So next week an "Information Security and Compliance Company" is doing a 16 hour "Application Penetration Test" on an application we developed. It's on a dedicated server with all the latest patches and is on lock down with IP address validation through the firewall. We have made sure every query is protected from SQL injection attacks and made sure any file uploaded to the application is uploaded outside the root and can not be called from a URL. We think we have covered all the bases, here is a list of what the application will go through.
Cross Site Scripting
Hidden Variable Manipulation
Now some of these are basic security 101, and ColdFusion has lots of tools to address the attacks. Has anyone ever gone through this? If so what type of things were found? Can anyone give me any suggestion of things to check?
If your one of the cools kids and have a Mac (sorry windows guys) and you need to connect your development environment to a MSSQL server it's really easy. There are lots of guides out there on connecting ColdFusion to MSSQL but if your connecting from OS X server to Windows server there are 2 settings you need to check.
First once you log in to your development server under Object Explorer right click on the server name and click Properties. Under Security make sure "SQL Server and Windows authentication mode" is checked. Next click Connections and make sure "Allow remote connections to this server". If you setup you users and DB correctly you should be able to connect.
Two times this year I have wiped windows box and 2 times I wasted hours connecting to MSSQL from my iMac. I'm going to be adding more tips to help me and anyone else in the future.