On the CFUN-04 Beat: Matt Liotta on Security

 
Mar 16, 2004
With computer security in the news, Michael Smith decided to talk with Matt Liotta about his CFUN-04 presentation on "Security".

Michael Smith:
Why is security important for programmers? Isn't this a network administrator subject?
 
Matt Liotta:
Well, if there are any administrators in attendance, I am sure they will benefit from this presentation. However, this presentation is really meant for programmers. How we write code makes a big difference in the overall security of an application. Unfortunately, many programmers miss the potential security problems in their applications simply because they don't know any better. Or worse, they go to extraordinary lengths in the name of security only to miss subtle exploits that invalidate all their work.
 
MS:
That sounds like a lot of work!
 
ML:
Great security takes a lot of work, but good security can be achieved with a little insight that takes almost no extra work at all. In my presentation, I'll explain how certain practices can be adopted that in the end take no extra effort, but pay off big in terms of security, and have side benefits such as performance and robustness.
 
MS:
That is a relief. But what about password protection of sites?
 
ML:
While that is a pretty well understood topic, there are lots of different ways to attack the problem, each with their own implications that one may not be aware of. In fact, now that you bring it up, it is a pretty important topic that I fail to address in my presentation. I'll make sure to update my presentation to cover this information, though, so if you are interested in this topic, I guess I'll be seeing you at my presentation.
 
MS:
That is cool! What about cookies and session variables? Is there a security risk there?
 
ML:
Like anything, it all depends on how you make use of things. Are cookies inherently risky? No, but they certainly can be. I think we have all heard the stories about early e-commerce sites that stored pricing information in cookies, allowing people to buy items at a lower price simply by changing their cookies.
 
MS:
Ouch! And I have heard that even prices in form variables are not safe. So will you show people how they can protect their e-commerce pricing from hackers like that?
 
ML:
My presentation doesn't really focus on different variable scopes, but instead provides a wealth of information on how to appropriately make use of the different scopes. Certain practices can apply to multiple scopes, so it is much better to understand why they apply to those scopes than just to provide a set of rules for each scope.
 
MS:
What about URL variables? Are they hacker-proof?
 
ML:
Again, it is not about individual scopes, but understanding the implications of how you use all scopes. Additionally, it isn't really about making things hacker-proof or even, the more appropriate term, cracker-proof; it is about making sure your application is designed in a way that doesn't allow users to make use of it in ways not intended. You don't have to be a cracker to manipulate cookie, URL, or form variables.
 
MS:
Will you have code samples that we can copy in your talk?
 
ML:
Not directly, no, but certainly code will be shown.
 
MS:
That sounds cool - I think I will be able to improve the security of my sites after coming to your talk! Thanks for talking with me.
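
The cookie and form-variable price tampering Liotta describes above, worked through as an added example; this is not code from the page or from his presentation, and it is written in Python rather than ColdFusion so that it runs stand-alone. The catalogue, prices, server secret, and request strings are all constructed for the demonstration. The vulnerable handler trusts whatever price the client sent (cookie first, then form), so the shopper sets their own price. The hardened handler accepts only a SKU and a quantity from the client, looks the price up server-side, and bounds the quantity, so editing cookie, form, or URL variables cannot change what is charged. For state that genuinely has to travel in a cookie, the last two functions show the usual fallback: sign the value with an HMAC so that an edited cookie is rejected on return.

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed sample catalogue, prices in cents. Hypothetical; not from the page.
CATALOGUE = {"SKU-100": 4999, "SKU-200": 1299}

# Hypothetical server-side secret. In a real deployment load it from
# configuration; never embed it in source like this.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def parse_cookie(header):
    """Minimal Cookie: header parser, just enough for the demonstration."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def checkout_vulnerable(cookie_header, form_body):
    """The early e-commerce mistake: the price is read from client-held state.

    The cookie value wins over the form value, but both are under the
    user's control, so the user decides what they pay.
    """
    cookie = parse_cookie(cookie_header)
    form = parse_qs(form_body)
    qty = int(form["qty"][0])
    price = int(cookie.get("price", form.get("price", ["0"])[0]))
    return price * qty


def checkout_hardened(cookie_header, form_body):
    """Only an identifier and a quantity are accepted from the client.

    The price is a server-side fact derived from the SKU, so cookie, form
    and URL variables can be edited freely without changing the total.
    """
    form = parse_qs(form_body)
    sku = form["sku"][0]
    qty = int(form["qty"][0])
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # cookie_header is deliberately not consulted for pricing.
    return CATALOGUE[sku] * qty


def sign_value(value):
    """Attach an HMAC so a cookie that must carry state can be checked on return."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify_value(signed):
    """Return the value if its HMAC matches, otherwise None (constant-time compare)."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def demo():
    """Run an honest request and a tampered one through both handlers."""
    honest_cookie = "session=abc123; price=4999"
    tampered_cookie = "session=abc123; price=1"     # user edited the cookie
    form = "sku=SKU-100&qty=2&price=4999"
    tampered_form = "sku=SKU-100&qty=2&price=1"     # or edited the form

    results = {
        "vulnerable_honest": checkout_vulnerable(honest_cookie, form),
        "vulnerable_tampered": checkout_vulnerable(tampered_cookie, tampered_form),
        "hardened_honest": checkout_hardened(honest_cookie, form),
        "hardened_tampered": checkout_hardened(tampered_cookie, tampered_form),
    }

    # Signed client-held state: editing the payload invalidates the MAC.
    signed = sign_value("cart=SKU-100:2")
    results["signed_ok"] = verify_value(signed)
    forged = "cart=SKU-100:200" + signed[signed.rfind("."):]
    results["signed_forged"] = verify_value(forged)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable total dropping from 9998 to 2 cents when the cookie is edited, while the hardened total stays at 9998 for both requests; the forged signed cookie verifies as `None` and would be rejected. The same rule applies to every scope Liotta lists: the client may name what it wants, but the server decides what it costs.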
 

Matt Liotta started his development career at the age of twelve by building C applications for faculty at Emory University. He built his first web page soon after the release of Mosaic 1.0. Excited by early web applications, Matt saw the potential to replace legacy client-server applications. At Emory University he built an enterprise calendaring system, the faculty poster project, a Y2K compliance tracking application, and a prototype for an electronic research administration system. Since then he has worked with an early application service provider, Cignify, to build its transaction processing system for payroll time data.

Matt did consulting around San Francisco for companies such as Williams Sonoma and Yipes Communications. Soon after, he built gMoney's Group Transaction System using an innovative XML messaging architecture that conceptually matches the now-popular web services paradigm. Later, at TeamToolz, he designed a highly secure and scalable network architecture to support N-tier, transport-agnostic distributed applications. He then went on to implement a cutting-edge content management system for DevX. He is now President and CEO of Montara Software, which he founded recently.

