AI-Powered Security Analysis for ColdFusion
Manual security code reviews are time-consuming and prone to human error. AI-powered security analysis can scan thousands of lines of ColdFusion code in minutes, identifying SQL injection risks, XSS vulnerabilities, insecure configurations, and compliance violations—all while keeping your proprietary code completely private using local AI models.
Why AI for Security Analysis?
Traditional security audits rely on manual code review, static analysis tools (like HP Fortify), and penetration testing. While these remain essential, AI augments security analysis by:
- Comprehensive Coverage: Scan entire codebase in minutes, not weeks
- Context Awareness: Understand data flow across components, not just single files
- Pattern Recognition: Identify subtle vulnerability patterns humans might miss
- Real-time Feedback: Immediate security feedback during development
- Continuous Monitoring: Run security scans on every commit
- Education: Explain why code is vulnerable and how to fix it
Local AI Setup for Security Analysis
Security code must never leave your environment. Use only local AI models for security analysis.
Recommended Models for Security Analysis
DeepSeek Coder (Best Overall)
# Install via Ollama ollama pull deepseek-coder:33b # Use for security analysis ollama run deepseek-coder:33b # Create security-focused prompt template cat > security-scan.txt << 'EOF' You are a security expert analyzing ColdFusion code. Identify all security vulnerabilities including: - SQL injection - XSS - CSRF - Insecure authentication - Authorization flaws - Insecure file uploads - Information disclosure - Security misconfigurations For each finding provide: - Severity (Critical/High/Medium/Low) - Vulnerable code snippet - Explanation of the vulnerability - Proof of concept exploit - Secure code example EOF
WizardLM (Good for Explanations)
# Install via Ollama ollama pull wizardlm:13b # Good for explaining vulnerabilities to developers ollama run wizardlm:13b
- Best for: Educational explanations of vulnerabilities
- Use case: Training developers on secure coding
Automated Security Scanning Script
Create a script to scan your codebase automatically:
#!/bin/bash
# security-scan.sh - Automated security scanning with local AI
SECURITY_PROMPT="You are a security auditor. Scan this ColdFusion code for vulnerabilities and provide findings in JSON format with: severity, vulnerability_type, line_number, description, exploit, remediation."
# Find all CFM and CFC files
find . -type f \( -name "*.cfm" -o -name "*.cfc" \) | while read file; do
echo "Scanning: $file"
# Send to local AI for analysis
cat "$file" | ollama run deepseek-coder:33b "$SECURITY_PROMPT" > "reports/${file}.security.json"
done
# Aggregate results
echo "Generating summary report..."
node aggregate-security-findings.jsCritical Security Vulnerabilities AI Can Detect
1. SQL Injection
The most common ColdFusion vulnerability. AI identifies unparameterized queries:
Prompt: "Scan this ColdFusion code for SQL injection vulnerabilities. For each issue found: - Identify the vulnerable line - Show the SQL injection attack vector - Explain why it's dangerous - Provide the secure version using cfqueryparam Code: <cfquery name="getUser" datasource="#dsn#"> SELECT * FROM users WHERE username = '#form.username#' AND password = '#form.password#' </cfquery>"
AI Response Example: Vulnerable on line 3-4. User input directly concatenated into SQL. Attacker can inject ' OR '1'='1 to bypass authentication. Fix: Use cfqueryparam for all dynamic values.
2. Cross-Site Scripting (XSS)
AI detects unescaped output that could execute malicious JavaScript:
Prompt: "Identify all XSS vulnerabilities in this ColdFusion template.
