Ben & Ryan Show Episode 24
In this episode, your hosts Ben Nadel and Ryan Brown go guest-free and take the opportunity to dive into ColdFusion bugs, guinea pig maintenance, and their latest experiments in app building and AI usage.They kick things off with some light banter, guinea pig parenting tips, and custom shoes, before transitioning into deep debugging talk, asynchronous programming quirks in ColdFusion 2025, and the evolving relationship developers have with AI tooling.Key Points• Ryan surprises Ben with custom ColdFusion-themed shoes for the upcoming CF Summit.• Ben shares two deep ColdFusion 2025 bugs related to asynchronous iteration and CFQuery behavior.• Big Sexy Poems—a side project by Ben—is being built using HTMX and AlpineJS with a ColdFusion backend.• Debugging ColdFusion edge cases requires intense reduction and isolation of code to find root causes.• Ryan and Ben discuss AI voice mode frustrations and using AI for sales and dev support—highlighting both promise and pitfalls.Ben introduces his new ColdFusion 2025 app, “Big Sexy Poems,” and why he built it.• The app helps poets count syllables, find rhymes, and synonyms using the Datamuse API.• Ben is rebuilding it to learn HTMX and AlpineJS in a real-world context.• ColdFusion 2025 forces him to rethink and modernize old code written for CF2021.• Features include caching, shareable links, and saving user poems.Ben outlines two complex ColdFusion bugs that derailed development.• Bug #1: CFQuery inside asynchronous iteration dumps SQL statements to the page.• Bug #2: A three-level deep array iteration causes closure variables to vanish.• Both bugs are confirmed to go back as far as ColdFusion 2021.• Fixes required rewriting code to remove async parallelism and use manual loops.They explore how to isolate and debug ColdFusion bugs in large codebases.• Ben shares his method: reduce files down to minimal reproducible cases.• Progressively merge and remove components until only the bug trigger remains.• Use CF’s ability to simulate services to isolate logic layers during debugging.• Debugging complex async issues often takes hours but can result in 20-line reproductions.Conversation pivots to AI tools, frustrations, and how Ryan uses AI for sales support.• Ben tried ChatGPT voice mode again and found it frustratingly sycophantic.• Ryan uses persona-driven GPTs to simulate sales coaches and customer role-play.• Operator and GPT Agents have shown promise in configuring servers from specs.• Even advanced tools sometimes fail mid-task or require lots of oversight.• The team plans a live Ben and Ryan Show at CF Summit to talk AI and dev tools in person.
Ben & Ryan Show Episode 23
In this episode, your hosts Ben Nadel and Ryan Brown are joined by Mark Takata, Senior Technical Evangelist for Adobe ColdFusion, to dive deep into the evolving world of "vibe coding" and how AI is transforming development workflows. The trio explore the tools, mental friction, and cultural shifts developers face when working alongside AI, offering a mix of real-world use cases, developer gripes, and future-gazing insights into how AI might shape team structure and job roles.
Key Points
• Vibe coding is reshaping how developers approach prototyping, testing, and feature iteration using tools like Claude, ChatGPT, and Cursor
• Developers are grappling with trust issues, debugging quirks, and the loss of "good friction" in the coding process
• Cursor, a VS Code-based AI IDE, is emerging as a powerful tool for AI-assisted development and code generation at scale
• AI could reshape team roles, potentially phasing out junior positions and introducing roles like AI coaches or prompt engineers
• The group previews their upcoming live session at the Adobe ColdFusion Summit, where these AI coding dynamics will take center stage
Vibe coding is introduced as a developer trend where AI tools generate code based on high-level input
• Ben shares that his team's lead has spent months learning how to "steer" Claude and manage scope, memory, and output reliability
• Ryan recounts building a Bingo app with ChatGPT, running into scope creep and frustrating regressions with each iteration
• The team discusses the challenge of context loss and how to handle patching or manually adjusting code when working with AI
Mark breaks down his real-world usage of Cursor and how it differs from using ChatGPT
• Developers can open existing projects, give directions, and have Cursor fill in the gaps based on previous patterns
• He highlights how he uses it to rapidly prototype ColdFusion demos, noting an increase in productivity and output
• Cursor allows mixing Claude, GPT, and Check55 models for different task types
• Pro-level versions of Cursor offer metrics, visibility into prompt volume, and sophisticated model orchestration
Ben reflects on his preference for copy-paste workflows over AI generation
• He points out the "non-deterministic" nature of AI and the potential for it to introduce unseen changes across entire files
• The team debates whether AI is removing helpful friction that leads to better abstractions and more thoughtful code
• The trio agrees that AI needs better guardrails and consistency for it to be fully trusted in production codebases
The group explores how AI tools could evolve to meet professional coding standards
• Cursor could serve as a CFQuery-like abstraction for AI tooling, handling the translation between models
• AI-generated code may need standardization through community-driven templates or frameworks like PromptOS
• The role of code review could shift, with AI models doing first-pass reviews and flagging issues for humans
• Review at scale is a concern as AI-generated code grows in complexity and volume
Ryan and Ben explore the idea of AI as a team member
• Mark tells a story of a developer with a briefcase of AIs acting as a full software team
• They discuss how AI may appeal more to managers than ICs due to the loss of individual agency
• Ben shares concerns about how PR (pull request) reviews become unmanageable when AI floods teams with code
• Mark mentions teams are already using multiple AIs to cross-review code before surfacing issues to humans
The conversation shifts to how companies should approach AI adoption
• There's concern about erasing junior roles and losing the traditional developer learning pipeline
• Ryan suggests managers be transparent about whether the goal is augmentation or headcount reduction
• Mark emphasizes the need for AI coaches—specialists who manage prompt libraries, usage patterns, and workflows
Ben & Ryan Show Episode 22
In this episode, your hosts Ben Nadel and Ryan Brown sit down with Luis Majano and Daniel Garcia from Ortus Solutions to dive deep into BoxLang, the dynamic new language for the JVM. From modular design to multi-runtime capabilities and modern tooling, this conversation explores past, present, and future of BoxLang.
