A secure search engine in ColdFusion

Well, it’s official! We’ve got a hacker safe site… (for now anyway)

I’ve always been pretty careful about security when it comes to programming, web server setup, etc.

We had our site checked by members of CFAUSSIE before we launched it. Two issues came up; one was reported by Steve Bentley, who really did an awesome job in discovering the hole.

We’re not scared to put our site out there and let people try to break it; I believe it’s the only way to go if you want to run a successful, high-traffic Australian search engine. It’s better to discover the security holes before launch and fix them than to discover them after launch and get a bad name.

OK, even though we had the site checked by members of the ColdFusion community, I still did not feel 100% safe about it all. So we’ve become a member of www.scanalert.com and had our site and server scanned for thousands of vulnerabilities. It’s not cheap becoming a member of ScanAlert, but I reckon it is well worth the money if you want to be notified about potential security holes (if any) before anyone else discovers them.

Everything went as planned; even our own site-protection and reporting methods worked. The scan requested a number of pages within a time frame that can only be automated. This gets detected by our application: we get notified, and the IP gets logged and banned from accessing further content. We’re planning to eventually integrate this with the web server so that it puts the IP in the access-denied list.
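The post does not show the site's ColdFusion code, so here is an added example of the idea it describes: a per-IP sliding window over access-log lines that flags an address requesting more pages in a short span than a human would, records the ban, and denies its later requests. The log lines, IP addresses and the threshold (10 pages in 30 seconds) are constructed for the demo and are not the site's real values; the web-server deny list integration is left as the separate step the post mentions.

```python
"""Sliding-window request-rate detector run over constructed access-log lines.

Added example, not the site's ColdFusion code. Thresholds, IPs and log lines
are assumptions constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


class RateDetector:
    """Ban an IP once it exceeds max_requests within any window_seconds span."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.recent = defaultdict(deque)  # ip -> timestamps still inside the window
        self.banned = {}                  # ip -> (time of ban, requests seen in window)

    def observe(self, ip, ts):
        """Record one request; return 'deny' (already banned), 'ban' (just tripped) or 'allow'."""
        if ip in self.banned:
            return "deny"
        q = self.recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) > self.max_requests:
            self.banned[ip] = (ts, len(q))
            return "ban"
        return "allow"


def scan_log(lines, max_requests=10, window_seconds=30):
    """Feed log lines through the detector; return (banned IPs, per-IP verdict counts)."""
    det = RateDetector(max_requests, window_seconds)
    verdicts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # unparseable line: skip rather than crash the detector
            continue
        ip, ts = parsed
        verdicts[ip][det.observe(ip, ts)] += 1
    return det.banned, verdicts


# --- Constructed sample log (assumed addresses, not real visitors) -----------
def _line(ip, second, path):
    return f'{ip} - - [14/Jan/2008:22:10:{second:02d} +1100] "GET {path} HTTP/1.1" 200 5120'


SCANNER = "203.0.113.5"   # assumed scanner: 15 pages in 15 seconds
HUMAN = "198.51.100.7"    # assumed visitor: 3 pages, 20 seconds apart
SAMPLE_LOG = (
    [_line(SCANNER, s, f"/search.cfm?q=page{s}") for s in range(15)]
    + [_line(HUMAN, s, "/search.cfm?q=perth") for s in (0, 20, 40)]
    + ["garbage line that should be skipped"]
)

if __name__ == "__main__":
    banned, verdicts = scan_log(SAMPLE_LOG)
    for ip, (when, n) in banned.items():
        print(f"banned {ip} at {when.isoformat()} after {n} requests in window")
    for ip, counts in verdicts.items():
        print(ip, dict(counts))
```

With the sample above the scanner trips the limit on its 11th request and every later request is denied, while the visitor's three spaced-out requests are all allowed. The window is per IP, so the order in which different addresses appear in the log does not matter.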

The scan report from ScanAlert is pretty comprehensive; if they find something, they’ll also help with explaining and fixing the hole. It so happens we had a couple of low alerts. The alerts range from Low to Urgent, with Medium, High and Critical in between. The low alerts were things like allowing ICMP requests, which we have to allow because we also have the site monitored externally: if and when it goes down, we like to be notified! 😉

Another alert had something to do with cookies not being set over a secure channel. I will have to read up a bit more about that one. Not sure how that would work since we can’t put SSL over the whole site.
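That alert normally refers to the Secure attribute on Set-Cookie: a cookie carrying it is only sent by the browser over HTTPS, so a cookie that must also work on plain-HTTP pages cannot carry it, which is the tension the post describes. As an added example (not from the original post), here is a small audit of Set-Cookie headers that reports which cookies lack the attribute and which cannot take it because the site needs them on HTTP pages. The headers are constructed; CFID and CFTOKEN are ColdFusion's default session cookie names, and "prefs" is an assumed site cookie.

```python
"""Audit Set-Cookie headers for the Secure attribute.

Added example, not from the original post. Header lines and cookie names are
constructed for the demo (CFID/CFTOKEN are ColdFusion's default session cookie
names; 'prefs' is an assumed site cookie).
"""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lowercase: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookies(headers, http_pages_need=()):
    """Return {cookie_name: verdict} for every Set-Cookie header in a response.

    'ok'             -- carries Secure
    'missing_secure' -- no Secure; the browser will also send it over plain HTTP
    'cannot_secure'  -- no Secure, but the site needs it on HTTP pages, so adding
                        Secure would break those pages
    """
    verdicts = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(hvalue)
        if "secure" in attrs:
            verdicts[name] = "ok"
        elif name in http_pages_need:
            verdicts[name] = "cannot_secure"
        else:
            verdicts[name] = "missing_secure"
    return verdicts


def with_secure(header_value):
    """Return the Set-Cookie value with '; Secure' appended if absent (match is case-insensitive)."""
    _, _, attrs = parse_set_cookie(header_value)
    if "secure" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; Secure"


# Constructed response headers as a scanner would see them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "CFID=1234; Path=/; HttpOnly"),
    ("Set-Cookie", "CFTOKEN=98765432; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=au-en; Path=/; Expires=Wed, 14-Jan-2009 12:00:00 GMT"),
]

if __name__ == "__main__":
    for name, verdict in audit_cookies(SAMPLE_HEADERS, http_pages_need={"prefs"}).items():
        print(f"{name}: {verdict}")
    print(with_secure("CFID=1234; Path=/; HttpOnly"))
```

On the sample, CFID is reported as missing Secure, CFTOKEN as fine, and prefs as a cookie that cannot take the attribute because the site needs it on HTTP pages. The useful question for a site that only has SSL on some pages is which cookies fall into that last group.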

I’ll report more about this when information becomes available.

January 14, 2008 at 11:27 pm
