Why Is ColdFusion Security Important?
Today's Web applications offer unique opportunities from e-commerce to global
communication and collaboration. Today, developers and administrators alike must
concern themselves with issues of security. The nature of the Web—global access,
ease of connectivity and interaction, and lack of any real control over clients—
creates an environment where application misuse or abuse can flourish. As a result,
almost any discussion of Web applications and data integration quickly becomes a
discussion of security. Web developers must fully understand the security risks that
could affect their applications so they can address legitimate concerns while
ignoring the tabloid-style hype that sometimes surrounds any mention of Web
security.
All Web applications can potentially fall victim to these security breaches:
Snooping and eavesdropping The risk that someone could "overhear" data
being sent over the Web is a primary concern when applications send
confidential data, such as credit-card information, over public connections.
User impersonation Without proper authentication control, non-trusted users
can gain access to secure information by impersonating trusted users. Someone
who successfully impersonates a trusted user gains access to anything that
user was authorized to see or download.
Unauthorized access The risk of exposing sensitive information to
unauthorized users is the biggest and most complex security risk, because the
Internet effectively links every computer to one large network. Completely
allowing or disallowing access to a given system or data source remains relatively
straightforward; allowing the partial access that is required for an application to
be useful remains risky. For example, it is easy for a large bank to publish a public,
freely accessible site where no individual account information is available, but it is
much harder for the bank to create an account maintenance site where each user
has exclusive access to his or her own accounts.
ColdFusion is a proven, highly secure environment for Web application development
and deployment. ColdFusion can help you reduce these security risks:
Encryption ColdFusion supports the Secure Sockets Layer (SSL) protocol, which
protects against snooping and eavesdropping, and detects message tampering,
while information is passed between clients and servers. SSL is negotiated by the
Web server in front of ColdFusion; it protects data only while in transit, not once it
is stored on the server. For more information, see "Data encryption" on page
Authentication Authentication means making sure someone is a valid user of
the system. Authentication involves prompting a user for a unique identifier, such
as a login name, and some form of verification: information that no one other
than the user should know, such as a password or personal identification number
(PIN).
Access control Authenticated users are granted access only to particular
features or components, based on security clearance, group affiliation, or other
criteria specified by the developer. Authentication establishes who the user is;
access control decides what that user may do.
ColdFusion 5 Advanced Administration, Chapter 3 ColdFusion Security