Who's Had More Vulns Redux- PHP, Java, ColdFusion, ROR, or .NET?

Posted by Brad Wood
Aug 31, 2016 15:33:00 UTC

Adobe released some new security updates for ColdFusion 10 and 11 yesterday.  This brought with it the usual flurry of Twitter activity from security-minded accounts who pounce on the opportunity to retweet every vuln report on the internet.  It's too bad no one takes this much effort to focus on positive news from other languages.  Among the landslide of tweets were also a few people poking at ColdFusion, such as this person who went as far as to say businesses should scrap all use of Adobe products in general due to the number of vulnerabilities.

CFML & CommandBox, Tools Of Biblical Proportions

Posted by Brad Wood
Feb 06, 2015 06:37:00 UTC

In the beginning was the Web, and the Web was with CFML, and the Web was CFML. It was with CFML in the beginning. Through it all websites were made; without it no websites were made that had been made. In it were tags, and those tags were the productivity of all programmerkind. The productivity shone in the darkness, and the darkness did not overcome it.

Ok, maybe I'm overstating CFML a bit, but when it was created it was revolutionary.  It redefined how websites were built and set the bar for other web programming languages.  And though CFML led the pack for a while, there were soon others to follow.  These languages were also productive, came with compelling frameworks, and made building sites fast and fun.  Many of these servers were also free and open source and around them large communities grew.  

It's Time You Looked At ColdBox 4

Posted by Brad Wood
Jan 24, 2015 03:10:00 UTC

Yes, that's right.  Wherever you are and whatever you're doing, it's time you had a look at what's happening over in ColdBox 4.  I'm just giddy about our newest release of the most-advanced CFML MVC platform.  If you want to read all the details of what makes ColdBox 4 absolutely slap-yo-momma amazing, you can read the press release over on the engineering blog or the What's New guide.  

Even if you are using an older version of ColdBox, we're re-imagining the way CF apps are built and I think you want to be onboard.  This is my personal blog though, so here you'll find my candid, personal, and extremely biased opinions on why you're doing yourself a disservice if attempting to build meaningful ColdFusion applications in 2015 without ColdBox 4.0.  Fair warning, I'm about to tell you how I really feel :)

CFML, Good Discussions, And Misinformation

Posted by Brad Wood
Jan 15, 2015 00:33:00 UTC

So this blog is a bit of a spill over from a Twitter conversation I had today with Stefan Mischook, a PHP programmer and maker of all sorts of training videos at www.studioweb.com and www.killersites.com.  A few years ago, Stefan uploaded a video blog to YouTube titled "Should you learn Coldfusion?" (sic) where he presented a not-so-glowing review of ColdFusion through the lens of circa 2003.  I've seen the video before come up in YouTube searches.  Part of that is a testament to the pathetically small amount of actual CFML content on YouTube.  While I've recorded a number of screencasts and webinars that are posted online, they're all on Vimeo or Adobe Connect so alas I'm not contributing to that specific site.  

What Languages Did You Use This Year? (Vote For CFML)

Posted by Brad Wood
Dec 30, 2014 23:27:00 UTC

There's an interesting project going on over at code2014.com to see what languages were used the most this year.  Now, I have to preface this by saying that I generally dislike these sorts of popularity contests.  They give the appearance of something statistical, but only represent the subset of the population that's exposed to them and bothers to vote.  Perhaps I'm also just bitter since CFML seems to get shafted by a lot of these sorts of things.  (See the TIOBE index for details.)

But nonetheless, I've thought a lot recently about the declining mindshare of CFML in the eyes of other developers (or the complete lack of knowledge of it in some cases).  This is easily evidenced by attending a non-CFML conference and telling people that you're a ColdFusion programmer and observing the disbelieving stares.  So, I think it's in our best interests to increase the presence of CFML on the Internet in circles outside of ours where we all know it's a great, modern language used by many.  It's honestly hard to blame people for asking if anyone still uses CFML when they literally haven't heard a mention of it in 5 years.  News like the recent addition of Railo to Bitnami was huge for CFML and I was happy to see the CFML community gathered and voted it straight to the top for the entire month.