Check for:
- Unescaped user input in HTML context
- Unescaped values in JavaScript context
- Unescaped values in URL parameters
- Missing encodeForHTML/encodeForJavaScript
For each vulnerability:
- Show the vulnerable code
- Demonstrate the XSS attack
- Provide the escaped version
Code:
<cfoutput>
<h1>Welcome #url.name#!</h1>
<script>
var userData = '#session.userData#';
</script>
</cfoutput>"3. Insecure File Uploads
AI analyzes file upload code for security issues:
Prompt: "Analyze this file upload code for security vulnerabilities:
- Missing file type validation
- Executable file uploads allowed
- Path traversal vulnerabilities
- Missing file size limits
- Insecure storage locations
<cffile action="upload"
destination="#expandPath('./uploads/')#"
nameConflict="makeUnique">"4. Authentication & Authorization Flaws
Prompt: "Review this ColdFusion authentication system for security flaws: - Session fixation vulnerabilities - Weak password hashing - Missing session timeout - Insecure password reset - Authorization bypass opportunities - Missing CSRF protection Code: [paste authentication components]"
5. Insecure Configurations
Prompt: "Analyze Application.cfc for security misconfigurations: - Debug output enabled in production - Weak session settings - Missing security headers - Insecure cookie settings - Overly permissive CORS - Missing request throttling Code: [paste Application.cfc]"
AI Security Scanning Workflow
Phase 1: Automated Vulnerability Scan
Step 1: Identify Attack Surface
Use AI to map all user input points:
Example Prompt:
"Analyze this ColdFusion application and identify all user input points including: form fields, URL parameters, cookies, HTTP headers, file uploads, API endpoints, WebSocket messages. For each, indicate if validation is present and if output is properly escaped."
"Analyze this ColdFusion application and identify all user input points including: form fields, URL parameters, cookies, HTTP headers, file uploads, API endpoints, WebSocket messages. For each, indicate if validation is present and if output is properly escaped."
Step 2: Data Flow Analysis
AI traces user input through the application:
Prompt: "Trace the data flow for form.username from input to database. Show: - Where it's received (form, URL, etc.) - What validation is applied - How it's used (database query, output, etc.) - If it's parameterized/escaped at each use - Potential injection points Application files: [paste relevant controllers/services]"
Step 3: Generate Security Report
Prompt: "Generate a comprehensive security audit report for this ColdFusion application. Include: - Executive summary with risk ratings - Detailed findings with severity (Critical/High/Medium/Low) - Proof of concept exploits for each vulnerability - Remediation steps for each finding - Compliance mapping (OWASP Top 10, CWE) - Estimated fix effort for each issue Scan results: [paste previous AI scan outputs]"
Phase 2: Compliance Checking
OWASP Top 10 Compliance
Prompt: "Check this ColdFusion application against OWASP Top 10 2021. For each category, identify: - Vulnerabilities found - Code examples - Risk assessment - Remediation priority Categories to check: A01: Broken Access Control A02: Cryptographic Failures A03: Injection A04: Insecure Design A05: Security Misconfiguration A06: Vulnerable Components A07: Authentication Failures A08: Software & Data Integrity A09: Security Logging Failures A10: Server-Side Request Forgery Application code: [paste Application.cfc and key components]"
PCI DSS Compliance (for payment apps)
Prompt: "Analyze this payment processing code for PCI DSS compliance: - Requirement 3: Protect stored cardholder data - Requirement 4: Encrypt transmission of cardholder data - Requirement 6: Develop secure systems - Requirement 8: Identify and authenticate access - Requirement 10: Track and monitor network access Check for: - Credit card data in logs - Unencrypted card storage - Missing encryption in transit - Weak access controls - Insufficient logging Code: [paste payment processing components]"
Phase 3: Secure Code Generation
Generate Secure Alternatives
AI rewrites vulnerable code securely:
Prompt: "Rewrite this vulnerable ColdFusion code to be secure. Apply all OWASP best practices including: - Parameterized queries - Output encoding - Input validation - Secure session management - CSRF protection - Security headers Original code: [paste vulnerable code] Provide: - Secure rewritten code - Explanation of each security improvement - Test cases to validate security"
Specific Security Scenarios
API Security Analysis
Prompt: "Analyze this REST API for security issues: - Missing authentication - Weak authorization (IDOR, privilege escalation) - Rate limiting - Input validation - Output encoding - CORS misconfigurations - API key exposure - Sensitive data in responses API Code: [paste REST API components]"
Session Security
