In this episode, your hosts Ben Nadel and Ryan Brown are joined by Peter Amiri, the current maintainer of the Wheels framework (formerly CF Wheels), to discuss its evolution and future. They dive into the history of the ColdFusion-based framework, its comparison with other MVC options, and how it's being modernized for AI-assisted development.

Key Points

• Wheels is a CFML MVC framework inspired by Ruby on Rails, focused on convention over configuration.

• Peter Amiri discusses taking over as maintainer and revitalizing the project with better tooling, testing, and documentation.

• The team explains the pros and cons of adopting Wheels over other frameworks like ColdBox and Framework One.

• Extensive discussion on integrating Wheels into legacy apps and migrating code incrementally.

• Exploration of AI’s potential role in software development and how Wheels is being shaped to support AI-driven tooling.

When Ben and Ryan introduce Peter Amiri, they quickly establish his role as the maintainer of the Wheels framework and dive into what the framework is and its CFML roots.

• Wheels uses the MVC pattern and draws inspiration from Ruby on Rails.

• It emphasizes convention over configuration, simplifying developer onboarding.

• Originated as ColdFusion on Wheels and recently dropped “CF” to become more inclusive.

Peter discusses his motivation to maintain Wheels and shares his experience of revitalizing the project as the former maintainers stepped away.

• Took over after the previous team burned out, motivated by personal reliance on the framework.

• Focused on reducing friction for contributors and users.

• Implemented GitHub Discussions, a sponsorship model, and improved the CLI.

They explore the role of testing and CI/CD within Wheels, highlighting its robust GitHub Actions pipeline for various CFML engines and databases.

• Automated testing runs on multiple versions of Lucee and Adobe ColdFusion.

• Test matrix includes various databases like MySQL, PostgreSQL, and now Oracle.

• Emphasizes the ease of contributing thanks to a well-structured test pipeline.

Discussion shifts to why one would use a framework in CFML, with arguments around organization, maintainability, and community standards.

• Frameworks reduce decision fatigue by offering structured conventions.

• Onboarding becomes easier for new developers.

• Wheels allows some customization while still being opinionated.

Peter and Ben compare Wheels with ColdBox and Framework One, detailing where Wheels fits in the CFML framework ecosystem.

• Wheels sits between lightweight Framework One and feature-heavy ColdBox.

• Each framework has its own philosophy and target use cases.

• Wheels balances inclusivity and opinionation, supporting plug-ins and modular growth.

They explain how a legacy CFML app can be gradually migrated into Wheels using a strategy like the “strangler pattern.”

• Use the “miscellaneous” folder to encapsulate legacy code.

• Gradually migrate logic into Wheels views, then controllers, and finally models.

• Existing templates can often be reused with minor routing updates.

Discussion turns toward how AI is already helping with Wheels development and where Peter sees it heading.

• AI tools like Claude and ChatGPT are surprisingly capable with CFML.

• Peter is exploring how to optimize Wheels documentation and tooling for AI understanding.

• Talks about Model Context Protocol (MCP) as a way to feed runtime data to AI agents.

The episode wraps up with practical recommendations for showing how to onboard legacy codebases into Wheels and the importance of a smooth developer experience.

• Possible screencast idea for walking through a real-world legacy migration.

• Encouragement to adopt modern MVC for maintainability and scalability.

• Wheels’ goal is to offer a polished developer experience rivaling modern frameworks like Rails or Laravel.

Ben & Ryan Show Episode 19

In this episode, your hosts Ben Nadel and Ryan Brown catch up after a short hiatus with a wide-ranging, unscripted conversation covering everything from the latest ColdFusion trends to personal experiments with AI and vibe coding. With no guest this time, it's a freestyle episode filled with developer insights, community stories, tech musings, and even a few nostalgic tangents about their careers and upcoming conferences.

Key Points

• Ryan shares insights from attending Into the Box

• Ben discusses his limited but productive use of AI, leveraging pseudocode to retain creative ownership of his code.

• The hosts dive into technical and philosophical challenges around AI-assisted development, including context limits, prompt strategies, and tooling.

• Fun anecdotes cover experiments with vibe coding, from building a bingo app to letting kids iterate on games in Replit.

