[tptacek]

A year or two ago I would have replied that ColdFusion is actually dead, and that using it or really, even, maintaining applications in it is irresponsible, because it's virtually impossible to secure. But I think it may have become so archaic that vulnerability researchers aren't really hitting it as much any more? Maybe you've weathered the storm, and CF will be safe to use from here on out?

(Obviously: don't use ColdFusion).

[bdcravens]

As the article indicated, there are new releases, both in Adobe's proprietary version and the open source version (Lucee). Foundeo is a company built around CFML security tools (scanners and a WAF), and they release lockdown guides that are kept up to date.

https://www.foundeo.com

https://www.adobe.com/content/dam/acom/en/products/coldfusio...

I think it's the CF applications that aren't being maintained that are the biggest risk (and there's plenty of those) - Adobe has indicated which version are EOL:

https://helpx.adobe.com/support/programs/eol-matrix.html

[wglb]

Scanners and WAF are, in general, not useful security tools.

[borkyborkbork]

When you say archaic are you saying that the language hasn't been kept up to date? (If so you would be wrong)

[wglb]

I remember when it was being designed and first release that it was such a hodge-podge of ideas that in combination resulted in something that we could trivially see were bad using principles from long before.