020 2:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ColdFusion Security Tool

I don’t mean this in a cheeky way, but the only guidance around Cold Fusion should be to find something different.

There have been so many areas of compromise around Cold Fusion that the risk/reward evaluation is almost always 100%/0%

If they do decide to use it anyway make sure it’s on a stand-alone system that isn’t tied into something like AD or 
LDAP. And firewall it off from any systems that you deem valuable.

Cheers,
Harry

On Fri, Jan 31, 2020 at 4:14 PM Matt Hall <matthew.hall () chemeketa edu> wrote:
We are curious if anyone uses or has used Fixinator (or a similar product)?
https://fixinator.app/

We are looking for a tool to help guide a group of employees that want to use ColdFusion.

Matthew Hall
Information Security Analyst
Chemeketa Community College
Phone: (503) 584-7586
Email: Matthew.Hall () chemeketa edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