• They preview plans for ColdFusion Summit, hinting at retro themes and marketing tactics like well-chosen swag.

The hosts kick off their catch-up with banter about attending Into the Box

• Into the Box was professionally run with in-depth sessions and tons of fun like mariachi karaoke.

• Ryan explores the idea of xByte Cloud sponsoring future ColdFusion events.

• Discussion of possible future guests from the "Box" ecosystem

• Ben shares his troubles getting BoxLang running in CommandBox due to Java version conflicts.

They reflect on how AI is influencing development workflows, particularly through testing and safe deployments.

• Testing is increasingly seen as essential, especially with frequent Adobe ColdFusion patches.

• Ryan mentions synthetic testing tools like Datadog as helpful for customer QA.

• Ben confesses he’s historically done manual testing, though AI might shift that.

• They explore release practices and breaking changes in Adobe CF updates.

• xByte Cloud supports parallel environments to ease upgrade testing.

The conversation shifts to vibe coding, with examples from both hosts of small projects and the value of playful iteration.

• Ben and Ryan explore Replit and building simple games or utilities with ChatGPT.

• Ryan’s son built a Flappy Bird-style game, iteratively adding features via prompts.

• Ryan vibe-coded a virtual bingo game when the usual service went down.

• They appreciate the immediacy of coding with AI assistance and rapid prototyping.

AI’s limitations and best uses become a recurring thread, as Ben and Ryan wrestle with how to use AI tools without sacrificing learning or control.

• Ben prefers using AI to generate pseudocode but insists on doing the final implementation himself.

• Prompt engineering emerges as a key skill—Ryan tests role-based agent workflows.

• They debate the fear of losing mastery versus gaining productivity.

• Ryan tries auto-correcting code through multiple AI agent passes.

• Both agree curiosity and experimentation are crucial to productive AI use.

Security and maintenance surface toward the end as they react to the latest data breach news and dream of AI-powered password management.

• A recent leak of 16 billion passwords prompts questions about best practices.

• Ben considers how 1Password’s Watchtower could integrate AI to rotate credentials.

• They riff on AI agents auto-managing security tasks like 2FA and password changes.

• The conversation ties back to larger questions about trust, safety, and AI autonomy.

Wrapping up, they share a few final thoughts on CF Summit, marketing swag wins, and what listeners might want from future episodes.

• CF Summit 2025 will celebrate ColdFusion’s 30th anniversary.

• They’re expecting retro-themed parties and looking to bring value as vendors.

• Ben’s wife loves the travel mug from xbyte Cloud—a marketing win.

• The episode ends with a call for listener feedback and a promise to keep the show going.

Ben & Ryan Show Episode 18

In this episode, your hosts, Ben Nadel and Ryan Brown, are joined by longtime ColdFusion developer James Moberg, CTO of Sunstar Media, for a deep-dive into the wild world of user-defined functions (UDFs) and decades of real-world development hacks. From building custom tools that bridge gaps in ColdFusion and Lucee, to mastering performance and security through clever abstraction, the crew shares a treasure trove of lessons learned from the trenches.

Key Points

• James shares his approach to building reusable ColdFusion UDFs that work across Adobe CF and Lucee.

• The crew explores performance wins using command-line tools versus built-in CF tags like CFZip and CFImage.

• Strategies are shared for data sanitization, accessibility, and obfuscation using tools like Jsoup and hashing functions.

• They discuss how caching, output buffering, and shadow DOM techniques can power dynamic web experiences and secure flows.

• Real talk on AI’s limits when it comes to ColdFusion code generation—and why real-world testing still matters.

Different kinds of UDFs and how naming collisions and platform differences have influenced his work.

• Three main categories of UDFs: logic abstraction, proxying functionality, and UI simplification.

• Discusses how CF versions and Lucee differ in function availability and behavior.

• Talks about CF Backport as a strategy for extending older ColdFusion versions.

A spirited discussion on real-world cross-platform quirks, unscoped variables, and strategies for HTML standardization.

• Importance of using scoped variables to prevent unexpected collisions in code.

• How ColdFusion's HTML output can be sanitized using Jsoup and AI-assisted validation.

• Real-world examples of legacy platform quirks that led to better testing and abstraction strategies.

