Tuesday, 27 July 2010

My security podcast chat on Talking Shop Down Under

A couple of Saturdays back I had a chat with Richard Banks on the Talking Shop Down Under podcast about web application security while at “Developer Developer Developer!” in Sydney. It’s now online here:

Episode 22 - Troy Hunt on Developers and Security

It’s a funny thing, podcasts; there are no second takes and no chances to double-check facts before releasing to the outside world (made me realise how much I do this when blogging). You’re just talking off the top of your head and trying to recall facts that hopefully won’t erode too much of your credibility!

My angle for the chat was as someone with a development background who’d started to pay a lot more attention to application security in recent times. My blog series on the OWASP Top 10 for .NET developers had prompted a friendly well-wisher (or perhaps he just enjoyed putting me on the spot – I’m not entirely sure) to respond to Richard’s request for someone to chat to during the event.

If you’re a security pundit, you’re not going to learn anything new and you’ll spot the (multiple) times I made incorrect statements. Listening to it just now, there were a few incomplete answers and some terms and products I interchanged a bit too loosely.

If you’re a developer, I hope there’s something useful in there for you. One thing I think everyone will agree on is that there needs to be more discussion about web app security, and any forum which encourages that is a good thing.

On that basis alone, I hope this podcast is well received. Enjoy :)

Monday, 19 July 2010

Rocking your SQL Source Control world with Red Gate

I knew it was going to be good before even seeing it. After all, SQL Source Control is from the guys who brought us SQL Compare and SQL Data Compare, two of my all-time favourite tools in the “stuff that would be a real pain to do without” category. They’re tools I tend to berate developers for not having and have regularly waxed lyrical about in the past, albeit within 140 characters; until now.

Versioning database objects very much fits into the same realm in that it’s a nightmare to do without a dedicated tool. The simplicity with which we version other applications files – HTML, images, classes, etc – hasn’t been readily achievable in the database world. Sure, there are various mechanisms out there to script objects out into the file system and version those but it’s a real pain to actually synchronise back into other environments.

To make database versioning practical it needs to integrate seamlessly into the development process, that is, it needs to align to the tools and practices developers use. In the database world that means it has to play nice with SQL Server Management Studio (henceforth known only as SSMS), just as tools like VisualSVN or AnkhSVN play nice with Visual Studio.

Given my previous positive experiences with Red Gate products I thought I’d write this blog a little differently. Rather than try and learn it inside out then come across as all knowledgeable, I’m going to write about the process as I experience it for the first time. I think it will give a little more real world context to how other people approach the tool; let’s see how it pans out.

Thursday, 15 July 2010

OWASP Top 10 for .NET developers part 3: Broken authentication and session management

Authenticating to a website is something most of us probably do multiple times every day. Just looking at my open tabs right now I’ve got Facebook, Stack Overflow, Bit.ly, Hotmail, YouTube and a couple of non-technology forums all active, each one individually authenticated to.

In each case I trust the site to appropriately secure both my current session and any persistent data – such as credentials – but beyond observing whether an SSL certificate is present, I have very little idea of how the site implements authentication and session management. At least not without doing the kind of digging your average user is never going to get involved in.

In some instances, such as with Stack Overflow, an authentication service such as OpenID is used. This is great for the user as it reuses an existing account with an open service, meaning you’re not creating yet another online account, and it’s also great for the developer as the process of verifying credentials is hived off to an external service.

However, the developer still needs to take care of authorisation to internal application assets, and they still need to persist the authenticated session across stateless HTTP requests (typically via a cookie), so delegating authentication doesn’t get them entirely out of the woods. Whoever proves the identity, the session token the application issues afterwards and the checks it makes before serving a resource remain the application’s responsibility.

Friday, 2 July 2010

Subversion’s mysterious malformed or missing path

I hit a couple of little hurdles with Subversion this week which I thought I’d share, simply because I couldn’t find much public information about it and it was only through trial and error that it got resolved. The context was that I was adding an externals definition to a project from another repository and there were two little barriers that threw a spanner into the works.

For the sake of simplicity, here’s a recreation of the scenario:

image