BoxLang is introduced as a dynamic JVM language designed to bring modularity, productivity, and compatibility to CFML and Java developers
• Supports multiple parsers, including ColdFusion and Lucee
• Designed for serverless, desktop, web, and embedded device runtimes
• Built from scratch rather than forking existing JVM languages like Groovy
• AST-driven transpilation makes it future-friendly and language-agnostic
• Modular runtime allows lean deployments without unnecessary overhead
The discussion explores the difference between static and dynamic languages and how BoxLang blends both paradigms for flexibility and control
• Dynamic types allow runtime decisions and simpler syntax
• Static typing can still be used where guardrails are helpful
• Designed for developers who want modern language flexibility with compiler-like structure
• Enables smoother transitions for CFML developers familiar with dynamic paradigms
• Brings in innovations absent in the JVM space for over a decade
Luis and Daniel outline how BoxLang was purposefully built to address long-standing developer frustrations and legacy CFML limitations
• Entire language and ecosystem are modular and extensible
• Supports CFML compatibility as a module—not a bolt-on
• Developers can build and run only what they need (eg, no web stack for CLI apps)
• Designed to work on everything from Lambda functions to ARM devices
• Emphasizes maintainability and performance
The team shares the adoption journey of BoxLang and how Java developers are responding to its flexibility and productivity tooling
• Java developers can use BoxLang as a library or full language
• Serverless and single-file conventions are major adoption drivers
• In-person events like Into the Box helped validate its appeal
• Clear demand for better tooling helped shape roadmap
• Initial pushback has faded as understanding and usage grow
Ortus highlights how AI has become integral to the BoxLang development process and future vision
• Used AI tools (Claude, ChatGPT, Gemini) for documentation, peer reviews, and prototyping
• Built a localized AI assistant for VSCode pre-trained on BoxLang docs
• Introduced BXAI module to offer LLM integration with fluent APIs
• Planning future MCP support to make apps LLM-ready by default
• AI accelerates everything from code generation to user education
The team discusses real-world adoption examples, Java interoperability, and long-awaited features like extending Java classes from CFML-like syntax
• Solves long-standing CFML-to-Java interop issues
• Allows implementing and extending Java classes natively
• Libraries like Jedis or RabbitMQ now integrate easily
• Demonstrated real-world migrations from legacy CFML (eg, RAILO) to BoxLang
• Charting and frontend decisions still debated to avoid tech bloat
Looking to the future, BoxLang's roadmap includes desktop runtimes, WebAssembly support, more IDE integrations, and merging CommandBox into BoxLang
• Desktop runtime with Electron and JavaFX support
• Azure and Android runtimes are next on the horizon
• Migration of all Ortus projects to BoxLang underway
• Goal is to empower developers to build anything—from scripting tools to full-stack apps
https://try.boxlang.io/
https://www.boxlang.io/
In this episode, your hosts Ben Nadel and Ryan Brown are joined by guests Ray Camden and Wade Bachelder to break down their experiences at the recent Adobe ColdFusion 2025 Hackathon. Together, they dive into the projects, challenges, bugs, and lessons learned while exploring new CFML features like CSV handling, charting, and Java integration.
Key Points
• Wade, Ray, and Ben each created unique apps that showcased new CF2025 features like CSV processing, charts, and cfCatch improvements
• Participants found critical bugs in the charting and CSV implementations, sparking valuable discussion
• They explored integration possibilities with Java, BoxLang, and Maven, discussing tradeoffs and developer ergonomics
• The hosts offered thoughtful feedback to Adobe on how to improve future hackathons, including ideas for in-person events and broader outreach
Wade describes his security-focused project that visualized CVEs using ColdFusion's updated charting and CSV features
• He used CVE data to build pie and line charts comparing vulnerabilities across ColdFusion and Adobe
• Found that new charting features were brittle and theming often broke rendering
• Deployed "classic" CFML mixing old tag-based code with modern features
Ray walks through his one-file bug tracker project designed for quick logging without a database
• Wrote bug data to a CSV file for Excel or Jira import
• Used minimal dependencies, all loaded via CDN
• Added simple HTML charts despite his long-standing dislike for CF's client-side tools
Ben explains his Sitter Snacks app, a lighthearted tool for logging snack preferences using CF's CSV features
• Highlighted issues with chart set and general fragility in newly released features
• Also used ColdFusion's new property file support for config handling
• Touched on differences between CF and Lucee, especially around Java integration
The hosts and guests debate how ColdFusion stacks up to other languages for rapid development
• Wade emphasizes CF's productivity for solo projects and fast MVPs
• Ray argues CF's accessibility has competition now from Python and modern JS stacks
• Ben adds that developer ergonomics—like seamless HTML rendering—still set CF apart
• Discussion dives into nuance around familiarity bias vs actual productivity gains
They discuss AI's role (or lack thereof) in their projects and explore future hackathon improvements
• Most participants didn't rely on AI but acknowledged its brainstorming value
• Ben and Wade tested APIs and used AI sparingly for code snippets
• Suggestions included more flexible timelines, better marketing, and possibly in-person events
• The group emphasized the importance of community and showcasing CF's real-world power
• Ray proposed frequent “Friday Challenges” to boost engagement with bite-sized coding tasks
The episode wraps with closing thoughts and advice for Adobe to better reach and engage the next generation of developers
• Wade calls for better social media presence and outreach to younger devs
• Ray underscores the need for clearer timelines and inclusive event formats
• Ben reflects on ColdFusion's enduring strengths and its alignment with his mental models
• The team encourages more devs to join next year and grow the CFML ecosystem together
Ray's Blog: https://www.raymondcamden.com
Wade's Blog: http://wadebach.com
Ben's Blog: https://www.bennadel.com
ColdFusion Hosting: https://www.xbytecloud.com/hosting/coldfusion-cloud-hosting
In this episode, your hosts Ben Nadel and Ryan Brown are joined by Peter Amiri, the current maintainer of the Wheels framework (formerly CF Wheels), to discuss its evolution and future. They dive into the history of the ColdFusion-based framework, its comparison with other MVC options, and how it's being modernized for AI-assisted development.
Key Points
• Wheels is a CFML MVC framework inspired by Ruby on Rails, focused on convention over configuration.
• Peter Amiri discusses taking over as maintainer and revitalizing the project with better tooling, testing, and documentation.