They unpack the use of executables and CFExecute for performance-heavy tasks like PDF generation, image processing, and zipping files.

• CFZip and CFImage are shown to be slower than OS-level executables like 7-Zip or GhostScript.

• Explains how using external tools avoids Java heap memory issues.

• Highlights the benefits of file-based tools for consistency and speed across deployments.

James walks through some of his favorite UDFs

• hashID: CFML user-defined functions (UDFs) provide a simple mechanism for generating and validating hash-based identifiers.

• createShadowHtml: CFML user-defined function (UDF) generates HTML and inline JavaScript to create a dynamic, client-side preview of a given HTML document within a shadow DOM

• streamFindNoCase: user-defined function (UDF) searches the currently accumulated output buffer for the presence of a given string, performing a case-insensitive comparison.

• generateEmailHashCode: user-defined function (UDF) processes an email address by extracting the domain, sanitizing the username by removing periods (dots) and any part after the first "+", converting both parts to lowercase, and then returning a Java-generated integer hash code of the resulting string.

• enableWKHTMLTOPDFForms: user-defined function (UDF) modifies the binary of a non-Adobe-generated PDF file to enable the editing of form fields in Adobe Acrobat.

• tempCache: user-defined function (UDF) allows you to temporarily store data in the ColdFusion cache and retrieve it using a generated UUID.

• jreEscape: user-defined function (UDF) ensures strings can be safely used in regex patterns by preventing special characters from being interpreted as regex metacharacters.

• maskCC: user-defined function (UDF) takes a text string as input, searches for patterns that resemble credit card numbers, attempts to validate these potential numbers using ColdFusion's built-in credit card validation, and then masks the validated numbers by replacing all but the last four digits with asterisks.

Helpful Links

http://www.mycfml.com/ - James's website showing these functions and more.

Ben and Ryan Show Episode 17

In this episode, your hosts Ben Nadel and Ryan Brown are joined by Peter Amiri to share the gripping, real-world story of what it's like to experience—and recover from—a devastating ransomware attack. They dive deep into the technical and emotional toll of cyber extortion, walking through how it happened, what went wrong, and the long road to restoring operations while learning critical lessons along the way.

Key Points

• Peter recounts a ransomware attack that began with a zero-day exploit in their firewall and resulted in full encryption of their Windows-based infrastructure.

• Despite following industry best practices like 3-2-1 backups, cyber insurance, and EDR tools, the breach occurred due to overlooked alerts and underestimated risks.

• The team responded by cutting internet access, engaging incident response vendors, and rebuilding their environment from scratch in parallel with negotiating a ransom.

• Lessons include the critical need for MDR services, verified air-gapped backups, centralized SSO/MFA security, and proactive disaster recovery planning.

• Ultimately, the company recovered within 8 days, avoiding catastrophic data loss by leveraging unencrypted legacy copies and strategic capacity planning.

Peter discusses the company's security posture before the attack

• Cyber insurance renewals demanded increased security: MFA, then EDR, leading to major financial investment.

• EDR picked up early malicious activity, but alerts were missed due to noise and lack of security specialization.

• Overconfidence in lesser-used virtualization tools contributed to a false sense of security.

• Alarm fatigue contributed to overlooking early breach signals.

The breach was triggered by a zero-day exploit in their firewall

• The attackers deleted VM snapshots rapidly, prompting the team to disconnect internet access immediately.

• Analysis revealed the attackers were inside for 3-4 months.

• Compromised admin accounts were used to delete offsite backups.

• A seven-day-old backup and a three-month-old ERP copy survived due to architectural luck.

Peter explains how they recovered

• A three-tier recovery strategy began: rebuilding from scratch, retaining encrypted originals, and decrypting clone copies.

• FBI approval was needed for ransom payment, which was surprisingly low and flagged as a possible re-engagement tactic.

• A decryption test with non-critical files validated the attackers had access.

• The decryption key ultimately worked, restoring full operations just before their parallel recovery would have been completed.

Post-breach, Peter outlines the enhancements made to secure their environment and improve detection and response.

• A secondary DR site was implemented with air-gapped nightly snapshots.

• All systems moved to enterprise SSO with MFA and session timeouts.

• A managed MDR provider was retained to monitor and escalate potential threats in real time.

