It's not the fact that the examples are in ColdFusion that makes this article mostly irrelevant. To suggest that it does really just makes you sound ignorant, especially since the particular attack being demonstrated is not language specific.
ColdFusion isn't the best language, but it's certainly not one of the worst either. I think the poor reputation mostly stems from complaints about the joe-shmoe-friendly tag-based syntax and the fact that it's commercial, but most of these probably come from people who have never even used it. I spent some time with it and there are some pretty nifty things you can do with it. The fact that it's built on Java is nice too since you can leverage the entire Java standard library and run on all the so-called enterprise-y application servers all without the pain of having to use Java. This leads to rapid, corporate-friendly development which makes developers and PHBs happy. That's probably why there are still lots of businesses out there using it.
MySpace is the largest CF site I'm aware of. I think they actually use the BlueDragon flavor of CF- or at least they did at one time. Most people haven't heard of it, but there's actually another implementation besides the one from Adobe. I remember some talk about MySpace being ported to .NET, but I still see a bunch of .cfm URLs on there so I'm not sure what they're doing.
I don't know what you mean by that security remark. You can develop secure applications in CF just like you can with any other language. Some languages might require some more hoop jumping than others (example: protecting against SQL injection in PHP was a real drag for a long time), but I'm not aware of anything inherent in CF that makes it particularly difficult. In fact, I've found that many things tend to be easier in CF.
Don't get me wrong- I'm not saying everyone should go out and learn ColdFusion. I just think it may be undeserving of the snide comments it seems to attract.
Well, my company funds itself by, amongst other things, going out and breaking web apps, and I'm going to assert without evidence that in both code quality and in environmental security (admin interfaces, etc), CF sites rank at the bottom, and .NET and J2EE sites are neck and neck at the top.
We're a Rails product shop and our dev team is recovering Lisp hippies, so that's not a BigCo bias, it's just the empirical observation.
I won't dispute your results, but those alone are insufficient evidence to suggest any correlation between languages and the ability to develop secure applications. It's a huge leap to say that ApplicationX, developed in Blub++, has more bugs than some completely different application developed in another language, therefore Blub++ is an insecure language.
More likely, the correlation is between security and a number of factors far from choice of language, such as developer experience, diversity of the development team, budget, etc.
Based on my own experience, I've seen that many CF developers are typically less experienced and work in smaller shops so those results aren't the least bit surprising. It's important to keep in mind that they say far more about the developers than the language the application was developed in.