• The team explains the pros and cons of adopting Wheels over other frameworks like ColdBox and Framework One.
• Extensive discussion on integrating Wheels into legacy apps and migrating code incrementally.
• Exploration of AI’s potential role in software development and how Wheels is being shaped to support AI-driven tooling.
When Ben and Ryan introduce Peter Amiri, they quickly establish his role as the maintainer of the Wheels framework and dive into what the framework is and its CFML roots.
• Wheels uses the MVC pattern and draws inspiration from Ruby on Rails.
• It emphasizes convention over configuration, simplifying developer onboarding.
• Originated as ColdFusion on Wheels and recently dropped “CF” to become more inclusive.
Peter discusses his motivation to maintain Wheels and shares his experience of revitalizing the project as the former maintainers stepped away.
• Took over after the previous team burned out, motivated by personal reliance on the framework.
• Focused on reducing friction for contributors and users.
• Implemented GitHub Discussions, a sponsorship model, and improved the CLI.
They explore the role of testing and CI/CD within Wheels, highlighting its robust GitHub Actions pipeline for various CFML engines and databases.
• Automated testing runs on multiple versions of Lucee and Adobe ColdFusion.
• Test matrix includes various databases like MySQL, PostgreSQL, and now Oracle.
• Emphasizes the ease of contributing thanks to a well-structured test pipeline.
Discussion shifts to why one would use a framework in CFML, with arguments around organization, maintainability, and community standards.
• Frameworks reduce decision fatigue by offering structured conventions.
• Onboarding becomes easier for new developers.
• Wheels allows some customization while still being opinionated.
Peter and Ben compare Wheels with ColdBox and Framework One, detailing where Wheels fits in the CFML framework ecosystem.
• Wheels sits between lightweight Framework One and feature-heavy ColdBox.
• Each framework has its own philosophy and target use cases.
• Wheels balances inclusivity and opinionation, supporting plug-ins and modular growth.
They explain how a legacy CFML app can be gradually migrated into Wheels using a strategy like the “strangler pattern.”
• Use the “miscellaneous” folder to encapsulate legacy code.
• Gradually migrate logic into Wheels views, then controllers, and finally models.
• Existing templates can often be reused with minor routing updates.
Discussion turns toward how AI is already helping with Wheels development and where Peter sees it heading.
• AI tools like Claude and ChatGPT are surprisingly capable with CFML.
• Peter is exploring how to optimize Wheels documentation and tooling for AI understanding.
• Talks about Model Context Protocol (MCP) as a way to feed runtime data to AI agents.
The episode wraps up with practical recommendations for showing how to onboard legacy codebases into Wheels and the importance of a smooth developer experience.
• Possible screencast idea for walking through a real-world legacy migration.
• Encouragement to adopt modern MVC for maintainability and scalability.
• Wheels’ goal is to offer a polished developer experience rivaling modern frameworks like Rails or Laravel.
Ben & Ryan Show Episode 19
In this episode, your hosts Ben Nadel and Ryan Brown catch up after a short hiatus with a wide-ranging, unscripted conversation covering everything from the latest ColdFusion trends to personal experiments with AI and vibe coding. With no guest this time, it's a freestyle episode filled with developer insights, community stories, tech musings, and even a few nostalgic tangents about their careers and upcoming conferences.
Key Points
• Ryan shares insights from attending Into the Box
• Ben discusses his limited but productive use of AI, leveraging pseudocode to retain creative ownership of his code.
• The hosts dive into technical and philosophical challenges around AI-assisted development, including context limits, prompt strategies, and tooling.
• Fun anecdotes cover experiments with vibe coding, from building a bingo app to letting kids iterate on games in Replit.
• They preview plans for ColdFusion Summit, hinting at retro themes and marketing tactics like well-chosen swag.
The hosts kick off their catch-up with banter about attending Into the Box
• Into the Box was professionally run with in-depth sessions and tons of fun like mariachi karaoke.
• Ryan explores the idea of xByte Cloud sponsoring future ColdFusion events.
• Discussion of possible future guests from the "Box" ecosystem
• Ben shares his troubles getting BoxLang running in CommandBox due to Java version conflicts.
They reflect on how AI is influencing development workflows, particularly through testing and safe deployments.
• Testing is increasingly seen as essential, especially with frequent Adobe ColdFusion patches.
• Ryan mentions synthetic testing tools like Datadog as helpful for customer QA.
• Ben confesses he’s historically done manual testing, though AI might shift that.
• They explore release practices and breaking changes in Adobe CF updates.
• xByte Cloud supports parallel environments to ease upgrade testing.
The conversation shifts to vibe coding, with examples from both hosts of small projects and the value of playful iteration.
• Ben and Ryan explore Replit and building simple games or utilities with ChatGPT.
• Ryan’s son built a Flappy Bird-style game, iteratively adding features via prompts.
• Ryan vibe-coded a virtual bingo game when the usual service went down.
• They appreciate the immediacy of coding with AI assistance and rapid prototyping.
AI’s limitations and best uses become a recurring thread, as Ben and Ryan wrestle with how to use AI tools without sacrificing learning or control.
• Ben prefers using AI to generate pseudocode but insists on doing the final implementation himself.
• Prompt engineering emerges as a key skill—Ryan tests role-based agent workflows.
• They debate the fear of losing mastery versus gaining productivity.
• Ryan tries auto-correcting code through multiple AI agent passes.
• Both agree curiosity and experimentation are crucial to productive AI use.
Security and maintenance surface toward the end as they react to the latest data breach news and dream of AI-powered password management.
• A recent leak of 16 billion passwords prompts questions about best practices.
• Ben considers how 1Password’s Watchtower could integrate AI to rotate credentials.
• They riff on AI agents auto-managing security tasks like 2FA and password changes.
• The conversation ties back to larger questions about trust, safety, and AI autonomy.
Wrapping up, they share a few final thoughts on CF Summit, marketing swag wins, and what listeners might want from future episodes.
• CF Summit 2025 will celebrate ColdFusion’s 30th anniversary.
• They’re expecting retro-themed parties and looking to bring value as vendors.
• Ben’s wife loves the travel mug from xbyte Cloud—a marketing win.