• Simulation phishing campaigns and employee security training were introduced to combat social engineering.

The conversation shifts to the importance of recovery readiness over prevention

• Emphasis is placed on headroom in infrastructure for recovery, especially in on-prem environments.

• Decision-making between "verify first" vs. "block first" policies is discussed based on system criticality and false positive rates.

• Real examples of phishing, supplier impersonation, and invoice fraud highlight human vulnerabilities in security.

Helpful Links

Arete (company that helped Peter and provides Managed Detection and Response services)

https://areteir.com/

SentinelOne (Incident Response Platform)

https://www.sentinelone.com/

Ben and Ryan Show Episode 16

In this episode of the Ben and Ryan Show, hosts Ben Nadel and Ryan Brown are joined by guest John Nessim to explore the evolving world of content management systems (CMS). With his deep development background and years of practical experience, John dives into everything from traditional platforms like WordPress to advanced headless CMS solutions, offering valuable insights into when and why to choose different tools for your website.

Key Points:

• CMS platforms have evolved to balance user-friendliness with developer control, from WYSIWYG editors to headless solutions.

• WordPress dominates the market but can be bloated and vulnerable if not managed properly.

• Headless CMS options like Strapi and Sanity allow for greater flexibility, scalability, and multi-platform content distribution.

• Accessibility enhancements not only improve user experience but also deliver measurable SEO benefits.

• Choosing the right CMS depends on business maturity, scalability needs, and how content is consumed and maintained.

Definition and purpose of a CMS

• The key function of CMS is to give control over content to non-developers.

• Static site generators may not qualify as CMS unless they include content creation tools.

• CMS evolved from managing unstructured text to structuring rich data like events and services.

• Headless CMS is described as content blocks managed separately from the front-end template.

Headless CMS

• Headless CMS organizes content in blocks delivered via APIs (usually JSON/XML).

• WordPress now supports headless modes using technologies like React or Next.js.

• Hosting implications include managing the CMS separately from front-end deployment.

• Businesses are leaning toward this model to support multiple front-ends like web, mobile, and embedded apps.

Traditional CMSs

• Website builders are constrained but easy-to-use tools for non-technical users.

• WordPress is a middle ground—flexible, extensible, but prone to bloat and plugin issues.

• Mura and its fork MASA are powerful ColdFusion-based CMSs used for multi-language and multi-site setups.

• Custom or niche CMSs still hold value in developer-friendly ecosystems.

Accessibility

• Structured content (headings, alt tags) improves screen reader compatibility and SEO.

• Color contrast and readability considerations enhance inclusivity and usability.

• SEO and accessibility goals often align, especially with structured markup.

• Tools and plugins can measure and enforce accessibility standards effectively.

WordPress

• WordPress’s popularity makes it a target for bots and DDoS attacks.

• CMS platforms can become resource-intensive without proper caching and security measures.

• Best practices include Cloudflare protection, selective plugin usage, and admin page hardening.

• WordPress was never intended for large-scale, mission-critical systems.

Picking a CMS

• Simpler businesses should stick with GoDaddy or WordPress for cost-effectiveness.

• Growing companies may outgrow WordPress and require more robust headless CMSs.

• Business use cases should dictate the CMS—static presence, lead generation, e-commerce, etc.

• Costs, flexibility, and developer availability all factor into CMS choice.

Final Thoughts

• AI-driven tools like Wix’s website generator disappoint in quality without developer oversight.

• Advanced AI tools can accelerate site creation when paired with knowledgeable devs.

• CMSs need to consider future-proofing against evolving SEO rules and AI-driven content indexing.

• John offers real-world examples of using simple tools effectively based on client needs.

Useful Links

https://nessimworks.com/

https://strapi.io/

https://www.sanity.io/

https://www.masacms.com/

https://www.murasoftware.com/

In this episode, your hosts Ben Nadel and Ryan Brown take a break from their usual guest interviews to reflect on their personal and professional journeys in the first months of 2025. They discuss major career transitions, the challenges of job hunting in today's market, and the evolving landscape of software development, all while sharing personal stories and insights on adapting to change.

Key Points:

• Ben shares his transition from co-founding Envision to joining a new company in a completely different industry, facing a steep learning curve.

