CFCamp Notes - Adobe Keynote, Rakshith Naresh
October 25, 2015
Adobe keynote -- Rakshith Naresh
20 years of ColdFusion
Differences in the average PC then and now:
250x more processing speed
1000x memory
70% of Fortune 100 companies use CF
100% representation w/ top 20 banks
90% representation in gov't departments
security --
has been a major driver
improving in 3 ways
language
infrastructure
resources
(all of this is already in CF11)
lang
OWASP
ESAPI
AntiSamy, CSRF token pattern
session rotation
CSRF protection for the header/content/mail tags
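The CSRF-token and session-rotation pattern from the notes above, as an added CFML example (not code from the keynote). It assumes sessionManagement is enabled in Application.cfc and a hypothetical authenticate(username, password) helper that returns a user id or 0.

```cfml
<!--- login.cfm: added example of the CSRF token + session rotation pattern.
      Assumes sessionManagement=true in Application.cfc and a hypothetical
      authenticate(username, password) that returns a user id, or 0 on failure. --->
<cfscript>
formKey = "loginForm";   // token is bound to this key; a token issued for another form will not verify

if (cgi.request_method == "POST") {
    // 1. CSRF check: the submitted token must match the one CF issued for this session and key
    if (!structKeyExists(form, "csrfToken") || !csrfVerifyToken(form.csrfToken, formKey)) {
        getPageContext().getResponse().setStatus(403);
        writeOutput("Request rejected: invalid or missing CSRF token.");
        abort;
    }
    userId = authenticate(form.username, form.password);   // hypothetical helper, not a CF built-in
    if (userId == 0) {
        writeOutput("Login failed.");
        abort;
    }
    // 2. Session rotation: new session id on privilege change, so a pre-login (fixated) id is never reused
    sessionRotate();
    session.userId = userId;
    // 3. Output encoding (ESAPI-backed): never echo user input unencoded
    writeOutput("Welcome, " & encodeForHTML(form.username) & ".");
    abort;
}

// GET: render the form with a token tied to this session and key
token = csrfGenerateToken(formKey);
</cfscript>
<cfoutput>
<form method="post" action="#encodeForHTMLAttribute(cgi.script_name)#">
  <input type="hidden" name="csrfToken" value="#encodeForHTMLAttribute(token)#">
  <label>User <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>
</cfoutput>
```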
infrastructure
secure by default
secure profile
-- basically the first part of the CF lockdown guide is done already for you upon install
security sandbox
audit logs
password and css protection
updated crypto libraries
large enterprises still bank heavily on CF, so they need it to be secure
Resources
AdobePSRT - Adobe's security team
-- security experts
advise the CF team on latest security standards
testing processes
-- revamped based on recommendations from PSRT
knowledge and training
-- entire team goes through certification so when new features are built, they are secure
security related bugs prioritized
-- they get #1 priority
3rd party audit
in version 11 --
CF11 has WebSocket support
HTML5 charting baked in
Mobile App Dev workflow
Language
-- CFScript support
-- OAuth2 support
-- member functions
json enhancements
closures
high performing PDF engine
pixel-perfect HTML conversion to PDF
e-signatures
DDX support
-- Document Description XML
PDF archiving
-- for future use, so the PDF can be opened 20 years from now.
version 12 stuff --
performance
security
pdf
language improvements
API mgmt
performance --
security --
built-in security code analyzer in CF12!
in CF Builder
can scan any app (legacy apps), perform sec. analysis and get a report down to the line numbers of where the issues are located.
SQL injection
XSS
CSRF
and various others
if you have lots of legacy apps, you can quickly perform a scan and see if they're prone to vulnerabilities
CFIDE -- scripts have been removed. CFIDE access removed from the web server
NTLM support
cfsharepoint, cfinvoke, cfobject
more stuff coming too
PDF
sanitization
if your PDF has metadata related to your company, you should remove that info when making the PDF public. action=sanitize will strip all of the potentially sensitive info so it's ready for public use
redaction -- select an area in the PDF and redact it
import/export metadata -- programmable in/out of a PDF
can also import/export comments into the PDF
archive
-- PDF 2B standard format supported in CF12
language improvements --
(not a complete list)
safe navigation operator ?.
ordered structs
StructNew("ordered")
(cute but why not just use an array or stack? what is the benefit?)
sorted structs
StructNew( "sorted", "desc" )
alpha sorts based on the keys
*** can attach a closure to do custom sorting!
passArrayByReference setting
(by default this is false)
true -- gains some performance benefits
searchImplicitScopes setting
improve performance.
CLI
don't have to have CF server running.
can run CFM from the command line
via .BAT file
cf.bat test.cfm foo bar
can invoke web services from command line
read from the command line
CLI scope
can redirect errors to a file, all the usual command line >> << stuff
API management --
programmable web
***repository for programmable APIs
75% of Fortune 100 companies will have APIs by end of this year
#1 reason for APIs - mobile enablement
#2 -- it drives internal innovation, share data between departments, etc. Benefit: reuse and reduction of costs
#3 customers can add functionality on top of what you already provide
#4 new source of revenue -- can charge customers for that API
SOAP to REST translation
1 time config setup
to map the legacy SOAP to REST format and then it's done
(what if the SOAP packet is dynamic? is that a legit concern? it's been ages since I've used SOAP)
(first demo of API mgmt gateway.)
API Administrator
separate from CF Administrator
Swagger
descriptor for rest api
like WSDL is for soap web services, but for REST
cf summit
more than 500 expected attendees
("no promises but we might have a cf summit europe at some point")
CF Aether, code name for version 13
too early for details right now