So, go vote.  Right now.  It's easy: just tweet out the names of all the languages you've used this year with the hashtag #code2014 somewhere in the message.  At first, they didn't even have ColdFusion or CFML on the list, but were quick to add it after several people on the Internet brought it up.  I'm unclear on whether they're counting "CFML" or "ColdFusion", so you might add both just for good measure.

---------------------------

Update: Hybrid Group confirmed they are looking for both CFML and ColdFusion in their search:

https://twitter.com/hybrid_group/status/550060557596766209

Who's Had More Vulns- PHP, Java, or ColdFusion?

Posted by Brad Wood
Jan 30, 2014 06:53:00 UTC

Update: There's an updated blog post with more current results here: 

http://www.codersrevolution.com/blog/whos-had-more-vulns-redux-php-java-coldfusion-ror-or-net


I get tired of people complaining about ColdFusion as a technology choice because it's "so insecure".  I am regularly told that it has more holes, more vulnerabilities, and a worse track record than other platforms.  That's why I compiled this quick chart showing the number of Common Vulnerabilities and Exposures (CVE) by year for CF as well as PHP and Java (as reported by cvedetails.com), which are two of the most-used languages on the web.  I also threw in Apache Tomcat for comparison since it competes in the web space and CF10 actually runs on a version of it.

[Chart: CVE counts per year for PHP, Java, Apache Tomcat and ColdFusion, per cvedetails.com]

So to break this down: the red line riding out on top with a huge spike in 2007, that's PHP.  The purple line coming out of the backfield for a solid lead (?) at the end is Java.  The yellow line is Tomcat, which still manages 10-15 vulns a year (and is the only one to go LOWER than CF).  And that green line on the bottom with the lowest number of vulns every year, and nothing even reported until 2006: that would be CF.

So, sure, there's a lot more info than just the counts on the chart.  My point also isn't that PHP or Java are bad; I'm just trying to make the point that oft-used technologies are targeted by crackers and nobody is perfect.  And according to this data, CF is doing way better than several of the main techs out there.  It should also be noted that CF, Java, and PHP were all created the same year, 1995, so don't give me any of this "old" crap either.  (Tomcat was created in 1999.)


My "One Tough Puzzle" JavaScript Brute Force Solution

Posted by Brad Wood
Sep 30, 2012 04:20:00 UTC

So, I've been sitting on this for months (because I'm lazy) and decided it's finally time to post it. My mother-in-law visited a while back and brought a puzzle for the kids to play with. It's called "One Tough Puzzle". It claims to have "more than 300,000 wrong ways, but only one right way to assemble it." Well, after fiddling with it for a while, I did what any code-blooded hacker would do and wrote some JavaScript to brute-force solve it.

Call to Arms: We All Need to Evangelize

Posted by Brad Wood
Aug 25, 2012 05:28:00 UTC

Prior to this week, there were Wikipedia entries for MockBox, CacheBox and WireBox, but they've all been deleted by Wikipedia. There still is an entry for the ColdBox Platform, for now. It's also been marked for deletion. So has the FuseBox page. The main reason for the deletion notices is that those articles don't have enough notable third-party references to support them. Wikipedia moderators say those topics just don't have enough articles, news, and books written about them OUTSIDE of their own community, or, for that matter, the ColdFusion community.

ColdBox 3.0 Has Gone Gold!

Posted by Brad Wood
Mar 30, 2011 19:34:00 UTC

I am very excited to announce that ColdBox 3.0 has been officially released. After 6 milestone releases and 2 release candidates it is finally complete. I am especially proud to see this since a number of fixes and code submissions of my own have worked their way into the ColdBox framework, Sample Apps, and Builder Extensions over the past 2 years. A brief list of new features in ColdBox 3.0 includes:

ColdFusion's Heartbeat

Posted by Brad Wood
Jan 23, 2010 08:50:00 UTC

I jogged down the stairs, one arm over my head, as I pulled my coat on a sleeve at a time. Fishing the car keys out of my pocket with one hand, I leaned over my computer to tap in my e-mail password with the other. "Wow, 41 unread messages in the CF-Talk folder," I thought. "There must be a hot new topic on the list today." With a click I watched the new thread flow in. "Why i fear ColdFusion is on its last legs" "Oh geez," I sighed, "please not with this again!" There wasn't time to read all that right then. I'd have to catch up on this one later in the day when my absorption rate was higher.