• Ryan talks about how networking and content creation play a key role in career opportunities, and why developers should build a public presence.

• They discuss the struggles of job searching, from dealing with stress and rejection to navigating a shifting industry.

• The importance of continuous learning, including Ben’s deep dive into CF Wheels and Ryan’s exploration of AI tools for productivity.

• A surprising story about purchasing fake AirPods from a major retailer and the unexpected resolution.

Ben reflects on his career shift after Envision’s closure, now working with Peter Amiri in a company focused on truck parts manufacturing.

• He describes the shift from self-directed work to structured teamwork and ticket-based workflows.

• Adjusting to new processes, communication methods, and working with a small but growing development team.

• Learning CF Wheels as part of the new job and the challenges of adapting to a new framework.

• The difficulty of balancing personal projects with work and feeling mentally exhausted from constant adaptation.

Ryan discusses his experience with job hunting and how networking made all the difference.

• Instead of relying on traditional applications, he leveraged his contacts to land new opportunities.

• He highlights how producing content and engaging with the community helps people stay visible in their industry.

• They reflect on how technical interviews often fail to identify the best candidates.

• The importance of having a portfolio to showcase real-world skills rather than relying on resume claims.

The hosts talk about their growing podcast and their experiences connecting with industry leaders.

• The unexpected success of the show and the ease of booking high-profile guests.

• How structuring the podcast recording schedule helped them maintain consistency.

• The challenge of engaging with technical communities outside of developer circles, like sysadmins and DevOps professionals.

Ben shares his journey into learning CF Wheels and the challenges of adapting to a new development ecosystem.

• How CF Wheels compares to Ruby on Rails and its "convention over configuration" approach.

• The struggle of learning a new problem domain while adjusting to a new job environment.

• Dealing with imposter syndrome and the pressure to adapt quickly.

Ryan recounts his bizarre experience buying fake AirPods from Walmart.

• The troubleshooting process, multiple failed attempts to connect them, and Apple's confirmation that they were counterfeit.

• How Walmart ultimately resolved the issue after several attempts at customer service.

• A lesson in checking serial numbers when purchasing electronics from big retailers.

The hosts wrap up with a look ahead at upcoming episodes, including more Adobe-focused discussions and AI developments.

In this episode, your hosts, Ben Nadel and Ryan Brown, sit down with Steve Leve from ShareASale to dive into the challenges and lessons learned from navigating an acquisition, managing technical debt, and executing large-scale migrations. They explore the impact of legacy systems, the balance between maintaining old infrastructure and innovating new solutions, and the role of AI in modern software development.

Key Points:

• Steve shares his journey from a small-town coder to a principal architect at ShareASale.

• The team discusses the challenges of merging companies post-acquisition, including business model differences and technical debt.

• Lessons from large-scale infrastructure migrations, including moving from ColdFusion monoliths to modern architectures.

• The importance of balancing innovation with maintaining existing systems and the trade-offs of cloud computing.

• How AI is reshaping development practices, from documentation to automated testing.

Migrating an entire business platform brings its share of surprises and roadblocks.

• Steve shares his experience of being acquired by AWIN and the growing pains that followed.

• The team discusses the complexities of merging different operational and technological approaches.

• They reflect on the unexpected technical challenges, including a looming data center shutdown and hardcoded infrastructure dependencies.

• The importance of knowledge sharing within a team to prevent reliance on a single expert.

Navigating technical debt is all about prioritization and timing.

• The group explores the idea that not all technical debt needs to be fixed—only what blocks innovation or scaling.

• Steve emphasizes "tidy first" as an approach to incrementally improving code rather than massive rewrites.

• Real-world examples of how debt manifests in migrations and why some old code surprisingly holds up.

• The discussion touches on key strategies for managing technical debt within an evolving business landscape.

Migrating to AWS and cloud adoption brings new efficiencies but also new constraints.

• Steve and Ben share stories of migrating to AWS, the surprises along the way, and the need for expert help.

• Lessons on the hidden costs of cloud adoption and why simply lifting and shifting to the cloud isn't always the best strategy.

• The team debates the trade-offs between autoscaling, managed services, and maintaining on-premise solutions.

• Real-world examples of cost-efficient cloud migration strategies.

