Software Development, Web Design, Training

Oct-25-2015

CFCamp Notes - Adobe Keynote, Rakshith Naresh

Adobe keynote -- Rakshith Naresh

20 years of ColdFusion
Differences in the average PC then and now:
250x more processing speed
1000 x memory

70% of Fortune 100 companies use CF
100% representation w/ top 20 banks
90% representation in gov't departments

security --
has been a major driver
improving in 3 ways
language
infrastructure
resources

(all of this is already in CF11)

lang
owasp
esapi
anitysamy CSRF token pattern
session rotation
CSRF protect for tags header/content/mail

infrastructure
secure by default
secure profile
-- basically the first part of the CF lockdown guide is done already for you upon install
security sandbox

audit logs
password and css protection
updated crypto libraries

the nature of CF used in large enterprises still bank heavily on CF, they need it to be secure

Resources
AdobePSRT - Adobe's security team
-- security exports
advise the CF team on latest security standards

testing processes
-- revamped based on recommendations from PSRT

knowledge and training
-- entire team goes thru certification so when new features are built, they are secure

security related bugs prioritized
-- they get #1 priority

3rd party audit

in version 11 --
CF11 has web socket supports
HTML5 charting backed in
Mobile App Dev workflow
Language
--CFscript support
--OAuth2 suppor
-- member functions
json enhancements
closures

high performing PDF engine
pixel perfect HTMl conversion to PDF
e-signatures
DDX support
-- document description xml
PDF archiving
-- for future use, so the PDF can be opened 20 years from now.

version 12 stuff --
performance
security
pdf
language improvements
API mgmt

performance--

security --
built-in security code analyzer in CF12!
in CF Builder
can scan any app (legacy apps), perform sec. analysis and get a report down to the line numbers of where the issues are located.
sql injection
xss
crsf
and various others
if you have lots of legacy apps, you can quickly perform a scan and see if they're prone to vulnerabilities

CFIDE -- scripts have been removed. CFIDE access removed from the web server

NTLM support
cfsharepoint, cfinvoke, cfobject
more stuff coming too

PDF
sanitization.
if your PDF has meta data related to your company, you should remove that info when making the PDF public. action=sanitize will strip all off the potentially sensitive info so it's ready for public use

redaction -- select an area in the PDF and redact it

import/export meta data -- programmable in/out of a pdf
can also also import/export comments into the PDF
archive
-- PDF 2B standard format supported in CF12

language improvements --
(not a complete list)
safe navigation operator ?.

ordered structs
StructNew("ordered")
(cute but why not just use an array or stack? what is the benefit?)

sorted structs
StructNew( "sorted", "desc" )
alpha sorts based on the keys
*** can attach a closure to do custom sorting!

passArrayByReference setting
(by default this is false)
true -- gains some performance benefits

searchImplicitScopes setting
improve performance.

CLI
don't have to have CF server running.
can run CFM from the command line
via .BAT file
cf.bat test.cfm foo bar
can invoke web services from command line
read from the command line
CLI scope
can redirect errors to a file, all the usual command line >> << stuff

API management --
programmable web
***repository for programmable APIs

75% of Fortune 100 companies will have APIs by end of this year

#1 reason for APIs - mobile enablement
#2 -- it drives internal innovation, share data between departments, etc. Benefit: reuse and reduction of costs
#3 customers can add functionality on top of what you already provide
#4 new source of revenue -- can charge customers for that API

SOAP to REST translation
1 time config setup
to map the legacy SOAP to REST format and then it's done
(what if the SOAP packet is dynamic? is that a legit concern? it's been ages since i've used SOAP)

(first demo of API mgmt gateway.)
API Administrator
separate from CF Administrator

Swagger
descriptor for rest api
like WSDL is for soap web services, but for REST

cf summit
more than 500 expected attendees
("no promises but we might have a cf summit europe at some point")

CF Aether, code name for version 13
too early for details right now