Re[2]: ColdFusion 10 vs Railo

as I mentioned the default automatic sandboxing is great, but lacks granular control if you need it. Also as with CF, all sandboxing and security is moot if you simply drop down to using Java code as you are then overriding any built in sandboxing and only limited by the security of the OS On Mon, Aug 20, 2012 at 2:49 PM, Cameron Childress <cameronc@gmail.com>wrote: > > On Mon, Aug 20, 2012 at 9:42 AM, Michael David <lists@michaeldavid.com > >wrote: > > > I trust my own coding abilities as it relates to application security, > > but how secure is Railo itself?  For example, there were a handful of > > patches we had to do on CF9 to address certain vulnerabilities.  How > > about with Railo? > > > I don't think that there have been as many security related patches on > Railo as there have been on CF, but I think that this is a very poor > measure of how secure it is. There could be fewer patches because less > analysis has been done on Railo, for example. Some of the Adobe CF patches > have been related to third party software that's bundled with CF to - so > it's not really a clear indicator. > > But generally speaking, I feel comfortable with Railo's security. As Matt > mentioned there is a fairly good sandboxing scheme. I think I'd put Railo > and CF in roughtly the same bucket regarding security. However, I do feel > that the Railo team is a little bit quicker to respond to bugs and patching > in general, including security related bugs, which may tip the argument in > their favor depending on your point of view. > > -Cameron > > -- > Cameron Childress > -- > p:   678.637.5072 > im: cameroncf > facebook <http://www.facebook.com/cameroncf>; | > twitter<http://twitter.com/cameronc>; | > google+ <https://profiles.google.com/u/0/117829379451708140985>; > > >