With the modernization of Adobe ColdFusion, we are witnessing some major improvements in many fields. Security is just one of many. Auto Lockdown features, Containerization and many more are visible as well. Let’s dive in and see what make CF modern and reliable.
Security concerns are an important part of any programming language. No platform is 100% secure. But there are many tools and best practices out there to help you be as secure as you can be. Keeping a tight grip on security measures is pivotal to keeping CF alive. Nobody wants to use a very insecure development platform.
With the release of ColdFusion 2018 came a new wave of security improvements. The new auto lockdown feature is one of them. This is a great new feature for those with security concerns. The days of having to manually lock down your server are in the past. With the new auto lockdown feature, you can implement lockdown of your production server with one simple click. Full lockdown procedures will be systemically applied making sure all security measures are fail-safe and within compliance. After the lockdown, all systems are continuously monitored for breaches and potential security threats.
Official Lockdown Guides
For those who prefer to lockdown their CF server manually there are the still the official ColdFusion Lockdown guides. A lot of CF developers don’t even know they exist. Or do but don’t use them in detail. They were written with the help of CF Security Guru Pete Freitag. The lockdown guides are free PDF downloads that show step by step procedures on locking down your server for tight security. Complete with screenshots. They cover everything including Apache and IIS. If everybody were to follow the guide, most ColdFusion hacks would not happen in the first place.
Security Code Analyzer
Adobe also released a new Security Code Analyzer. This is another top-of-the-line security update from Adobe. Every CF expert knows the weight that a great security system can carry. This tool pushes levels of security to a new level. It automatically scans and searches your application code for any existing security vulnerabilities and any potential security breaches. It determines the exact vulnerable code, type of vulnerability, and severity level. After all of that, the analyzer presents you with the option of removing and repairing the problem via recommended means. This may be the security tool that we have all been waiting on.
Maintain Consistent Server Architecture
This may seem like a no-brainer, but you would be surprised how many do not follow this simple best practice. You should maintain consistency throughout the development, testing, and live phases of your project. If you don’t have consistent development, testing, and production environments, you will constantly be fighting an uphill battle. A systemized workflow decreases your cost of time and money. It also increases your security and application performance.
Related Article: 11 Best Practices for a new Adobe ColdFusion Project
Clean up unused deadwood code
Unused old code and even whole directories of “deadwood” not only create maintenance confusion, but they are also a security risk. Often older code is less securely written. Or might be a test version that comments out login checks. In my experience hackers often penetrate a CF server via deadwood code.
The solution? Take the time to clean it up. And even better use a modern development workflow with Git that does not even copy test code to your production server.
You can increase CF server security even more by using CF security expert Pete Freitag’s tools
What does it mean to have a reliable CF server? Reliability refers to the server’s ability to perform consistently according to specifications. Reliability is extremely important for ColdFusion. It can be accomplished in many ways.
• Defensive coding, checking parameters against allowed ranges or values helps bugs from spreading between modules.
• Using good CF error handling stops errors from totally destroying your user’s experience.
• Over-engineering servers with more RAM, CPU than the minimum you need.
• If you host with an ISP then use a dedicated or cloud hosting option rather than shared.
• Clustering several servers using a load balancer, so if one goes down due to a crash or applying updates the other servers in the cluster keep your app live. You can cluster both CF server and database servers.
• Hot backup of code and data
• Regularly applying updates and hotfixes
• Testing new code and updates on a staging server before deploying to production
• Separating different apps or even parts of the same app between different instances of CF (on ColdFusion Enterprise) or on different servers increases reliability. If one app or part of an app crashes it doesn’t affect the others.
• Containerizing your CF apps using Docker in the Cloud with auto scaling and auto failover adds to reliability.
A reliable server can make sure that your CF application runs the way it is supposed to. 24/7. By maintaining reliable CF servers, CF can be more alive by building trust amongst users and fellow ColdFusion developers.
“We’ve got some massive applications that are being built, that are driving business and really critical business for heavy hitting companies, right. And I think that’s where I’m proud to be a part of this whole initiative and I think that ColdFusion is certainly not dead and it’s growing for us. And it is a technology that I think people need to try it before they go ahead and put it down.” — Elishia Dvorak, Technical Marketing Manager at Adobe
From CF Alive episode, “030 Everything CF Summit That You Need to Know, with Elishia Dvorak”
Scalability means your CF app and server infrastructure can easily handle the extra load. Scalability is extremely important for mission-critical CF projects. You want your CF apps to be able to handle any amount of traffic that they come across without slowdowns or even worse server crashes. Scalable applications keep ColdFusion alive by providing you and and your clients with reliable performance. Without scalability, your CF app would be useless under peak load.