Strangler patterns, AI-driven documentation, and the future of software development.

• The team discusses the strangler pattern as a way to incrementally transition from legacy systems to modern platforms.

• Steve shares insights on how AI is being used for documentation, testing, and even code analysis.

• The group speculates on how AI-driven tools can improve developer efficiency and streamline migrations.

• They reflect on the importance of keeping up with evolving tech while maintaining a pragmatic approach to change.

This episode is packed with practical insights, real-world experiences, and candid discussions about the messy, challenging, and ultimately rewarding process of managing technical debt, cloud migration, and acquisitions. Whether you're a developer, architect, or IT leader, there's something valuable here for you!

In this episode, your hosts, Ben Nadel and Ryan Brown, sit down with Andrew Pendleton, Senior Director of Design Systems at Verizon, to discuss the role of design systems in driving consistency, accessibility, and innovation. They explore how Verizon’s approach to accessibility goes beyond compliance, how design systems empower both designers and engineers, and the challenges of maintaining a unified system in a vast enterprise.

Key Points:

• Verizon’s Design System centralizes design and engineering decisions to create scalable frameworks for digital experiences.

• Accessibility at Verizon is treated as a driver of innovation, not just compliance, influencing best practices and component design.

• The impact of constraints in design systems, allowing teams to move faster and focus on complex problems.

• The importance of cross-team communication and standardized language in improving adoption and efficiency.

• Strategies for starting a design system and integrating accessibility in an organization.

Andrew shares how his background in digital art, development, and management uniquely positioned him to lead Verizon’s Design System team.

• He discusses the importance of bridging the gap between designers, engineers, and product teams through shared terminology and best practices.

• The conversation covers how accessibility has led to innovations like responsive web design, captioning, and high-contrast modes.

• Verizon’s approach to user testing includes an accessibility lab where customers with disabilities provide direct feedback on digital and physical product experiences.

The team dives into how Verizon builds and maintains accessible components for its design system, including an advanced video player with baked-in accessibility features.

• Andrew explains how they studied platforms like YouTube, Adobe, and native HTML elements to build an optimized solution.

• The importance of leveraging the platform but extending it where necessary to maintain accessibility.

• The balance between stability and flexibility in design systems to allow innovation while maintaining consistency.

The discussion shifts to the challenges of adoption within a large enterprise and strategies to encourage engineers and designers to embrace the design system.

• Architectural misalignment and legacy technologies present obstacles to adoption, requiring phased transitions.

• Design tokens help standardize visual elements even in non-React environments.

• The role of accountability in ensuring accessibility and quality standards are maintained, even when teams customize components.

Andrew and the hosts close the episode by discussing how individuals and organizations can begin implementing accessibility in their work.

• Recommended resources for learning about accessibility, including books and online tools.

• The importance of having an accessibility champion within a company to drive awareness and adoption.

• Practical steps developers and designers can take to improve their accessibility practices, even in organizations without formal accessibility initiatives.

This episode is packed with insights on design systems, accessibility, and the intersection of technology and user experience. Whether you’re a developer, designer, or product leader, there’s something here for you!

Ben and Ryan Show Episode 12

In this episode, your hosts Ben Nadel and Ryan Brown sit down with security expert Brian Riley, author of the HoyaHaxa blog, to discuss ColdFusion security vulnerabilities and best practices for mitigating risks. The conversation dives into recent ColdFusion exploits, how security patches impact developers, and the broader implications of securing applications beyond just ColdFusion itself.

Key Points:

• ColdFusion has been targeted by multiple 0-day vulnerabilities, highlighting its continued presence in critical systems.

• Adobe's recent security updates introduce breaking changes, forcing developers to make necessary adjustments.

• Security is a multi-layered approach—application security is just one part of a larger ecosystem that includes OS, networking, and cloud infrastructure.

• The trade-off between convenience and security often leads to vulnerabilities, especially with features like remote CFC access.

• Managed hosting providers and security tools like HackMyCF can help developers stay ahead of emerging threats.

Discussion Highlights:

ColdFusion Security Landscape

• ColdFusion is still actively targeted by attackers, despite debates over its relevance.

• Government and financial institutions heavily rely on ColdFusion, making it a high-value target.

