Software architect and Microsoft MVP, you’ll usually find me writing about security concepts and process improvement in software delivery.
Last week I had the pleasure of catching up with fellow Aussie MVP Robert Crane and recording an episode for his CIAOPS (the Computer Information Agency) “Need to Know” podcast. The podcast caters to those working in SMBs (small to medium businesses) and Robert and I have a good chat about a whole range of security considerations these folks should try to keep in mind.
You can find the podcast online at Episode 24 - Troy Hunt or grab it via iTunes.
When it comes to our personal security, we’ve all grown a bit accustomed to keeping things on the down-low. For example, we cover the keypad on the ATM when entering our PIN and we shred our sensitive documents rather than throwing them straight in the trash.
We do this not because any one single piece of information is going to bring us undone, but rather we try not to broadcast anything which may be used to take advantage of us. That PIN could be used with the card to withdraw cash if someone gets their hands on it (or has a skimming device) and that bank statement you throw in the trash could be used by someone as leverage for identity theft.
And so it is with response headers, those little titbits of information your app is letting loose into the wild that you probably hadn’t even given a second thought. On the surface, this is innocuous data of no use to anyone, but dig a little deeper and suddenly it becomes quite useful to the evildoers.
A few months back I got a call one evening which was clearly a virus call centre scam; you know, the ones that call you out of the blue, tell you your PC is infected with all sorts of nasties and offer to fix it for you? Or maybe you don’t know, which of course is why these scams have been going on for quite some time and are still very active today.
Fortunately I did know about such things so rather than summarily dismissing them with a level of disdain I normally reserve only for telemarketers, I recorded the audio of the call right up until the point where they were ready to take control of my PC. I published the whole episode in my post titled Anatomy of a virus call centre scam.
But I was left wondering; what exactly were they going to do to my PC once they got remote control? Try and squeeze some cash out of me for “fixing” things? Install their own variant of “antivirus”? Or just plain old enslave my PC into being part of a botnet? So I decided to find out by letting them do whatever they wanted whilst recording the audio and the screen so the entire experience could be shared.
Who here doesn’t write enough unit tests? I mean other than me? Somehow no matter how good my test coverage gets I always fell like there are some bits missing. Partly this is because unit testing practices tends to be one of those religious debates and you if you listen to enough people, it’s easy to convince yourself you’re doing it wrong.
One area that’s always been a little tricky is testing anything with a database dependency. In part, this is because those tests often end up being dependent on the data itself which, of course, can be highly volatile. But it’s also philosophically challenged in that if a unit test is to assess a discrete unit of code on the application tier then it probably shouldn’t have dependencies on the data tier.
The problem, of course, is that we’re still writing a lot of logic in the data tier. Fancy ORMs are fantastic and I advocate using them to the full extent that is practical, but there are still plenty of use cases for writing business logic in the database and you really want that to be testable. Plus of course there’s this whole other alternate universe of people who work entirely in database and don’t have access to the testing tools many of us regularly use within Visual Studio; let’s call them the “second class unit test citizens”.
This is where Red Gate’s SQL Test comes in. It’s entirely self-contained within SSMS and all it does is tests business logic in the database, just like those first class cousins in Visual Studio. And it totally rocks.
Today I had the pleasure of spending about an hour and a half talking to Peter Shaw from LIDNUG about security, security and, uh, security! If the LinkedIn .NET User Group is a little bit new to you, it’s the top LinkedIn group dedicated to .NET with a staggering 47,387 members at the time of writing.
This is a casual chat rather than a a full on interview and covers a bunch of the usual stuff I talk about such as the OWASP Top 10. Hope you enjoy the conversation:
Who here has become rather dependent on Visual Studio’s intellisense? C’mon, be honest, no matter hard-core you are or how impure you think intellisense is you always end up using it to some degree, even if it’s just for discovering object behaviours.
Back when Visual Studio 2010 launched we got some pretty nifty improvements in intellisense which were previously only available by way of third party tools like ReSharper. The improvements included the ability to partially match a string anywhere within the possible result set and the ability to match by Pascal and camel case. Today, Red Gate brings these features to SQL Prompt.
All original becuase I'm fussy and you just never quite get exactly what you want from a Blogger template. Besides, the left side of my brain rarely gets out these days and it needed the exercise.
Opinions expressed here are my own and may not reflect those of my employer, my colleagues, my mates, my wife, the dog and so on and so forth. Unless I'm quoting someone, they're my own opinions and may not necessarily be cohesive nor entertaining but hey, at least they're original.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
