Key Takeaways from Summit Presentation

• Hashing = Integrity, specifically for passwords

If available, use the SCrypt (preferred) or BCrypt algorithms for password hashing and storage. Otherwise, use SHA-512 with 600,000 iterations or more and add a unique salt per password. Consider adding pepper before hashing for additional protection. Don’t use weak outdated defaults such as MD5, SHA1, etc.

• Symmetrical Encryption = Data protection at rest

Use AES unless you need compatibility with another application Use a 256 bit key unless a weaker key is needed for compatibility Use the correct block mode for your data Avoid ECB if possible; it exposes patterns in your data (default if “AES” is specified with no block mode) Use CBC mode for short data like PII or credit card numbers (most secure: “AES/CBC/PKCS5Padding”) Use CTR or GCM for larger data like documents (balance of speed and security: “AES/CTR/NoPadding”) Generate and specify your own IV when possible for better compatibility

• Key Management

Never store encryption keys with encrypted data unless they themselves are strongly encrypted with a KEK. Never store secrets in code; accidental leaks from GitHub are more common than you think Keys should be stored securely using an HSM if possible, otherwise a Cloud-Based Vault.

• Credit Card Numbers

Don’t store unless you really need to. Use strong encryption; AES-CBC w/256 bit key. Use KEK for card keys

Notes from Podcast

• Password4J Library – Ability to get access to Argon2id in ColdFusion – https://password4j.com/

Iterations for hashing

• Allows you to do more as computers get better.

• Tradeoff between performance and security.

• Goal is to keep hashing to 500ms.

• Create alerts if hashing starts to take less time so you can increase your iterations. This way you don’t have to go back and check your code.

SCrypt / BCrypt

• Adobe does not include version in string of Script

• Different implementations of SCrypt do their own variations

• Data is embedded in SCrypt and BCrypt so verify function does not need separate functions for each version or workload

Session Management

• Both Ben and Justin use their own session management

• Redis Session Blog – https://blog.xbytecloud.com/optimizing-coldfusion-performance-reliability-and-scalability/

Should you roll your own auth?

• You can do your own authentication (“auth”)

• Businesses are often requesting to use existing single sign-on authentication (Microsoft/Google/Octa)

• Is single factor authentication ever allowed – yes, depends on application and security. If no personally identifiable information or credit card info stored

Should you roll your own credit card processing

• Almost always no

• PCI-DSS requirements a lot lower

• Even temporarily storing your info to pass to someone authenticating, your application is still in scope of PCI-DSS

• Never store credit card numbers, even encrypted

Changes to Adobe ColdFusion around encryption

• Blog post about changes: https://blog.xbytecloud.com/recent-adobe-coldfusion-2021-2023-updates-real-world-experiences/

• You shouldn’t follow the path of least resistance by overriding and using the old defaults

• Idea for secure by default – puts more control in the hands of CISO or Security Officer – need to check something to allow security

Passkeys

• Because everyone uses multiple devices, need methods to use passkeys other places

• Not all applications share passkeys between devices

• Many websites don’t allow multiple passkeys per account so you can only login on a single device – can be very confusing

• Designed to have proof of presence using biometric authentication

• Not everyone doing the biometrics, 1password has super long master ley to set up new device but it is still a password and not as good as biometric authentication

• No internal support in Adobe ColdFusion – Justin is working on library to allow it in CF