Thursday, 19 February 2015

Stories from the trenches: Sizing and penny pinching with Azure websites

How much capacity will you need for your app?

Or asked another way if wearing the vendor hat, how much money ya got?

We’re generally lousy at estimating infrastructure capacity requirements and even when a more scientific approach is taken (and it’s frequently not), we’re still lousy at estimating user behaviour in real world circumstances and the impact it will have on system performance.

Now, put that situation in a cloud environment and it has the potential to go a couple of ways. One is that you have underestimated and by courtesy of the glorious ability to increase resource very quickly, your bill goes nuts. Another is that you’ve overestimated and you end up paying for resources you really don’t need. I’ve recently gone through scaling challenges with both the website and the Azure SQL database on Have I been pwned? (HIBP). For me, it’s never about having access to enough scale (that’s pretty much limited by your wallet), rather it’s about trying to both keep the cost down and the perf up and frankly, I don’t really want to compromise on either! Here’s what I’ve done with the website and I’ll write more about the database another time.

Wednesday, 18 February 2015

App sec in Europe!

Through what I can only describe as enormously fortuitous circumstances (and I’ll better qualify that in a later post), I have the bandwidth to do a bunch of things over the next few months that previous commitments kept me from. One of the immediate things I’m now doing is saying “yes” when I previously had to decline. Yes to conferences. Yes to training. Yes to consulting and in the context of this blog post, yes to folks in the EU.

I’m off to Europe a couple of times over the coming months for two awesome events. The first is OWASP’s AppSecEU in the Netherlands in May:

OWASP AppSecEU 2015: 19-22 May 2015

Tuesday, 10 February 2015

Spec’ing, choosing and testing a UPS for the home office

I’ll keep this one pretty much to the point and let the pictures do most of the talking. In my kitchen cupboard, I have this:

Circuits in the kitchen cupboard

It may well be related to the vicinity of the chocolate, but the kids seem to like hitting those switches. For some reason, they particularly like doing it when I’m right in the middle of this:

Editing work in Camtasia

Editing Pluralsight courses is laborious work. I do it on my desktop so I get all four screens to look at and I invariably have a heap of other things open at once, each positioned in the right place on the right screen so I know exactly where to look for what and when. And then it all goes black. No warning, just a kid looking for chocolate.

Monday, 9 February 2015

Introducing my new weekly column, “Security Sense” on Windows IT Pro

Regular readers here will recognise that if there’s one thing I’m generally not short of, it’s security stuff to talk about and personal opinions on the whole thing (maybe that’s two things). Oh and there’s also the thing about spending a whole heap of time writing security training material for Pluralsight and maintaining Have I been pwned? which all keeps me rather immersed in what I reckon is a very exciting industry. I mean what’s not to love in an industry where the pendulum regularly swings from extremes such as attackers hacking modems to hijack traffic and buy Brazilian hookers through to Obama getting up and admonishing the Axis of Evil themselves for pwning Sony over a crappy movie. It’s non-stop infosec action.

The other day, Windows IT Pro asked me if I might like to start writing a weekly column on the wonderful world of cyber-security, cyber-hackers and cyber-sensationalism. Wait – what?! No really, my view is that all too often it is sensationalism and that amidst all the excitement we somehow lose track of the fundamentals. They gave me enough free rein to shape the column in a way that I thought would really resonate with people and so here it is – “Security Sense” – and the intro to it just went out today.

Unlike my frequently verbose and often highly technical blog posts, Security Sense will be closer to a one-pager each week and targeted at a broader audience. There’ll inevitably be parallels with other things I write or talk about, but I’ll keep it higher level and more consumable than a lot of my other material. It gives me a great platform to reach a broader audience and by all accounts, it addresses an area where there’s a huge amount of interest at the moment.

For those unfamiliar with Windows IT Pro, it’s run by Penton who’ve been doing this sort of thing for 110 years. Not all of them on the web, of course, but they’ve got somewhat of a track record when it comes to publishing. The site serves a community of over 2.7 million IT pros, developers, partners and providers so there’s a good number of eyeballs on their content.

I really hope it appeals to my existing audience as well as to a whole new one I don’t normally reach. My first column has already been submitted and will go out shortly. I’ll be communicating new articles via social media and engaging in discussion on Windows IT Pro in the context of the articles so I hope to see a bunch of you there in the future. Enjoy!

Thursday, 5 February 2015

Introducing AngularJS Security Fundamentals on Pluralsight

If I’m honest, I always found it a bit unusual to get this question:

“How do I secure my Angular apps?”

I mean, Angular is just JavaScript that runs in the client and a few HTML directives. Ok, it’s very good JavaScript and I don’t mean to trivialise the framework in any way whatsoever, but all the security grunt work still needs to happen on the server. Angular will do nothing for your SQL injection or your lack of access controls on server resources or any of the other really nasty security stuff that tends to go wrong in web apps. Yet the question kept coming up and the more I thought about it, the more it made sense to put Angular security in perspective. So I made this Pluralsight course:

Angular JS Security Fundamentals

The very fact alone that developers kept asking about Angular security was enough motivation to do a course on it. Let me explain how I’ve approached it.

