cf.Objective() Preview

In April I will be presenting a lot of things at cf.Objective(). Here is a short list:

Secure CFML training

Pete Freitag and I will be doing a full-day training on building secure CFML applications. We are going to be taking a fun, pragmatic approach to the topic.

We will start with an application that is full of vulnerabilities and we are going to hack that application. We are actually going to deploy real attacks against the application to see how it works. We'll even use some hacker tools to automate attacks. By doing this we can better learn how to think like a hacker, which better enables us to code while thinking "how could this be exploited?".

[More]

A warning about ColdFusion's scriptProtect

It's not very often that you will hear me badmouth ColdFusion, but in this case, I feel compelled. ColdFusion has some truly fantastic features and in many ways makes securing web applications easier, but in this case, it has provided little but a false sense of security.

What is scriptProtect?

In case you are not familiar with ColdFusion's scriptProtect feature, it is a pattern matching utility that automatically checks all of the ColdFusion scopes over which an end user has control looking for what it deems is malicious script. It is designed to stop Cross-site scripting (XSS) attacks from being used against your application.

[More]

2010 CWE/SANS Top 25 Most Dangerous Programming Errors - Released

I love application security learning resources. The OWASP Top Ten project is one that I always direct people to, as well as numerous books on application security.

One resource I am not sure I have directed people to in the past is

[More]

Passwords with spaces - Security Series #4.7

The other day in #coldfusion on DALnet IRC chat, several of us got to talking about passwords and about the simple password strength function that I had made some time ago. We worked on improving the regex and making it a better function. But then we got to talking about whitespace.

One of the people I was talking to asked "Why don't you allow spaces in password?". He saw that my password strength checker did not allow white space in it. This is something I asked myself a while ago, but I never really spent any time thinking about it.

Unfortunately, the only answer I could offer was "I dunno, I thought passwords weren't supposed to have spaces".

[More]

Tonight on the Smithsonian Channel - System Crash: Break and Enter - Security

I caught the last half of the new System Crash show on the Smithsonian Channel last night. This particular show was called "Break and Enter" and is about cyber-security, hacking, and threats to online privacy.

From the show description

Take a disturbing trip to the dark side of the Internet, where cyber crooks pose a constant threat to our finances, privacy, even our national security. Discover how hackers can attack major corporations and bring entire countries to a standstill, and what, if anything, we can do to stop them.

[More]

cf.Objective Preconference Training Opportunities

I hope everyone is aware of the cf.Objective() conference that takes place in Minneapolis/St. Paul every year. In case you are not, you should know that it is an absolutely AMAZING event.

cf.Objective() is touted as "The World's Only Enterprise Engineering Conference for ColdFusion Developers". I have been to two cf.Objective() conferences so far, and this year will be my third. I am very excited about it.

Two years ago, there was a two-day pre-conference training session held on the Mach-II framework. It was a very successful training (I believe they sold out every seat), but beyond that, it was a fantastic training. I attended it, and I loved it. I learned a lot. Last year they had ColdBox training prior to the conference. I did not attend that one, but I hear it was also great.

This year, the organizers of cf.Objective() are trying the pre-conference training again, but with more training sessions. This year there will be six!

[More]

Insecure Direct Object Reference - Security Series #15

The first time I looked at the OWASP Top Ten web vulnerabilities, they all made sense to me, save for one. That one was A4 - Insecure Direct Object Reference. At the time I was still pretty new to object-oriented programming and so the first thing I thought was that it was referring to those kinds of objects.

But that is not what they are talking about. They are talking about any direct reference to an "implementation object", meaning objects like files, folders, database records, or other types of "keys".

[More]

I will be speaking at cf.Objective() 2010 on Security Topics (duh)

I received word last week that two of the topic proposals I submitted to the cf.Objective() planning committee were accepted. I am very excited and honored by this. It's nice to know that people think what I have to say is worth while.

You may have guessed that I will be talking about security, since that seems to be what I enjoy talking about most. But this year will be a little different.

[More]

The Winners of the Fusion Authority Quarterly Update giveaway.

I just closed the comments of my last post announcing the release of the new Fusion Authority Quarterly Update. Now it is time to announce the winners. But first.

[More]

The new Fusion Authority Quarterly Update is out

NOTE: I have closed the comments on this post. The contest is over. I will post the winners soon.

It seems like not many people are talking about the new Fusion Authority Quarterly Update. It has been out for about 3 weeks, I think, and it seems that there is very little buzz about it. So I thought I would generate some.

This is a little self-serving, as I have two articles in the newest version, but I don't mind :) My two articles are in a new "Let's Talk Security" column. They are "Application Security Primer" and "SQL Injection: A Persistent Threat". I was very excited to be asked to start writing for FAQU and I hope to be able to contribute more.

In addition to my two articles, there is some amazing content from authors like Todd Sharp, Ray Camden, Terry Ryan, Mark Kruger, Mike Brunt, Mike Henke, Charlie Arehart, S. Isaac Dealey, Pete Ruckelshaus, Adrian J. Moreno and Mark Phillips. And I am especially looking forward to reading Dave Konopka's "SOA for the rest of us".

To help bring attention to the new Quarterly Update and to generate some buzz, I am going to have a little giveaway. I like to do giveaways once in a while. It is fun. Judith and Michael at House of Fusion have graciously offered two 1-year subscriptions of the Fusion Authority Quarterly Update for me to giveaway.

So on Friday of this week (only three days from now) I am going to give away two 1-year subscriptions to the Fusion Authority Quarterly Update.

[More]


BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.