
ColdFusion and Application Security

    

Contrast Now Supports Securing ColdFusion!
Even before adding support for .NET, the Contrast team had planned to support ColdFusion. Let's go through our preferred customer checklist:

  • Smart community: Check.
  • Enterprise developers: Check.
  • Security aware: Check.
  • Not a lot of great options for security automation: Check.
  • Runs on the JVM: Check.

We knew it was a great fit. But when we set out to support ColdFusion, we considered something that others didn't.

Our research has shown that most of the breaches in ColdFusion apps were actually due to vulnerabilities in the ColdFusion platform, and not necessarily from mistakes made in the custom code that developers write.

So in designing our ColdFusion agent, we went in with the attitude that finding vulnerabilities both inside the ColdFusion platform *and* inside custom ColdFusion applications was necessary. When we run our Contrast agent on a fresh, out-of-the-box ColdFusion 9 app, Contrast tells us we should quickly install several hotfixes.


We knew that static tools have never really had great support for ColdFusion. Some companies are scanning ColdFusion code, but they can't detect vulnerabilities in your ColdFusion platform itself because they don't have access to it! Contrast has a history of detecting vulnerabilities regardless of whether or not you own the code yourself - because you own the risk, regardless of who owns the code.

We're ready to help! We've completed our first round of beta testing, and we have a challenge for any ColdFusion developer wondering about their application security: Contact us to learn more!

Arshan Dabirsiaghi, Co-Founder, Chief Scientist


Arshan is an accomplished security researcher with 10+ years of experience advising large organizations about application security. Arshan has released popular application security tools, including AntiSamy and JavaSnoop.