Friday, 30 January 2015

Understanding Azure website auto-scale magic

I was helping out a consumer of Have I been pwned? (HIBP) earlier today as they were trying to build up a profile of the pwnage state of their client base. This meant firing a heap of requests at the API so that they could assess a very large number of accounts. I’m always interested in how far this service can be stretched and indeed what the thresholds are before Azure starts applying auto-scale magic.

First up, keep in mind that each request to the API is searching through 175 million records in Azure Table Storage. You can read about the story of HIBP for background on why I chose this data structure but one of the key reasons is scale – it’s massive!

Anyway, here’s what I started seeing early this morning courtesy of New Relic:

Requests per minute peaking at over 5k

Wednesday, 28 January 2015

Azure WebJobs are awesome and you should start using them right now!

No really, they’re totally awesome! I used Azure WebJobs in the very early days and whilst they served a purpose, I wasn’t blown away with them at the time. In fact I went on to use Worker Roles for the back end paste processing behind Have I been pwned? (HIBP) and whilst they served me well, there were also aspects that weren’t as slick as what the broader Azure ecosystem is.

Recently I had cause to build another back end process for HIBP (one I’ll talk more about in detail in a later post) so I thought I’d come back and visit WebJobs again. The extent of what I was able to do, the ease with which it all happened and the time it took just totally blew me away. There were a few things in particular though that really struck me while building out this new feature using WebJobs and I wanted to capture and share those here.

What I ended up deciding to do is to rebuild a part of HIBP using a WebJob, namely the part that looks for new pastes in a queue then goes and retrieves them from Pastebin and sends out notification emails to those impacted. Converting this from a Worker Role really highlighted where WebJobs shine.

Friday, 23 January 2015

Automating web hosting creation in Azure with PowerShell

Here’s your situation: you’ve got a heap of websites on traditional hosting models. Shared tenancies on single logical machines, dedicated infrastructure or even worse, not really any idea because you just keep paying that $5 per month and stuff works. Most of the time.

But you’ve seen the light and you want to move things to Azure en masse. A small handful of sites isn’t a drama, there’s a bit of setup work to create the Azure resources for each one and so long as you follow a pre-defined set of steps just perfectly, you’re fine. But like most things that require manual steps, it’s highly error-prone in terms of getting everything just right every time and it’s also very laborious. Once that handful of sites becomes dozens, it starts to feel like a bit of hard work. Not only that, but you’re going to want new assets in Azure in the future and having a repeatable way of doing that near instantaneously would be kind of nice.

I had this challenge recently – “we want to migrate a heap of websites to Azure and they’ll all fit into basically the same pattern” – so rather than have people clicking links in the Azure Portal, I gave them a single PowerShell script and unleashed them. I’m going to give you all the steps here that explain how it all works and give you the entire PowerShell script so that you don’t have to work out all the nuts and bolts from scratch. Enjoy!

Thursday, 15 January 2015

Have your customers been pwned? Would you like to know?

For the past year and a bit I’ve been building out features on Have I been pwned? (HIBP) in response to things I think would be awesome and things I’m asked for. I’m constantly surprised at the ways people have found to use the data for good, which is a nice twist given that the data normally comes from very unpleasant circumstances. For some ideas on how the data has been used, have a look at the API consumers page: various mobile apps, security tools, an IFTTT recipe and even a browser plugin. All of these plug into the existing freely available API, the one with nothing to get in the way such as auth or rate limits or anything else that poses a barrier to just getting in there and using it, like money! It’s open and it’s free.

But there’s been much more going on to make this data more useful to people that can do good things with it. Almost a year ago to the day, I released the domain search feature which allows anyone to verify their ownership of a domain and then be notified when anyone with an email on that domain is pwned. It’s been great for people who manage their own domains (i.e. they create multiple emails @myname.com) and also for organisations that want to get alerts when their staff get pwned, which is particularly useful given the potential for subsequent phishing attacks and direct impact to the organisation. There have been thousands of domain notifications already sent for both breaches and pastes that have impacted domains ranging from those managed by individuals for their family members right up to a number of Fortune 100 orgs with 100,000+ staff. It’s all working rather nicely :)

But there’s another really interesting use case for the service and that’s supporting people with dozens or even hundreds of domains they want to monitor. This is not something that’s really feasible to set up one by one; the existing verification process is fine for a few, but it’s not only laborious for large numbers, sometimes it’s not even possible. To that effect, over the last year I’ve had a number of people come to me and ask for a bulk load of domains. For example, a major bank who has assets spread out across many brands with unique domains. A telco who provides email services across dozens of domains. A financial services company that offers products under different names. And a really interesting one I can actually share with you publicly: XCentral.

Tuesday, 6 January 2015

Are your apps leaking your private details?

For many regular readers here, this is probably not overly surprising: some of your apps may do nasty things. Yes, yes, we’re all very shocked about this but all jokes aside, it’s a rather nasty problem that kids in particular are at risk of. There was a piece a few days back on Channel 4 in the UK about Apps, ads and what they get from your phone where a bunch of kids had their traffic intercepted by a security firm. The results were then shared with the participants where their shocked responses could then be observed by all.

I got asked for some comments on this by SBS TV here locally which went to air last night:
