Central Alabama ColdFusion User Group - 2010
Employment
- Browse "Local Sites" and ask individuals at a site near you how they found their job. Help us keep this list current.
- Look for the word "employment" below and in other archives. Let us know when you learn of opportunities you don't need.
- Or, simply contact the group managers.
4 November 2010 Meeting
Intercepting Proxy - Part 2 (Injection)
Now that the proxy is loaded, we'll compare notes on how we were able to use it over the past month. Remember that an intercepting proxy is essential to testing most web vulnerabilities. Not sure of this? Check out OWASP's testing guide at http://www.owasp.org/index.php/Category:OWASP_Testing_Project
7 October 2010 Meeting
MAC vs. PC
We loaded Web Scarab from Open Web Application Security Project (OWASP) http://www.owasp.org to use as an intercepting proxy. Imagine Marty's frustration when Don got his proxy working immediately on a MAC laptop but Marty couldn't get it working on his PC laptop before the end of the meeting! The Windows hardware insisted on a DLL that wasn't on the box and didn't seem available through the Internet: "WINlnet.dll". He looked in vain for "WINLNET.DLL", tried WinInet.dll instead, copied it into the same directory as Web Scarab, and it worked. Was this just a misunderstanding due to a capital "I" [sounds like eye] looking like a small "L" [sounds like "ell"]? We don't know, but this resolution seemed to work.
Intercepting Proxy
By the time we got the software installed and understood how to make the browser work with the proxy, the meeting was essentially over. It seems that while the browser is working through the proxy, the browser doesn't work normally. Duh!! OWASP gives great examples of what to test for, and we did see (on Don's MAC laptop) cookies, headers, and other things you normally don't spot through a browser. During the meeting, we didn't get to the point of injecting changes using the proxy. We'll have to share our experiences at a subsequent meeting.
2 September 2010 Meeting
Favorite Technical Sites
We surveyed sites that discuss ColdFusion techniques. Here are some you might find interesting.
We couldn't reach agreement during this meeting on which topic to pursue in October, but Marty later turned to Open Web Application Security Project (OWASP) and thought to experiment with an intercepting proxy.
No meetings in July and August!
Life happened to the manager and co-manager simultaneously. For the first time since March 2007, there wasn't a ColdFusion user group meeting in Montgomery. Don had a newborn in his family, and I got married!
3 June 2010 Meeting
Why was Marty distracted coming into this meeting? He was on the cusp of a marriage proposal. Now that his favorite person has accepted, maybe he'll be able to concentrate again. Then again, he has this stupid grin that won't wipe off, so we're not sure he's ready to come back to Earth yet.
What's the Buzz?...... ..... .... ... .. . Where's the Buzz?
Searching for ColdFusion in general brings back articles from 2005! Not enough is being written lately (good or bad) [not that we can think of anything bad about CF]. Or, it's not being linked to enough to attract search engines. There's no buzz.
It's unclear why this is so. Wikipedia makes the case that ColdFusion is MORE portable than Java. ColdFusion has gained in flexibility and power, and it was the best middleware in existence before now. And, it's free for development (and shared hosts make it cheap for the average joe's deployment).
So have all the interesting problems already been solved through the use of ColdFusion? Or have they gotten too big for a single person to write about?
6 May 2010 Meeting
Has ColdFusion Gotten Too Big?
Yes
One of the virtues of ColdFusion was that it hid details that could otherwise be misused and would have to be debugged. As ColdFusion has gotten larger and larger, the bulk of it has shifted from a declarative language to an object-oriented language, and much of the simplicity has been lost. It used to be that it almost served as its own pseudocode. You could show a functional the raw code, and the commands would be quickly understandable; only the functions would require explanation. Now, the trend is to write code that isn't self-documenting (to put it mildly). Since most of the cost of programming is in maintenance, not initial production, this is a sad trend.
No
As users demand more features, the language has grown to accommodate them. For example, many cross-site scripting attacks use scripts to send users' currently active cookies to a different site. A cookie's HTTPOnly attribute could stop this, but this attribute could not be set in older versions of ColdFusion except by using a custom header to create the cookie: not a simple process. CF9 permits it to be set through the CFCOOKIE tag just as for other attributes. Newer versions of ColdFusion support image manipulation directly instead of forcing programmers to switch languages to do this. The language has grown, but programmers can use (or misuse) its features as they wish. Complaining about language growth is rather like complaining about receiving an extra tool set for Christmas. Sure, you can get most jobs done with the tools on hand, but the new tools won't make it harder and may make the job easier as you get used to them.
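The three ways of writing the same session cookie, as an added example that is not from the meeting notes: the cookie with no HttpOnly flag, the pre-CF9 workaround through CFHEADER, and the CF9 CFCOOKIE attribute. The cookie name AUTHTOKEN and the variable session.authToken are assumptions for illustration.

```cfml
<!--- Added example, not from the meeting notes. AUTHTOKEN and session.authToken
      are invented names; in a real page only ONE of the three variants would run. --->

<!--- Weak: page scripts can read this cookie, so an XSS payload can send it off-site. --->
<cfcookie name="AUTHTOKEN" value="#session.authToken#" secure="true">

<!--- Pre-CF9 workaround: CFCOOKIE cannot add HttpOnly, so write the Set-Cookie
      header yourself and spell out every attribute the cookie needs. --->
<cfheader name="Set-Cookie"
          value="AUTHTOKEN=#session.authToken#; Path=/; Secure; HttpOnly">

<!--- CF9 and later: the attribute is a normal CFCOOKIE option. --->
<cfcookie name="AUTHTOKEN" value="#session.authToken#" secure="true" httponly="true">
```

Whichever variant you use, the resulting Set-Cookie response header is exactly what the intercepting proxy from the October and November meetings shows you, so that is the place to confirm the HttpOnly flag actually went out.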
8 April 2010 Meeting
Life Balance
Programming is fun, and you often get paid for it. However, it shouldn't be all you do. Remember the song in which the person telling the story speaks of getting up at night to work on a song while his love wishes he'd come back to bed. He says he'll be right back, but he keeps on working. Programming can be that seductive and just as destructive to relationships if we let it go that far.
Just as some forums have a separate section for all the off-topic stuff, we wrestled with life. One of us is dating again after the death of his wife. Another is preparing with his wife to welcome a new baby.
A couple of quotes (researched later) reflected our mood. Carl Sandburg reminds us: "Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you." [multiple sources] When we work to prioritize our lives, we have to consciously set aside time for those we love and refuse to say "yes" to every opportunity that comes our way. We can't help everyone, and we can't do everything, but we can build up treasure that moths and rust won't corrupt and no one can take from us. [Matthew 6:19-20] Programming is a great thing, but it isn't everything and isn't even the main thing.
4 March 2010 Meeting
Employment
Whether starting a new job or grateful to have a job, this dominated our thoughts. Especially in this area, ColdFusion work that pays well can be tough to come by. Most of the work in Central Alabama centers around government employment (car companies excluded) that favors anything Microsoft wants to sell. Moonlighting runs the risk of endless requirement changes disguised as bug fixes. You have to have a certain level of formality to protect both parties. "Lord, give me a job of work to do.... That's all I want, that's all I ask of you." -- Tom Paxton.
4 February 2010 Meeting
Risk!
Just because you can imagine it doesn't mean you should do it. We explored business forms, the Payment Card Industry (PCI) Data Security Standard (DSS), and some Open Web Application Security Project (OWASP) cautions.
Business Forms
How do you know that an individual who comes to your site is authorized to represent a business? How do you know that the business exists? How do you gain a sense of how reliable the business is? How do you satisfy a purchase order? We reviewed Internet-capable versions of answers to these questions normally handled through paper forms or personal interaction.
PCI DSS
Cheap, shared hosts are fine for some purposes, but when you start accepting credit cards, support requirements increase dramatically. You can dodge some of this by having the payment gateway accept the card information directly from the customer, but whatever path you take has an impact on the user experience.
OWASP
The OWASP top 10 critical risks should be required reading for every developer. They change periodically based on impact and on real-world exploitation. A real eye-opener since 2007 is cross-site request forgery (CSRF). Any site your customer browses while his session at your site is still active can pretend to be your customer and will be able to use your customer's credentials (cookies, etc.) to do it.
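The standard defence against the CSRF scenario above, as an added example rather than anything the group wrote: a per-session token that the browser sends back in the form body. A page on another site can make the browser send your cookies, but it cannot read session.csrfToken, so it cannot put the token in the request. Assumes sessionManagement is enabled in Application.cfc; the field and variable names are invented.

```cfml
<!--- Added example, not from the meeting notes. Assumes session management is on;
      csrfToken, action.cfm and the "amount" field are invented names. --->

<!--- Runs before the protected page (e.g. from onRequestStart): issue one token per session --->
<cfif NOT structKeyExists(session, "csrfToken")>
    <cfset session.csrfToken = hash(createUUID() & getTickCount(), "SHA-256")>
</cfif>

<cfif cgi.request_method EQ "POST">
    <!--- Reject any state-changing request that lacks the token or carries a wrong one.
          compare() is case-sensitive and returns 0 only when both strings match. --->
    <cfif NOT structKeyExists(form, "csrfToken")
          OR compare(form.csrfToken, session.csrfToken) NEQ 0>
        <cfheader statuscode="403" statustext="Forbidden">
        <cfabort>
    </cfif>
    <!--- Token matched: the request came from a page we served, so perform the action here --->
</cfif>

<!--- Every form that changes state carries the token as a hidden field --->
<cfoutput>
<form method="post" action="action.cfm">
    <input type="hidden" name="csrfToken" value="#htmlEditFormat(session.csrfToken)#">
    <input type="text" name="amount">
    <input type="submit" value="Transfer">
</form>
</cfoutput>
```

Checking GET requests the same way is pointless: state changes belong on POST, and a forged link can only trigger a GET, which this code never treats as an action.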
7 January 2010 Meeting
IDEs
It's time to stop relying on Wordpad and nimble fingers. We reviewed several IDEs but settled on Eclipse.
Disk Space
For Marty, the toughest part was moving 45 Gigabytes of family photos to external storage to make room for an IDE.