Friday, 13 March 2015

On being a Pluralsight author


I’ve just come back from spending some time over in Utah with Pluralsight and a bunch of fellow authors and as I was last year, I’m all excited and full of great ideas. A bunch of people asked me what it was all about and what it means to be a Pluralsight author so rather than continually giving short responses to individuals, I thought I should articulate things a little more clearly because frankly, it’s all rather exciting. Let me explain.

Entry to the Authors Summit


Thursday, 12 March 2015

Yow! Conference talk – Hack yourself first


Back in December, I was privileged enough to be asked along to the Yow! Conference road show down here in Australia. I say “road show” as I and a bunch of speakers from around the world spent a couple of days in Melbourne, a weekend up in sunny Queensland, a couple of days in Brisbane then jetted down to Sydney and spent a couple of days there. It was pretty much the same content in each city, but obviously different audiences.

This was my first Yow! and it was a little different to most of the events I’d attended before. Very little Microsoft, lots of functional programming and Java plus a lot of higher level talks about software development in general and some particularly insightful talks. Lots of diversity too with a good mix of depth, speaker experience, gender and nationalities.

Whilst this wasn’t a new talk for me, I made a number of variations to my very popular “Hack Yourself First” talk which covers a heap of content from my Pluralsight course of the same name. By all accounts, it was an enormously successful talk with this one shot in Brisbane scoring 97% green cards and a few yellow ones.

(If you want player controls and full screen capability, head over to the Yow! site and watch it there.)

Saturday, 7 March 2015

Secure Account Management with .NET Rocks!


A little while back I wrote about The Conversation, that’s the one I often have with developers looking to build web applications which need to manage accounts but who perhaps haven’t quite thought through all the ins and outs of it. That was also the launch of a new Pluralsight course Secure Account Management Fundamentals which goes through a heap of things that usually come up in these conversations. I’d like to think that at the very least, it’s thought provoking but it’ll also potentially save you from some rather serious ramifications should things all go wrong.

A couple of weeks back I caught up with Carl and Richard on .NET Rocks as I’ve now done many times before and as always, had a great chat about security things. It was mostly about the security implications of managing accounts but as always, the conversation sort of steers itself in various directions and equally as always, I just had fun speaking with the guys.

Episode 1109 is now up on the .NET Rocks website or you can listen to it directly below:

Thursday, 19 February 2015

Stories from the trenches: Sizing and penny pinching with Azure websites


How much capacity will you need for your app?

Or asked another way if wearing the vendor hat, how much money ya got?

We’re generally lousy at estimating infrastructure capacity requirements and even when a more scientific approach is taken (and it’s frequently not), we’re still lousy at estimating user behaviour in real world circumstances and the impact it will have on system performance.

Now, put that situation in a cloud environment and it has the potential to go a couple of ways. One is that you have underestimated and by courtesy of the glorious ability to increase resource very quickly, your bill goes nuts. Another is that you’ve overestimated and you end up paying for resources you really don’t need. I’ve recently gone through scaling challenges with both the website and the Azure SQL database on Have I been pwned? (HIBP). For me, it’s never about having access to enough scale (that’s pretty much limited by your wallet), rather it’s about trying to both keep the cost down and the perf up and frankly, I don’t really want to compromise on either! Here’s what I’ve done with the website and I’ll write more about the database another time.


Wednesday, 18 February 2015

App sec in Europe!


Through what I can only describe as enormously fortuitous circumstances (and I’ll better qualify that in a later post), I have the bandwidth to do a bunch of things over the next few months that previous commitments kept me from. One of the immediate things I’m now doing is saying “yes” when I previously had to decline. Yes to conferences. Yes to training. Yes to consulting and in the context of this blog post, yes to folks in the EU.

I’m off to Europe a couple of times over the coming months for two awesome events. The first is OWASP’s AppSecEU in the Netherlands in May:

OWASP AppSecEU 2015: 19-22 May 2015


Tuesday, 10 February 2015

Spec’ing, choosing and testing a UPS for the home office


I’ll keep this one pretty much to the point and let the pictures do most of the talking. In my kitchen cupboard, I have this:

Circuits in the kitchen cupboard

It may well be related to the vicinity of the chocolate, but the kids seem to like hitting those switches. For some reason, they particularly like doing it when I’m right in the middle of this:

Editing work in Camtasia

Editing Pluralsight courses is laborious work. I do it on my desktop so I get all four screens to look at and I invariably have a heap of other things open at once, each positioned in the right place on the right screen so I know exactly where to look for what and when. And then it all goes black. No warning, just a kid looking for chocolate.


Monday, 9 February 2015

Introducing my new weekly column, “Security Sense” on Windows IT Pro


Regular readers here will recognise that if there’s one thing I’m generally not short of, it’s security stuff to talk about and personal opinions on the whole thing (maybe that’s two things). Oh and there’s also the thing about spending a whole heap of time writing security training material for Pluralsight and maintaining Have I been pwned? which all keeps me rather immersed in what I reckon is a very exciting industry. I mean what’s not to love in an industry where the pendulum regularly swings from extremes such as attackers hacking modems to hijack traffic and buy Brazilian hookers through to Obama getting up and admonishing the Axis of Evil themselves for pwning Sony over a crappy movie. It’s non-stop infosec action.

The other day, Windows IT Pro asked me if I might like to start writing a weekly column on the wonderful world of cyber-security, cyber-hackers and cyber-sensationalism. Wait – what?! No really, my view is that all too often it is sensationalism and that amidst all the excitement we somehow lose track of the fundamentals. They gave me enough free rein to shape the column in a way that I thought would really resonate with people and so here it is – “Security Sense” – and the intro to it just went out today.

Unlike my frequently verbose and often highly technical blog posts, Security Sense will be closer to a one-pager each week and targeted at a broader audience. There’ll inevitably be parallels with other things I write or talk about, but I’ll keep it higher level and more consumable than a lot of my other material. It gives me a great platform to reach a broader audience and by all accounts, it addresses an area where there’s a huge amount of interest at the moment.

For those unfamiliar with Windows IT Pro, it’s run by Penton who’ve been doing this sort of thing for 110 years. Not all of them on the web, of course, but they’ve got somewhat of a track record when it comes to publishing. The site serves a community of over 2.7 million IT pros, developers, partners and providers so there’s a good number of eyeballs on their content.

I really hope it appeals to my existing audience as well as to a whole new one I don’t normally reach. My first column has already been submitted and will go out shortly. I’ll be communicating new articles via social media and engaging in discussion on Windows IT Pro in the context of the articles so I hope to see a bunch of you there in the future. Enjoy!

Thursday, 5 February 2015

Introducing AngularJS Security Fundamentals on Pluralsight


If I’m honest, I always found it a bit unusual to get this question:

“How do I secure my Angular apps?”

I mean, Angular is just JavaScript that runs in the client and a few HTML directives. Ok, it’s very good JavaScript and I don’t mean to trivialise the framework in any way whatsoever, but all the security grunt work still needs to happen on the server. Angular will do nothing for your SQL injection or your lack of access controls on server resources or any of the other really nasty security stuff that tends to go wrong in web apps. Yet the question kept coming up and the more I thought about it, the more it made sense to put Angular security in perspective. So I made this Pluralsight course:

Angular JS Security Fundamentals

The very fact alone that developers kept asking about Angular security was enough motivation to do a course on it. Let me explain how I’ve approached it.
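To make the “grunt work happens on the server” point concrete, here is an added example (it is not code from this post or from the Pluralsight course). It is plain Node.js: an Angular front end can hide the “view other people’s documents” button from non-admins, but the server cannot trust anything the client sends about who it is. The data set, session table, request shape and the `$1`/`$2` placeholder style are all constructed for the demo.

```javascript
// Added example, not code from the original post or its Pluralsight course.
// Two server-side handlers for the same request: one trusts claims made by the
// Angular client, one derives identity and role from server-side state.
// All data below is constructed for the demo.

// Constructed data: who owns which document, and each user's real role.
const DOCS = {
  1: { owner: 'alice', title: 'Alice budget' },
  2: { owner: 'bob', title: 'Bob roadmap' },
  3: { owner: 'alice', title: 'Alice notes' },
};
const ROLES = { alice: 'user', bob: 'admin' };

// Constructed server-side session store: session cookie value -> authenticated user.
// In a real app this is a session store or a verified token, never the request body.
const SESSIONS = { 'sid-alice': 'alice', 'sid-bob': 'bob' };

// VULNERABLE: trusts the user name and role the client put in the JSON body.
// The Angular UI may only offer other people's documents to admins, but any HTTP
// client (curl, a proxy, devtools) can send whatever body it likes.
function getDocVulnerable(request) {
  const doc = DOCS[request.body.id];
  if (!doc) return { status: 404 };
  if (doc.owner !== request.body.user && request.body.role !== 'admin') {
    return { status: 403 };
  }
  return { status: 200, doc };
}

// HARDENED: identity comes from server-side session state keyed by the cookie and the
// role from the server's own user table; anything the client claims about itself is ignored.
function getDocHardened(request) {
  const user = SESSIONS[(request.cookies || {}).session];
  if (!user) return { status: 401 };
  const doc = DOCS[request.body.id];
  if (!doc) return { status: 404 };
  if (doc.owner !== user && ROLES[user] !== 'admin') return { status: 403 };
  return { status: 200, doc };
}

// Same lesson for data access. VULNERABLE: the search term is concatenated into SQL,
// so a term containing a quote rewrites the query.
function searchQueryVulnerable(user, term) {
  return `SELECT id, title FROM docs WHERE owner = '${user}' AND title LIKE '%${term}%'`;
}

// HARDENED: SQL text with placeholders plus a separate values array, the shape a
// parameterised driver call takes (placeholder style assumed; node-postgres uses $1, $2).
function searchQueryHardened(user, term) {
  return {
    text: 'SELECT id, title FROM docs WHERE owner = $1 AND title LIKE $2',
    values: [user, `%${term}%`],
  };
}

// Demo: a caller logged in as alice asks for bob's document while claiming in the
// request body to be bob with the admin role, and searches with an injection payload.
function demo() {
  const forged = {
    cookies: { session: 'sid-alice' },
    body: { id: 2, user: 'bob', role: 'admin' },
  };
  const payload = "%' OR '1'='1";
  return {
    vulnerable: getDocVulnerable(forged).status, // 200: the body's claims were trusted
    hardened: getDocHardened(forged).status,     // 403: alice is neither bob nor an admin
    injected: searchQueryVulnerable('alice', payload),
    parameterised: searchQueryHardened('alice', payload),
  };
}

module.exports = { getDocVulnerable, getDocHardened, searchQueryVulnerable, searchQueryHardened, demo };
```

Run it with `node -e "console.log(require('./server-side-checks.js').demo())"` (file name assumed) and compare the two `status` values: the only thing the client controls in the hardened path is the session cookie it was actually issued, which is exactly where Angular stops being relevant and ordinary server-side security begins.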


Friday, 30 January 2015

Understanding Azure website auto-scale magic


I was helping out a consumer of Have I been pwned? (HIBP) earlier today as they were trying to build up a profile of the pwnage state of their client base. This meant firing a heap of requests at the API so that they could assess a very large number of accounts. I’m always interested in how far this service can be stretched and indeed what the thresholds are before Azure starts applying auto-scale magic.

First up, keep in mind that each request to the API is searching through 175 million records in Azure Table Storage. You can read about the story of HIBP for background on why I chose this data structure but one of the key reasons is scale – it’s massive!

Anyway, here’s what I started seeing early this morning courtesy of New Relic:

Requests per minute peaking at over 5k


Wednesday, 28 January 2015

Azure WebJobs are awesome and you should start using them right now!


No really, they’re totally awesome! I used Azure WebJobs in the very early days and whilst they served a purpose, I wasn’t blown away with them at the time. In fact I went on to use Worker Roles for the back end paste processing behind Have I been pwned? (HIBP) and whilst they served me well, there were also aspects that weren’t as slick as the rest of the Azure ecosystem.

Recently I had cause to build another back end process for HIBP (one I’ll talk more about in detail in a later post) so I thought I’d come back and visit WebJobs again. The extent of what I was able to do, the ease with which it all happened and the time it took just totally blew me away. There were a few things in particular though that really struck me while building out this new feature using WebJobs and I wanted to capture and share those here.

What I ended up deciding to do is to rebuild a part of HIBP using a WebJob, namely the part that looks for new pastes in a queue then goes and retrieves them from Pastebin and sends out notification emails to those impacted. Converting this from a Worker Role really highlighted where WebJobs shine.