Many of the reliability tips above help with scaling.
Writing code and designing your database for scaling is also key. As is CF and JVM configuration. All CF servers need tuning to scale well.
To find out if your CF app and servers scale before they get hit with real load, I recommend that you load test them with simulated traffic. There are many load testing software tools that you can use. From the free Apache JMeter to thousands of dollars for Micro Focus (formerly HP and Mercury) LoadRunner.
You also want to simulate a realistic amount of test data. SQL statements that run fast with a hundred test rows of data may run slow as a snail when millions of rows are there. This also include coding a data archiving policy to move old data into backups.
With traditional dedicated CF servers you also need to do capacity planning. Figuring out ahead of time how many servers you need for different load levels. So that you can buy and set them up weeks before they are needed. Fortunately, there is a another free tool that you can use to make your servers auto-scaling. Docker.
So what is Docker? It runs your applications in virtual containers. It modernizes your legacy development and deployment processes. It makes your apps more reliable and scalable. Because when there is extra load, a new server instance can be automatically spun up in seconds. And if a server in your Docker cluster crashes, it too can respun up in seconds.
Docker has been around since 2010, but it has grown in the CF world in the last few years thanks to CF server images for it and the CommandBox tool for installing them in containers in seconds. (More details on CommandBox in the next chapter)
Containerization can do great things for you and your CF team:
• Speed up the App Building Process for New Developers
• Integrate Modern Methodologies and Automate Development Pipelines
• Infinitely Scale your Apps in the Cloud
• Provide an Integrated Security Framework
Building modern apps is a crucial process for the future. They allow your apps to be run across a complex-hybrid cloud environment. This allows for better DevOps, and builds CI/CD (Continuous Integration/Continuous Deployment) apps more easily. Along with these benefits, you can take advantage of new innovations such as architecting your app using microservices.
Docker vs Vagrant
Some CFers use Vagrant for virtualized machines. But, there are huge advantages of Docker over Vagrant.
If you are managing multiple VM’s, then maybe Vagrant is for you. But for most CFers, making the switch to Docker is the logical choice. Docker Containers can manage your apps much more efficiently and save resources while doing so.
Why use CF in the Cloud?
Docker makes it easy to run CF in the Cloud. So why is using a CF in the cloud great?
• Lets you get your applications up and running with minimal upfront cost of new dedicated servers.
• Allows for great immediate scalability of your application.
• Improves operational efficiency, productivity, and agility
These can all be accomplished through using Docker with any cloud provider such as
Adobe and Docker
While Ortus CommandBox has provided unofficial CF images for Docker for several years, the official Adobe Docker image for CF 2018 just came out. However, Adobe fell short on cloud pricing because it still uses perpetual pricing on most cloud providers (ie you pay by the server). So if you need ten extra CF containers for 3 hours during the SuperBowl ad that your company displays, you need to pay for ten extra ACF licences — rather than the more common cloud pricing model of paying by the hour of use. This gives the free open-source Lucee a tremendous advantage for auto scaling. The only form of cloud pricing available for ColdFusion currently is via AWS (Amazon Web Services) Marketplace. This is pricing in which you pay by the hour. Adobe could help keep CF more alive by teaming up with Docker and providing cloud pricing on all cloud providers.
One big issue CF developers have is choosing their form of deployment. The most popular option is for In-House hosting. But the trend is to outsource hosting to an ISP or the Cloud. Here are the options:
• Shared Hosting
• Managed Servers
• Dedicated Machines
• Cloud hosting
To put this in a metaphor, shared hosting is like a hostel dormitory. You share a room with all the other people. If someone gets drunk and throws up on the bunk bed, you have a problem. A managed server is like an apartment complex where there are other apartments but they are walled off from each other. A dedicated machine is like having a detached house — you have to furnish it and fix the faucet when it leaks. Still some work, but you don’t have to worry about your bed being vomited on. Cloud hosting is like having a virtual dedicated house — one that you can instantly clone for more space when a horde of out of town guests arrive.