• The episode ends with a call for listener feedback and a promise to keep the show going.
Ben & Ryan Show Episode 18
In this episode, your hosts, Ben Nadel and Ryan Brown, are joined by longtime ColdFusion developer James Moberg, CTO of Sunstar Media, for a deep-dive into the wild world of user-defined functions (UDFs) and decades of real-world development hacks. From building custom tools that bridge gaps in ColdFusion and Lucee, to mastering performance and security through clever abstraction, the crew shares a treasure trove of lessons learned from the trenches.
Key Points
• James shares his approach to building reusable ColdFusion UDFs that work across Adobe CF and Lucee.
• The crew explores performance wins using command-line tools versus built-in CF tags like CFZip and CFImage.
• Strategies are shared for data sanitization, accessibility, and obfuscation using tools like Jsoup and hashing functions.
• They discuss how caching, output buffering, and shadow DOM techniques can power dynamic web experiences and secure flows.
• Real talk on AI’s limits when it comes to ColdFusion code generation—and why real-world testing still matters.
Different kinds of UDFs and how naming collisions and platform differences have influenced his work.
• Three main categories of UDFs: logic abstraction, proxying functionality, and UI simplification.
• Discusses how CF versions and Lucee differ in function availability and behavior.
• Talks about CF Backport as a strategy for extending older ColdFusion versions.
A spirited discussion on real-world cross-platform quirks, unscoped variables, and strategies for HTML standardization.
• Importance of using scoped variables to prevent unexpected collisions in code.
• How ColdFusion's HTML output can be sanitized using Jsoup and AI-assisted validation.
• Real-world examples of legacy platform quirks that led to better testing and abstraction strategies.
They unpack the use of executables and CFExecute for performance-heavy tasks like PDF generation, image processing, and zipping files.
• CFZip and CFImage are shown to be slower than OS-level executables like 7-Zip or GhostScript.
• Explains how using external tools avoids Java heap memory issues.
• Highlights the benefits of file-based tools for consistency and speed across deployments.
James walks through some of his favorite UDFs
• hashID: CFML user-defined functions (UDFs) provide a simple mechanism for generating and validating hash-based identifiers.
• createShadowHtml: CFML user-defined function (UDF) generates HTML and inline JavaScript to create a dynamic, client-side preview of a given HTML document within a shadow DOM
• streamFindNoCase: user-defined function (UDF) searches the currently accumulated output buffer for the presence of a given string, performing a case-insensitive comparison.
• generateEmailHashCode: user-defined function (UDF) processes an email address by extracting the domain, sanitizing the username by removing periods (dots) and any part after the first "+", converting both parts to lowercase, and then returning a Java-generated integer hash code of the resulting string.
• enableWKHTMLTOPDFForms: user-defined function (UDF) modifies the binary of a non-Adobe-generated PDF file to enable the editing of form fields in Adobe Acrobat.
• tempCache: user-defined function (UDF) allows you to temporarily store data in the ColdFusion cache and retrieve it using a generated UUID.
• jreEscape: user-defined function (UDF) ensures strings can be safely used in regex patterns by preventing special characters from being interpreted as regex metacharacters.
• maskCC: user-defined function (UDF) takes a text string as input, searches for patterns that resemble credit card numbers, attempts to validate these potential numbers using ColdFusion's built-in credit card validation, and then masks the validated numbers by replacing all but the last four digits with asterisks.
Helpful Links
http://www.mycfml.com/ - James's website showing these functions and more.
Ben and Ryan Show Episode 17
In this episode, your hosts Ben Nadel and Ryan Brown are joined by Peter Amiri to share the gripping, real-world story of what it's like to experience—and recover from—a devastating ransomware attack. They dive deep into the technical and emotional toll of cyber extortion, walking through how it happened, what went wrong, and the long road to restoring operations while learning critical lessons along the way.
Key Points
• Peter recounts a ransomware attack that began with a zero-day exploit in their firewall and resulted in full encryption of their Windows-based infrastructure.
• Despite following industry best practices like 3-2-1 backups, cyber insurance, and EDR tools, the breach occurred due to overlooked alerts and underestimated risks.
• The team responded by cutting internet access, engaging incident response vendors, and rebuilding their environment from scratch in parallel with negotiating a ransom.
• Lessons include the critical need for MDR services, verified air-gapped backups, centralized SSO/MFA security, and proactive disaster recovery planning.
• Ultimately, the company recovered within 8 days, avoiding catastrophic data loss by leveraging unencrypted legacy copies and strategic capacity planning.
Peter discusses the company's security posture before the attack
• Cyber insurance renewals demanded increased security: MFA, then EDR, leading to major financial investment.
• EDR picked up early malicious activity, but alerts were missed due to noise and lack of security specialization.
• Overconfidence in lesser-used virtualization tools contributed to a false sense of security.
• Alarm fatigue contributed to overlooking early breach signals.
The breach was triggered by a zero-day exploit in their firewall
• The attackers deleted VM snapshots rapidly, prompting the team to disconnect internet access immediately.
• Analysis revealed the attackers were inside for 3-4 months.
• Compromised admin accounts were used to delete offsite backups.
• A seven-day-old backup and a three-month-old ERP copy survived due to architectural luck.
Peter explains how they recovered
• A three-tier recovery strategy began: rebuilding from scratch, retaining encrypted originals, and decrypting clone copies.
• FBI approval was needed for ransom payment, which was surprisingly low and flagged as a possible re-engagement tactic.
• A decryption test with non-critical files validated the attackers had access.
• The decryption key ultimately worked, restoring full operations just before their parallel recovery would have been completed.
Post-breach, Peter outlines the enhancements made to secure their environment and improve detection and response.
• A secondary DR site was implemented with air-gapped nightly snapshots.
• All systems moved to enterprise SSO with MFA and session timeouts.
• A managed MDR provider was retained to monitor and escalate potential threats in real time.
• Simulation phishing campaigns and employee security training were introduced to combat social engineering.
The conversation shifts to the importance of recovery readiness over prevention
• Emphasis is placed on headroom in infrastructure for recovery, especially in on-prem environments.
• Decision-making between "verify first" vs. "block first" policies is discussed based on system criticality and false positive rates.