Adobe's Recent Security Updates

• Adobe is pushing security patches that enforce stricter security measures, sometimes breaking legacy applications.

• The variable scoping issue is a major focus—forcing developers to fix long-standing bad practices.

• Deprecated encryption methods are being phased out for stronger security.

Common Security Best Practices

• Regularly update ColdFusion and all associated components like Java and Tomcat.

• Restrict access to CFIDE and ColdFusion Administrator to prevent common exploits.

• Use a multi-layered defense strategy, including web application firewalls (WAFs), OS-level security, and network protections.

Challenges of Security in Hosting and DevOps

• Managed hosting providers must balance security with not breaking customer applications.

• Attackers often leverage vulnerabilities beyond just the ColdFusion layer, including database, OS, and network weaknesses.

• Cloudflare and similar services help block DDoS attacks but aren't always sufficient in real-time scenarios.

The Convenience vs. Security Tradeoff

• Many vulnerabilities exist because developers prioritize ease of use over security.

• Features like remote CFC access, while convenient, often introduce security risks.

• Security teams and developers must collaborate to strike the right balance between usability and protection.

Final Thoughts and Resources

• Brian Riley's blog HoyaHaxa provides deep dives into ColdFusion security issues.

• OWASP’s Top Ten is a great resource for understanding common security vulnerabilities.

• Developers should engage in proactive security practices rather than waiting for the next 0-day exploit.

Recent ColdFusion Related HoyaHaxa Blogs

• https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html

• https://www.hoyahaxa.com/2024/08/bsideslv-2024-slides-modern-coldfusion.html

• https://www.hoyahaxa.com/2024/07/on-coldfusion-administrator-access.html

Ben and Ryan Show Episode 11

In this episode, hosts Ben Nadel and Ryan Brown interview Grant Powell, founder of Curios. Grant shares his journey in the Web3 and NFT space, detailing how Curios started as a licensable NFT platform and successfully pivoted after the NFT bubble burst. The discussion dives deep into digital ownership, blockchain challenges, and how Curios is revolutionizing digital content distribution for creators.

Key Points:

• Curios' Evolution – Originally an NFT licensing platform, Curios pivoted to focus on digital content ownership after the market downturn.

• Blockchain & ColdFusion – The role of ColdFusion in building Curios' rapid development and API-driven platform.

• NFTs Beyond Art – Real-world applications for NFTs in digital ownership, including music, books, and event ticketing.

• Decentralization – The benefits and challenges of decentralized platforms compared to centralized ones like Ticketmaster.

• AI in Collectibles – Grant’s work with collectibles.com and AI-driven identification and valuation of collectibles.

Episode Breakdown:

Curios' Origin and Pivot

• Curios started as a platform to help businesses create and manage NFTs.

• The NFT craze led to unrealistic expectations, and as the hype collapsed, Curios pivoted to a broader digital ownership platform.

• ColdFusion played a key role in the flexibility and speed of their platform’s development.

Real Use Cases for NFTs

• NFTs are more than just overpriced JPEGs—they serve as proof of ownership for digital content like eBooks, music, and videos.

• Grant highlights how digital ownership differs from physical ownership and why secondary markets for digital goods are still developing.

• Ticketing is a strong use case, especially for VIP passes and exclusive access to events.

Challenges of Web3 and Blockchain Scalability

• Many blockchains create “walled gardens” that limit interoperability.

• Curios was among the first platforms to support multiple blockchains.

• Scalability issues in blockchain transactions require additional abstraction layers to ensure speed and efficiency.

Digital Rights and Ownership Protection

• Blockchain technology ensures proof of ownership, but enforcement remains an issue.

• The right to access content is separate from hosting the content itself, allowing removal when necessary.

AI and the Future of Collectibles

• Grant discusses collectibles.com and how AI is transforming the world of collecting.

• AI can help identify, grade, and value physical collectibles like coins, comics, and trading cards.

• The future of AI-driven marketplaces and its impact on the secondary market for rare items.

The Balance Between Work, Entrepreneurship, and Life

• Grant and Ben share insights on time management and balancing multiple projects.

• The importance of structuring schedules to maintain productivity without burnout.

• Investors’ perspectives on serial entrepreneurship and the fine line between focus and diversification.