Flexible Container Cloud Hosting
As mentioned earlier, the number one solution for software deployment is containerization using Docker. There are several orchestration layer tools that you can use to make it even more powerful:
A Docker orchestration layers lets you configure your application load between containers. If it reaches a certain threshold, then orchestration can automatically deploy another CF server with your app code “pre-installed” in the image. There is automatic load balancing between all containers running your app. This gives an unheard of level of flexibility.
Modern Testing Environment
Using a modern testing environment is critical to keeping CF alive. The lack of a mature testing environment can lead to absolute chaos during the run-up to deploying new code. Minimize the amount of resources you will spend going back to revise broken code. This also prevents established bugs from spreading by detecting them early. There are many quality improvements that are made through using modern testing such as:
• Code Coverage
• Automated Testing
• Code Review
• Bug Modeling and Prevention
Use portable testing environments — such as CF Builder– as well. The benefit to using portable environments is making the reuse of the development environment configuration much easier.
A typical set up includes:
• A staging server where you test (ideally using Docker to mirror your production setup)
• A Continuous Integration tool such as Jenkins that automatically pushes new changes for testing
• Automated testing using TestBox
• Automatic reporting of any bugs and preventing buggy branches being merged into production code
Poor Testing and Deployment
Poor testing and deployment can trip up and injure a project on the last lap of the race.
Lucee is popular among the CF community due to its ease of use and it being free. According to the 2018 State of the CF Union, 40% of CFers use Lucee 5. That is an astounding number. Improving Lucee would definitely keep CF alive.
“We’re also a member of the Lucee Association, so I’m really proud to be involved with that and to help open source software stay alive and, perhaps, one day, that side of CFML will be what keeps CFML alive. That’s what I hope. I hope Adobe ColdFusion never does drop it and that it remains strong and all of those things, but for us, we’re really proud to be a part of that and to contribute to that to make sure it doesn’t die.” — Dominic Watson, Technical Director at Pixl8 Interactive
From CF Alive episode, “007 Marketing Automation using the Preside Platform with Dominic Watson“
Lucee contains everything you need as a developer to get started with ColdFusion and do much of what Adobe ColdFusion does. It runs most ACF code without change.
Lucee uses the same tag-based language as ColdFusion as well as a full set of script based features, therefore making programming easy. Using Lucee, promotes using CFML thus, promoting the use of Adobe ColdFusion as well.
Because it is free, Lucee tends to be where new CFML users tend to start. So supporting Lucee is a great way to help keep ColdFusion alive.
“More support of Lucee. I think there’s a very strong argument to be made that the most exciting things that are coming out of the CFML world are happening with Lucee. The pace of developments, the implementing of best practices, and from the broader software world. More of this is happening with Lucee. Of course, Lucee is more friendly to cloud environments just because of the fact that it’s an open source software product.” — Patrick Quinn, CoFounder, CEO and CTO of Webapper
From CF Alive episode, “039 CFML Secrets with Patrick Quinn (AWS, Lucee and SeeFusion)“
Free version of Adobe ColdFusion?
Some new users to CFML may be driven away by the cost of the platform (currently $2499 for Standard and $9499 for Enterprise edition). And perhaps they don’t feel that they would use all the features in CF 2018. Of course, the developer edition is free and you can host your CF apps at ISPs for low monthly fees.
One thing Adobe could do to keep up with Lucee and eliminate these problems is to promote their own free version. Call it CF Lite. This would have the basic necessities to use CFML. This could encourage beginner developers to use CF. After outgrowing CF Lite, users could be more motivated to swap over to the Standard or Enterprise editions.
It could also be given away as part of Adobe’s current education outreach program. Graduating developers would already be comfortable with the basics of CFML. This would make the transition into full Adobe ColdFusion that much easier. And this could help to combat Adobe’s losses to Lucee.
More Open Source CF Modules
More open source CF projects help other CFers develop apps faster. When you can plug in an existing tested module rather than coding it yourself, you save time and bugs. One of the best places to find open-source CF code is ForgeBox. ForgeBox has hundreds of modules for CF already and is growing. If Adobe were to show support to ForgeBox, CFlib and other CF code repositories, which would encourage more CFers to create new packages to share. That would help make CF more alive.
Join the CF Alive revolution
Discover how we can all make CF more alive, modern and secure this year. Join other ColdFusion developers and managers in the CF Alive Inner Circle today.
- Get early access to the CF Alive book and videos
- Be part of a new movement for improving CF’s perception in the world.
- Contribute to the CF Alive revolution
- Connect with other CF developers and managers
- There is no cost to membership.
Originally published at teratech.com on November 29, 2018.