• Real examples of phishing, supplier impersonation, and invoice fraud highlight human vulnerabilities in security.
Helpful Links
Arete (company that helped Peter and provides Managed Detection and Response services)
https://areteir.com/
SentinelOne (Incident Response Platform)
https://www.sentinelone.com/
Ben and Ryan Show Episode 16
In this episode of the Ben and Ryan Show, hosts Ben Nadel and Ryan Brown are joined by guest John Nessim to explore the evolving world of content management systems (CMS). With his deep development background and years of practical experience, John dives into everything from traditional platforms like WordPress to advanced headless CMS solutions, offering valuable insights into when and why to choose different tools for your website.
Key Points:
• CMS platforms have evolved to balance user-friendliness with developer control, from WYSIWYG editors to headless solutions.
• WordPress dominates the market but can be bloated and vulnerable if not managed properly.
• Headless CMS options like Strapi and Sanity allow for greater flexibility, scalability, and multi-platform content distribution.
• Accessibility enhancements not only improve user experience but also deliver measurable SEO benefits.
• Choosing the right CMS depends on business maturity, scalability needs, and how content is consumed and maintained.
Definition and purpose of a CMS
• The key function of CMS is to give control over content to non-developers.
• Static site generators may not qualify as CMS unless they include content creation tools.
• CMS evolved from managing unstructured text to structuring rich data like events and services.
• Headless CMS is described as content blocks managed separately from the front-end template.
Headless CMS
• Headless CMS organizes content in blocks delivered via APIs (usually JSON/XML).
• WordPress now supports headless modes using technologies like React or Next.js.
• Hosting implications include managing the CMS separately from front-end deployment.
• Businesses are leaning toward this model to support multiple front-ends like web, mobile, and embedded apps.
Traditional CMSs
• Website builders are constrained but easy-to-use tools for non-technical users.
• WordPress is a middle ground—flexible, extensible, but prone to bloat and plugin issues.
• Mura and its fork MASA are powerful ColdFusion-based CMSs used for multi-language and multi-site setups.
• Custom or niche CMSs still hold value in developer-friendly ecosystems.
Accessibility
• Structured content (headings, alt tags) improves screen reader compatibility and SEO.
• Color contrast and readability considerations enhance inclusivity and usability.
• SEO and accessibility goals often align, especially with structured markup.
• Tools and plugins can measure and enforce accessibility standards effectively.
WordPress
• WordPress’s popularity makes it a target for bots and DDoS attacks.
• CMS platforms can become resource-intensive without proper caching and security measures.
• Best practices include Cloudflare protection, selective plugin usage, and admin page hardening.
• WordPress was never intended for large-scale, mission-critical systems.
Picking a CMS
• Simpler businesses should stick with GoDaddy or WordPress for cost-effectiveness.
• Growing companies may outgrow WordPress and require more robust headless CMSs.
• Business use cases should dictate the CMS—static presence, lead generation, e-commerce, etc.
• Costs, flexibility, and developer availability all factor into CMS choice.
Final Thoughts
• AI-driven tools like Wix’s website generator disappoint in quality without developer oversight.
• Advanced AI tools can accelerate site creation when paired with knowledgeable devs.
• CMSs need to consider future-proofing against evolving SEO rules and AI-driven content indexing.
• John offers real-world examples of using simple tools effectively based on client needs.
Useful Links
In this episode, your hosts Ben Nadel and Ryan Brown take a break from their usual guest interviews to reflect on their personal and professional journeys in the first months of 2025. They discuss major career transitions, the challenges of job hunting in today's market, and the evolving landscape of software development, all while sharing personal stories and insights on adapting to change.
Key Points:
• Ben shares his transition from co-founding Envision to joining a new company in a completely different industry, facing a steep learning curve.
• Ryan talks about how networking and content creation play a key role in career opportunities, and why developers should build a public presence.
• They discuss the struggles of job searching, from dealing with stress and rejection to navigating a shifting industry.
• The importance of continuous learning, including Ben’s deep dive into CF Wheels and Ryan’s exploration of AI tools for productivity.
• A surprising story about purchasing fake AirPods from a major retailer and the unexpected resolution.
Ben reflects on his career shift after Envision’s closure, now working with Peter Amiri in a company focused on truck parts manufacturing.
• He describes the shift from self-directed work to structured teamwork and ticket-based workflows.
• Adjusting to new processes, communication methods, and working with a small but growing development team.
• Learning CF Wheels as part of the new job and the challenges of adapting to a new framework.
• The difficulty of balancing personal projects with work and feeling mentally exhausted from constant adaptation.
Ryan discusses his experience with job hunting and how networking made all the difference.
• Instead of relying on traditional applications, he leveraged his contacts to land new opportunities.
• He highlights how producing content and engaging with the community helps people stay visible in their industry.
• They reflect on how technical interviews often fail to identify the best candidates.
• The importance of having a portfolio to showcase real-world skills rather than relying on resume claims.
The hosts talk about their growing podcast and their experiences connecting with industry leaders.
• The unexpected success of the show and the ease of booking high-profile guests.
• How structuring the podcast recording schedule helped them maintain consistency.
• The challenge of engaging with technical communities outside of developer circles, like sysadmins and DevOps professionals.
Ben shares his journey into learning CF Wheels and the challenges of adapting to a new development ecosystem.
• How CF Wheels compares to Ruby on Rails and its "convention over configuration" approach.
• The struggle of learning a new problem domain while adjusting to a new job environment.
• Dealing with imposter syndrome and the pressure to adapt quickly.
Ryan recounts his bizarre experience buying fake AirPods from Walmart.
• The troubleshooting process, multiple failed attempts to connect them, and Apple's confirmation that they were counterfeit.
• How Walmart ultimately resolved the issue after several attempts at customer service.
• A lesson in checking serial numbers when purchasing electronics from big retailers.
The hosts wrap up with a look ahead at upcoming episodes, including more Adobe-focused discussions and AI developments.
In this episode, your hosts, Ben Nadel and Ryan Brown, sit down with Steve Leve from ShareASale to dive into the challenges and lessons learned from navigating an acquisition, managing technical debt, and executing large-scale migrations. They explore the impact of legacy systems, the balance between maintaining old infrastructure and innovating new solutions, and the role of AI in modern software development.
