Nov 10
So we’ve been doing a little bit of PCI Compliance work here at the office. One of the things that we found that really helped us out was a program called Portcullis – http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss. I suppose it’s not a full program, but a CFC that filters incoming request data to help protect against SQL injection and cross-site scripting. We used it to help secure a site and meet our requirements. It is much less expensive than some of the other web application firewalls out there, since it’s free.


Hi George–
I just implemented Portcullis on a site that was failing PCI compliance tests due to cross-site scripting vulnerabilities and it cleared that issue right up.
My site is still failing because the server it’s hosted on uses ColdFusion session management, not J2EE session management. I asked the host to turn on J2EE session variables, but they said they can’t. CFTOKEN is set as a UUID, so I’d think this would pass muster, but it’s not. Have you run into this issue? Do you have any ideas?
Thanks,
Joel
We actually did run into this, and we were able to show our compliance company that, since the CFTOKEN is never used without the CFID, it truly is a unique and random generation. They were able to add an exception for this to the compliance process.
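For anyone auditing their own ColdFusion session cookies before a scan, here is a small added check (example code written for this post, not part of Portcullis or the original article) that looks at the CFID/CFTOKEN Set-Cookie headers a server returns. It flags a legacy numeric CFTOKEN, an unexpected token format, and missing HttpOnly/Secure attributes. It assumes ColdFusion's UUID format of 8-4-4-16 hex groups (which differs from the RFC 4122 8-4-4-4-12 layout), and the sample headers are constructed, not captured from a real site.

```python
import re

# ColdFusion createUUID() format: 8-4-4-16 hex groups (35 chars), unlike RFC 4122's 8-4-4-4-12.
CF_UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{16}$")
# Without the UUID option enabled, CFTOKEN is a short numeric value (up to 8 digits).
LEGACY_TOKEN_RE = re.compile(r"^\d{1,8}$")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        # Flag attributes such as HttpOnly and Secure have no value; record them as True.
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(headers):
    """Return a list of findings for the CFID/CFTOKEN cookies in `headers` (empty list = clean)."""
    findings = []
    seen = {}
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        upper = name.upper()
        if upper not in ("CFID", "CFTOKEN"):
            continue
        seen[upper] = value
        if "httponly" not in attrs:
            findings.append(f"{upper}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{upper}: missing Secure")
        if upper == "CFTOKEN":
            if LEGACY_TOKEN_RE.match(value):
                findings.append("CFTOKEN: legacy numeric token; UUID tokens are not enabled")
            elif not CF_UUID_RE.match(value):
                findings.append("CFTOKEN: unrecognised token format")
    if "CFID" in seen and "CFTOKEN" not in seen:
        findings.append("CFID set without CFTOKEN")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = [
    "CFID=12345; Path=/",
    "CFTOKEN=87654321; Path=/",
]
HARDENED_HEADERS = [
    "CFID=12345; Path=/; HttpOnly; Secure",
    "CFTOKEN=3A1B2C4D-5E6F-7A8B-9C0D1E2F3A4B5C6D; Path=/; HttpOnly; Secure",
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_session_cookies(hdrs) or "no findings")
```

Run it against the Set-Cookie lines from a real response (for example, copied out of a browser's network panel or a curl -i session) and each finding points at a specific setting to fix before the next compliance scan.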