
Proposal - Coldfusion vs JSP


bloise

Programmer
Jun 21, 2001
67
US
Greetings,

I work for a small company and have developed a ColdFusion app. We are in the process of bidding for a government contract and in the proposal it states that the code shall be in JSP to "ensure security on the server". Active server pages will not be accepted.

Question: What do JSP and the environment have over the ColdFusion environment regarding security? And can someone point me to a white paper that addresses ColdFusion security?

Thanks for the help,
Mike
 
I hate these questions.. They require brutal honesty.

Cold Fusion has some bugs (primarily db-based) that it still needs to work out. Macromedia is improving but I don't think the government will accept the bugs that pop up.

As far as ensuring security on the server... That tells you the gov't's opinion of MS but I don't think that JSP is any more secure necessarily than php/asp/cf.

The cause of that statement is probably an overzealous jsp programmer that said how much more secure it naturally was.. The main part of security is the programmer's talent for writing secure applications. I'm not aware of any vulnerabilities uncovered recently in CF but I've been pretty busy.

To restate most simply: I love cold fusion but it's got some bugginess that had I known about before I started building my latest applications, I would have tried another language.

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
"I love cold fusion but it's got some bugginess that had I known about before I started building my latest applications, I would have tried another language."

What kind of bugs?
 
Databases mainly... It's not CF's fault, but they don't do much about it. It really hurt my site badly for a while.

Macromedia also makes changes with little regard to the applications it will affect. They don't *think* of ways to mess up apps of course... but key changes to tags.. that don't need to happen can break applications.

 
webmigit said:
Macromedia also makes changes with little regard to the applications it will affect. They don't *think* of ways to mess up apps of course... but key changes to tags.. that don't need to happen can break applications.

If I remember rightly, in the next version of ColdFusion cfgraph is going to be totally wiped and cfchart used entirely instead.
Now if there are people with old sites using cfgraph code and then the server they're on upgrades, surely there are some issues to seriously resolve?!

CF Reference
The links of my knowledge
 
I think that's a bunch of BS (the security thing, not the bug thing).. the guy that said security has more to do with the programmer than the language is right on the money. You could write an app in jsp that will be just as vulnerable to drop table attacks, etc.

I was reading up on the version of coldfusion after MX, and there is supposed to be an option to compile a whole coldfusion app into jsp bytecode complete with the coldfusion runtime all balled up into an .EAR file or a .WAR file or some j2ee oriented tarball. In that case, it could be considered native jsp, right?
 
Save your time. I struggled at my small company in a bidding war of ColdFusion v. JSP. I lost. The company went with JSP and it took twice as long to do anything.....simply displaying the date was a programmatic adventure.

If you're accustomed to ColdFusion, try selling them on the CF version that's J2EE compatible.

Basically, if your company wants you to crank out the code as fast as possible (and they probably do), you're better off in the long run with a secured CF site.

I lost my battle and left the company, but good luck to you.

CF rules!!!!!!

 
Yeah, you just can't beat #Now()# for date and time..

CF is doing one great thing.

They're migrating to a bi-lingual interface. CFSCRIPT is hardly cf.. it's more like js or php.. I think it's incredible that they're doing this, for programmers who stay up on cold fusion, it's an awesome approach.

I like it because I've wanted to learn php but hardly had time.. I know moderate js.. and with what I know of js, I'm able to crack open cfscript's syntax and my coding ability in cfscript is getting much stronger.

In a few months, I could write php applications with a little research, because of CF.

That is cool.

 
The very best thing about CF is you can create an entire "CF" page in JAVA using jdo and "creating Objects". You can essentially do anything java can do right in your CF page. open zip files, make a pdf on the fly, image manipulation etc... You just need to know how to do it with java.

Using standards compliant SOAP you can also create quick web services (what .net boasts most about).

I work for the government (military) and we use CF all the time, one of the more preferred languages. ASP is out the door because it isn't cross platform, not for security reasons. I'm assuming your command is uneducated, or has some lame "rice bowl (or group of people the command favors that likes JSP better)". I've seen VERY FEW jsp pages in the government compared to CF.

A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-Douglas Adams (1952-2001)
 