Key Points:
• Steve shares his journey from a small-town coder to a principal architect at ShareASale.
• The team discusses the challenges of merging companies post-acquisition, including business model differences and technical debt.
• Lessons from large-scale infrastructure migrations, including moving from ColdFusion monoliths to modern architectures.
• The importance of balancing innovation with maintaining existing systems and the trade-offs of cloud computing.
• How AI is reshaping development practices, from documentation to automated testing.
Migrating an entire business platform brings its share of surprises and roadblocks.
• Steve shares his experience of being acquired by AWIN and the growing pains that followed.
• The team discusses the complexities of merging different operational and technological approaches.
• They reflect on the unexpected technical challenges, including a looming data center shutdown and hardcoded infrastructure dependencies.
• The importance of knowledge sharing within a team to prevent reliance on a single expert.
Navigating technical debt is all about prioritization and timing.
• The group explores the idea that not all technical debt needs to be fixed—only what blocks innovation or scaling.
• Steve emphasizes "tidy first" as an approach to incrementally improving code rather than massive rewrites.
• Real-world examples of how debt manifests in migrations and why some old code surprisingly holds up.
• The discussion touches on key strategies for managing technical debt within an evolving business landscape.
Migrating to AWS and cloud adoption brings new efficiencies but also new constraints.
• Steve and Ben share stories of migrating to AWS, the surprises along the way, and the need for expert help.
• Lessons on the hidden costs of cloud adoption and why simply lifting and shifting to the cloud isn't always the best strategy.
• The team debates the trade-offs between autoscaling, managed services, and maintaining on-premise solutions.
• Real-world examples of cost-efficient cloud migration strategies.
Strangler patterns, AI-driven documentation, and the future of software development.
• The team discusses the strangler pattern as a way to incrementally transition from legacy systems to modern platforms.
• Steve shares insights on how AI is being used for documentation, testing, and even code analysis.
• The group speculates on how AI-driven tools can improve developer efficiency and streamline migrations.
• They reflect on the importance of keeping up with evolving tech while maintaining a pragmatic approach to change.
This episode is packed with practical insights, real-world experiences, and candid discussions about the messy, challenging, and ultimately rewarding process of managing technical debt, cloud migration, and acquisitions. Whether you're a developer, architect, or IT leader, there's something valuable here for you!
In this episode, your hosts, Ben Nadel and Ryan Brown, sit down with Andrew Pendleton, Senior Director of Design Systems at Verizon, to discuss the role of design systems in driving consistency, accessibility, and innovation. They explore how Verizon’s approach to accessibility goes beyond compliance, how design systems empower both designers and engineers, and the challenges of maintaining a unified system in a vast enterprise.
Key Points:
• Verizon’s Design System centralizes design and engineering decisions to create scalable frameworks for digital experiences.
• Accessibility at Verizon is treated as a driver of innovation, not just compliance, influencing best practices and component design.
• The impact of constraints in design systems, allowing teams to move faster and focus on complex problems.
• The importance of cross-team communication and standardized language in improving adoption and efficiency.
• Strategies for starting a design system and integrating accessibility in an organization.
Andrew shares how his background in digital art, development, and management uniquely positioned him to lead Verizon’s Design System team.
• He discusses the importance of bridging the gap between designers, engineers, and product teams through shared terminology and best practices.
• The conversation covers how accessibility has led to innovations like responsive web design, captioning, and high-contrast modes.
• Verizon’s approach to user testing includes an accessibility lab where customers with disabilities provide direct feedback on digital and physical product experiences.
The team dives into how Verizon builds and maintains accessible components for its design system, including an advanced video player with baked-in accessibility features.
• Andrew explains how they studied platforms like YouTube, Adobe, and native HTML elements to build an optimized solution.
• The importance of leveraging the platform but extending it where necessary to maintain accessibility.
• The balance between stability and flexibility in design systems to allow innovation while maintaining consistency.
The discussion shifts to the challenges of adoption within a large enterprise and strategies to encourage engineers and designers to embrace the design system.
• Architectural misalignment and legacy technologies present obstacles to adoption, requiring phased transitions.
• Design tokens help standardize visual elements even in non-React environments.
• The role of accountability in ensuring accessibility and quality standards are maintained, even when teams customize components.
Andrew and the hosts close the episode by discussing how individuals and organizations can begin implementing accessibility in their work.
• Recommended resources for learning about accessibility, including books and online tools.
• The importance of having an accessibility champion within a company to drive awareness and adoption.
• Practical steps developers and designers can take to improve their accessibility practices, even in organizations without formal accessibility initiatives.
This episode is packed with insights on design systems, accessibility, and the intersection of technology and user experience. Whether you’re a developer, designer, or product leader, there’s something here for you!
Ben and Ryan Show Episode 12
In this episode, your hosts Ben Nadel and Ryan Brown sit down with security expert Brian Riley, author of the HoyaHaxa blog, to discuss ColdFusion security vulnerabilities and best practices for mitigating risks. The conversation dives into recent ColdFusion exploits, how security patches impact developers, and the broader implications of securing applications beyond just ColdFusion itself.
Key Points:
• ColdFusion has been targeted by multiple 0-day vulnerabilities, highlighting its continued presence in critical systems.
• Adobe's recent security updates introduce breaking changes, forcing developers to make necessary adjustments.
• Security is a multi-layered approach—application security is just one part of a larger ecosystem that includes OS, networking, and cloud infrastructure.
• The trade-off between convenience and security often leads to vulnerabilities, especially with features like remote CFC access.
• Managed hosting providers and security tools like HackMyCF can help developers stay ahead of emerging threats.
Discussion Highlights:
ColdFusion Security Landscape
• ColdFusion is still actively targeted by attackers, despite debates over its relevance.
• Government and financial institutions heavily rely on ColdFusion, making it a high-value target.
Adobe's Recent Security Updates
• Adobe is pushing security patches that enforce stricter security measures, sometimes breaking legacy applications.
• The variable scoping issue is a major focus—forcing developers to fix long-standing bad practices.
• Deprecated encryption methods are being phased out for stronger security.
