Posts tagged ‘security’

Securing ColdFusion (tips)

I’ve started to write a document for OWASP about ColdFusion security which I hope will be included on the site when I finish it.

Any feedback is more than welcome; if you’d like to see anything included about ColdFusion security, let me know and I’ll do my best to include it.

Some of the items covered are:

  1. SQL Injection
  2. Database Logins
  3. Logging
  4. XSS (Cross Site Scripting)
  5. Cookie Hijacking
  6. Proper Error Handling
  7. Input Validation
  8. Securing Protected Areas
  9. Forms being submitted outside of your domain
  10. Automated data mining
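As an added illustration of items 1 and 4 (not taken from the OWASP document, which is still being written), here is the pattern the document should warn about and the fix ColdFusion already ships with. The datasource name `shopDS`, the `products` table and the `url.id` parameter are assumptions for the example.

```cfml
<!--- Added example, not from the OWASP document above.
      Assumes a datasource "shopDS" and a table products(productID, name, price). --->

<!--- Vulnerable: url.id is pasted straight into the SQL text, so a request
      such as ?id=1 OR 1=1 or ?id=1;DROP TABLE products-- rewrites the query. --->
<cfquery name="getProduct" datasource="shopDS">
    SELECT productID, name, price
    FROM products
    WHERE productID = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam sends the value as a typed bind parameter, so the
      database never parses it as SQL. cf_sql_integer also throws on non-numeric
      input, which doubles as item 7 (input validation) for this field. --->
<cfquery name="getProduct" datasource="shopDS">
    SELECT productID, name, price
    FROM products
    WHERE productID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Item 4: encode anything that came from the user or the database before it
      is written into the page, otherwise stored script in "name" runs in the browser. --->
<cfoutput query="getProduct">
    <p>#HTMLEditFormat(name)#</p>
</cfoutput>
```

The same `cfqueryparam` tag works for string columns (`cf_sql_varchar` with a `maxlength`) and for `IN (...)` lists via `list="true"`, so there is no query shape that justifies raw `#variable#` interpolation inside `cfquery`.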

The document about ColdFusion security can be downloaded here. Please note that the document is still a work in progress.

This document is sponsored by www.clickfind.com.au

ColdFusion Security

January 23, 2008 at 7:15 am

TrustWatch – doesn’t look so trustworthy!

I have to write about our experience with trustwatch.com, I just have to!

A website that should stand for TRUST on the Internet should be contactable via email, right? Especially if it’s powered by http://www.geotrust.com/

We felt there might be some synergy between www.clickfind.com.au and www.trustwatch.com as we only list real Australian businesses, and verify the ABN details with the government registry. Therefore we only have real businesses listed, which should instil some trust with the users of clickfind.

Since all partners on http://www.trustwatch.com/get-verified.html are US based and mostly deal with US based companies only, we felt that it would be a good thing to approach them and see what partnership is possible. If no partnership was possible, we’d still be interested in their API, which they list somewhere on the site.

So we compiled our first email:

Dear Sir/Madam,

We like to enquire how we can become a partner: http://www.trustwatch.com/partners.html

Our company lists Australian businesses only, and requires each one to provide ABN details; we then retrieve their business details from the government registry. Only registered businesses have an ABN, which gives people searching the site the confidence of knowing they are dealing with a real Australian business. Please see an example on https://www.clickfind.com.au/business/listing.cfm?businessIdentity=45717 (please scroll down till you see “Registered business” on the left hand side).

Looking forward to hearing from you.

The email got returned because their mail server is either down or doesn’t exist anymore.

Please see attachment for the Delivery Status Notification.

trustwatch screenshot 1

OK, that can happen to the best of us, so I started searching their website for a contact form. I found one http://www.trustwatch.com/feedback.html

So I figured I’d provide some feedback, but the feedback link went to a survey that was closed. OK, report an error then! That link went to a survey that was closed too. Nothing but dead links. Hmm, certainly doesn’t instil a lot of trust so far. See attachments for a screen shot.

TrustWatch screenshot 2 – TrustWatch screenshot 3 

That’s when I figured I’d write about this experience. Before I did so, I figured I’d better make darn sure there is no other email address to contact them on. After searching all the pages I finally found another address: info@trustwatch.com I wrote another email:

Hello,

There are a couple of reasons for contacting you.

  1. We are interested in the trustwatch API.
  2. We’ve been trying to contact you via other channels in regards to partnership, please see below:
     1. We’ve emailed you on partners@trustwatch.com and the email got returned, see screenshot trustwatch_01.jpg.
     2. We’ve tried the feedback links on your site, which all lead to screenshot trustwatch_02.jpg and trustwatch_03.jpg.

We think your company is great, and what you are doing, we are completely behind it. But having dead links and hard to find emails is not a great public image 😉 So, I thought you might like to know about it, and I took the time to go through all your pages till I came across this email address.

Following is a copy of the first email I sent:

Please see attachment for the Delivery Failure Notice.

TrustWatch screenshot 4

That was the end of us trying to bring trustwatch to Australia 😉


Yes, I could have contacted them by telephone (that’s if it wasn’t disconnected), but that’s not the point here. The emails were also days apart.

January 8, 2008 at 12:45 am · 1 comment