Prompt: "Review session management for security flaws: - Session fixation vulnerabilities - Predictable session IDs - Session timeout too long - Session data in URL - Missing secure/httpOnly flags - Cross-site session exposure - Session hijacking opportunities Application.cfc: [paste Application.cfc sessionManagement settings]"
Third-Party Integration Security
Prompt: "Analyze third-party API integration for security issues: - API keys in source code - Insecure API key storage - Missing TLS/SSL validation - Unvalidated API responses - SSRF vulnerabilities - Webhook signature validation Integration code: [paste API integration components]"
AI Security Best Practices
Never Trust AI Completely
- False Positives: AI may flag secure code as vulnerable - verify each finding
- False Negatives: AI may miss vulnerabilities - use multiple scanning methods
- Context Matters: AI may not understand your specific security requirements
- Manual Review: Always have security experts review critical findings
Layered Security Approach
Combine AI with traditional security tools:
- Static Analysis: HP Fortify, SonarQube, Adobe Code Analyzer
- AI Analysis: Local AI models for pattern detection
- Dynamic Analysis: OWASP ZAP, Burp Suite for runtime testing
- Penetration Testing: Human pen testers for real-world attacks
- Code Review: Senior developers reviewing critical code
Continuous Security Monitoring
Integrate AI security scanning into CI/CD:
# .github/workflows/security-scan.yml
name: AI Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: self-hosted # Use self-hosted runner with Ollama
steps:
- uses: actions/checkout@v2
- name: Run AI Security Scan
run: |
./scripts/security-scan.sh
- name: Check for Critical Findings
run: |
# Fail build if critical vulnerabilities found
if grep -q '"severity": "Critical"' reports/*.json; then
echo "Critical security vulnerabilities found!"
exit 1
fiSecurity-Focused AI Prompts Library
Comprehensive Security Audit
Prompt Template: "Perform a comprehensive security audit of this ColdFusion application. Scope: [Production / Development / API / Admin Panel] Compliance Requirements: [OWASP Top 10 / PCI DSS / HIPAA / SOC 2] Check for: 1. Injection vulnerabilities (SQL, LDAP, XPath, etc.) 2. Broken authentication and session management 3. Sensitive data exposure 4. XML External Entities (XXE) 5. Broken access control 6. Security misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure deserialization 9. Using components with known vulnerabilities 10. Insufficient logging and monitoring For each finding provide: - CVE/CWE reference if applicable - CVSS score - Exploit steps - Business impact - Remediation with code examples - Verification steps Application files: [paste application code]"
Secure Code Review Checklist
Prompt Template: "Review this code against the ColdFusion secure coding checklist: Input Validation: ☐ All user input validated ☐ Whitelist validation where possible ☐ Type checking enforced ☐ Length limits applied Output Encoding: ☐ HTML output encoded (encodeForHTML) ☐ JavaScript output encoded (encodeForJavaScript) ☐ URL parameters encoded (encodeForURL) ☐ SQL parameters bound (cfqueryparam) Authentication: ☐ Strong password requirements ☐ Account lockout after failed attempts ☐ Secure password storage (bcrypt/argon2) ☐ Session regeneration after login Authorization: ☐ Role-based access control ☐ Resource-level authorization ☐ No direct object reference vulnerabilities Code: [paste code for review]"
AI Security Analysis Checklist
- Local AI model installed and tested
- Security scanning script configured
- Baseline security scan completed
- All critical findings documented
- False positives reviewed and documented
- Remediation plan created for each finding
- Secure code alternatives generated
- Test cases created to prevent regression
- CI/CD integration configured
- Security team trained on AI tool usage
- Compliance requirements mapped to findings
- Regular scan schedule established
Gotchas
- False sense of security: AI can miss vulnerabilities - always use multiple security layers
- Context blindness: AI may not understand your specific threat model
- Over-reporting: AI may flag non-issues - requires manual triage
- Outdated knowledge: AI training data may not include latest vulnerabilities
- Business logic flaws: AI struggles with application-specific logic vulnerabilities
- Prompt injection: Malicious code could try to manipulate AI responses
- Model limitations: Smaller local models may miss complex vulnerabilities
Related Resources
- Security Baseline - Essential security hardening
- How to Secure CF 2025 - Comprehensive security guide
- Security Hardening Framework - Defense-in-depth approach
- REST API Hardening - API security best practices
- Debugging ColdFusion - AI-assisted debugging
Need Security Help?
Convective provides comprehensive ColdFusion security services including penetration testing, security audits, and remediation. Our team has decades of experience securing mission-critical CF applications. Learn more about our security services.