Common Security Best Practices
• Regularly update ColdFusion and all associated components like Java and Tomcat.
• Restrict access to CFIDE and ColdFusion Administrator to prevent common exploits.
• Use a multi-layered defense strategy, including web application firewalls (WAFs), OS-level security, and network protections.
Challenges of Security in Hosting and DevOps
• Managed hosting providers must balance security with not breaking customer applications.
• Attackers often leverage vulnerabilities beyond just the ColdFusion layer, including database, OS, and network weaknesses.
• Cloudflare and similar services help block DDoS attacks but aren't always sufficient in real-time scenarios.
The Convenience vs. Security Tradeoff
• Many vulnerabilities exist because developers prioritize ease of use over security.
• Features like remote CFC access, while convenient, often introduce security risks.
• Security teams and developers must collaborate to strike the right balance between usability and protection.
Final Thoughts and Resources
• Brian Riley's blog HoyaHaxa provides deep dives into ColdFusion security issues.
• OWASP’s Top Ten is a great resource for understanding common security vulnerabilities.
• Developers should engage in proactive security practices rather than waiting for the next 0-day exploit.
Recent ColdFusion Related HoyaHaxa Blogs
• https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html
• https://www.hoyahaxa.com/2024/08/bsideslv-2024-slides-modern-coldfusion.html
• https://www.hoyahaxa.com/2024/07/on-coldfusion-administrator-access.html
Ben and Ryan Show Episode 11
In this episode, hosts Ben Nadel and Ryan Brown interview Grant Powell, founder of Curios. Grant shares his journey in the Web3 and NFT space, detailing how Curios started as a licensable NFT platform and successfully pivoted after the NFT bubble burst. The discussion dives deep into digital ownership, blockchain challenges, and how Curios is revolutionizing digital content distribution for creators.
Key Points:
• Curios' Evolution – Originally an NFT licensing platform, Curios pivoted to focus on digital content ownership after the market downturn.
• Blockchain & ColdFusion – The role of ColdFusion in building Curios' rapid development and API-driven platform.
• NFTs Beyond Art – Real-world applications for NFTs in digital ownership, including music, books, and event ticketing.
• Decentralization – The benefits and challenges of decentralized platforms compared to centralized ones like Ticketmaster.
• AI in Collectibles – Grant’s work with collectibles.com and AI-driven identification and valuation of collectibles.
Episode Breakdown:
Curios' Origin and Pivot
• Curios started as a platform to help businesses create and manage NFTs.
• The NFT craze led to unrealistic expectations, and as the hype collapsed, Curios pivoted to a broader digital ownership platform.
• ColdFusion played a key role in the flexibility and speed of their platform’s development.
Real Use Cases for NFTs
• NFTs are more than just overpriced JPEGs—they serve as proof of ownership for digital content like eBooks, music, and videos.
• Grant highlights how digital ownership differs from physical ownership and why secondary markets for digital goods are still developing.
• Ticketing is a strong use case, especially for VIP passes and exclusive access to events.
Challenges of Web3 and Blockchain Scalability
• Many blockchains create “walled gardens” that limit interoperability.
• Curios was among the first platforms to support multiple blockchains.
• Scalability issues in blockchain transactions require additional abstraction layers to ensure speed and efficiency.
Digital Rights and Ownership Protection
• Blockchain technology ensures proof of ownership, but enforcement remains an issue.
• The right to access content is separate from hosting the content itself, allowing removal when necessary.
AI and the Future of Collectibles
• Grant discusses collectibles.com and how AI is transforming the world of collecting.
• AI can help identify, grade, and value physical collectibles like coins, comics, and trading cards.
• The future of AI-driven marketplaces and its impact on the secondary market for rare items.
The Balance Between Work, Entrepreneurship, and Life
• Grant and Ben share insights on time management and balancing multiple projects.
• The importance of structuring schedules to maintain productivity without burnout.
• Investors’ perspectives on serial entrepreneurship and the fine line between focus and diversification.
Ben and Ryan Show Episode 10
In this episode of the Ben and Ryan Show, hosts Ben Nadel and Ryan Brown are joined by Dan Short, the Director of Engineering at Virtuous Software, to explore the dynamics of career paths in software engineering, particularly the transition from individual contributor to management. The conversation dives deep into personal experiences, practical advice, and insightful reflections on leadership, motivation, and the evolving role of technology in the workplace.
Key Points:
• The transition from individual contributor to management and the challenges of developing management skills
• Understanding personal "why" and aligning career choices with motivation and joy.
• Can you do both - balancing technical expertise with managerial responsibilities (or not).
• Addressing the role of AI as a supportive tool rather than a replacement for engineering roles.
• Strategies for fostering team motivation and achieving organizational goals effectively.
Dan’s Introduction and Career Path
Dan shares his journey from the Army to becoming the Director of Engineering at Virtuous Software, highlighting his transition from administrative tasks to technical and managerial roles.
• Early career in automating processes using Microsoft tools.
• Progression from IT management to web development during the early 2000s.
• Moving into management out of necessity and adapting through trial and error.
• Building and leading teams at companies like CoStar and Virtuous Software.
The Reluctant Manager Transition
Dan discusses the challenges of moving from an individual contributor to management, focusing on the struggle to find new ways to measure success and the initial reluctance to take on leadership responsibilities.
• Discovering satisfaction in mentoring and enabling team success.
• Differences between technical wins and people-oriented victories.
• Importance of defining clear roles and responsibilities.
• Lessons learned from managing through uncertainty and resistance.
Navigating Career Path Options
The team debates whether to grow into management within an existing company or seek leadership roles elsewhere, emphasizing the importance of mentorship and personal alignment.
• Balancing technical and managerial responsibilities effectively.
• Challenges of transitioning into management in familiar versus new environments.
• The value of mentorship and support systems in career growth.
• Recognizing when management might not align with personal goals.
The Role of AI and Technology in Engineering
Exploring the evolving role of AI in software development, Dan highlights its potential as a tool for enhancing productivity rather than replacing engineers.
• Practical applications of AI, like automating repetitive tasks and generating ideas.
• Addressing concerns about AI replacing human creativity and problem-solving.
• The importance of maintaining a people-centric approach in technology roles.
• Using AI for brainstorming and augmenting decision-making processes.
Advice for Aspiring Managers
Dan offers advice for those curious about management, stressing the importance of aligning career choices with personal joy and motivations.
• Trying out mentorship and team lead roles before committing to management.
• Leveraging books, podcasts, and thought leaders for continuous learning.
• Staying curious and focusing on people-centric problem-solving.
• Cultivating a supportive workplace that values both management and IC career paths.
Ben and Ryan Show Episode 9 In this episode your hosts, Ben Nadel and Ryan Brown, talk with Shawn Gorrell and explore diverse topics ranging from AI applications to organizational psychology and ethics, emphasizing practical tools and thoughtful strategies for teams and individuals.
Key points:
• AI as a spectrum: Some embrace it as life-changing, while others fear its implications.
• Early AI exploration focused on ethics and societal impacts.
• Ethical frameworks often lag behind technological advancements.
AI's practical applications, such as automating tedious tasks, were highlighted, with Shawn discussing potential benefits for developers:
• Automating unit testing could save time and increase efficiency.
• AI's role as an assistant or "intern" to augment but not replace human expertise.
• Validation remains critical to ensure output reliability.
Shawn emphasized the importance of prompts and domain knowledge for effective AI use.
They explored organizational and individual growth, discussing how to create meaningful work environments:
• Helping others achieve goals can foster personal growth.
• Transparency in team dynamics, such as working agreements, improves collaboration.
• Intentionality in interactions, especially in remote or hybrid work setups, enhances effectiveness.
The ethics of AI, especially in decision-making, was examined:
• Past AI missteps, like biased hiring algorithms, underscore the need for accountability.
• Predictive policing and crime data illustrate potential for reinforcing systemic biases.
• Informing consent and transparency in algorithms are vital to building trust.
Shawn shared insights on soft skills and people management:
• People skills are a key differentiator for success in technology roles.
• The balance between technical expertise and empathy fosters better teams and outcomes.
• Team exercises, like identifying unnecessary tasks, can drive efficiency and morale.
The episode closes with reflections on creativity, evolving frameworks, and career motivations.
• Technology should alleviate mundane tasks, enabling more focus on innovation and enjoyment.
• Tools like AI can aid creativity but should complement, not replace, human ingenuity.
• Keeping foundational skills while adapting to tools like GPT ensures long-term success.
Ben and Ryan Show Episode 8 In this episode, your hosts Ben Nadel and Ryan Brown talk about learning throughout your life.
Key topics included:
• Plug in your laptop if you are recording a podcast • Dogs can keep you up more than kids • Ben and Ryan are ChatGPT celebrities • What are the limits of what AI can do for you • Code editing in ChatGPT • Ben gets wowed with live iterative ChatGPT-ing • Difference between single page and multi page applications • Compare MySQL, PostgreSQL, and MS SQL • When can you use the 5 second rule • Ben and Ryan Show Live is Born
Ben and Ryan Show Episode 7 In this episode, your hosts Ben Nadel and Ryan Brown are joined by Adobe Product Manager, Charvi Dhoot, and Semify CTO, Brian Sappey. The group discusses the upcoming ColdFusion 2025 release and how Adobe determines which features to include in the release. And as always, the guys go on their many tangents.
Key topics included:
• Feature Development: Charvi explained that ColdFusion development prioritizes user needs, stability, security, and performance, often influenced by customer feedback and industry trends. • Integration Enhancements: Brian highlighted a feature enabling seamless integration with Microsoft's Azure user store, enhancing security and scalability for enterprise applications. This feature originated from his team's work and broader community needs. • Plugins and Community Contributions: The idea of a plugin marketplace was discussed as a way to allow developers to share and monetize their ColdFusion plugins. While technically feasible, its implementation depends on community interest and resources. • Tags vs. Script Debate: A recurring challenge in ColdFusion development involves balancing support for legacy tag-based code with newer script-based implementations, ensuring compatibility while encouraging modern practices. • ColdFusion 2025 Features: The episode touched on the CSV parsing feature, conceptual compression benefits, and enhancements like streamlined Java object integration. Charvi emphasized the significant effort to address long-pending issues and modernize the platform.
Ben and Ryan Show Episode 6 In this episode, your hosts Ben Nadel and Ryan Brown discuss what they are thankful for from 2024 and what they are expecting from 2025. And as always, the guys go on their many tangents.
Ben and Ryan Show Episode 5
In this episode, your hosts Ben Nadel and Ryan Brown are joined by xByte Cloud Chief Technology Officer, Dakota Clum, to double click into cloud hosting.
What are people doing to deploy dev code into cloud hosted servers
• RDP and make file changes directly on server
• FTP and apply updates to files one at time
• Azure DevOps - CI/CD (being adopted more)
• Agent can be deployed and have code deployed to traditional VPS
Load balancing on clusters
• Cloud based NAS shared storage between cloud servers
• Master - child replication
• SQL can load balance synchronization
• SQL can do active/passive for geo-failover
• Load balacing web servers needed before SQL needed most of the time
Deployment strategies
• Tradeoffs between efficiency and risk appetite
• You can evolve your processes over time
• No right or wrong answer
Scaling
• Depends on your needs
• Possible to run into issues where nodes not available on AWS
• Need to do reserved instances to get performance needs
• If you can predict when you need more load, you can do short term scaled servers
• Determine what needs scaled instead of entire application - or offload these to a separate service
Risk Appetite
• DR options - is it ok to be down for 15 minutes
• Cost of going from 4 9's of availability versus 5 9's
• For smaller deployments, do you need a separate dev server - non 0% chance that dev takes down production
Shared Hosting
• You get a website
• Share all RAM, CPU, Disk with everyone
• Noisy neighbor can take you down
• Generally shared hosting don't allow support for all ColdFusion hotfixes
• If just HTML files, it may not be an issue compared to also needing SQL
• Risk appetite of noisy neighbors
Most Common Security Issues We Have Seen In Other Environments
• Supporting file types not needed by your app allowing PHP executions
• Too many ports open exposing attack vectors
• SQL Injection when form input not sanitized
• File upload to default directories (don't use /upload)
• Allowing file executions in upload directories
