Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.

Why your app’s security design could affect sales of Acai berries

Here’s the thing about securing credentials in web apps; you’re not just responsible for securing your application, you’re also responsible for securing your customer’s identities. Let me demonstrate:

123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese

These 25 passwords were used a total of 13,411 times by people with Gawker...

Continuous project statistics with StatSVN and TeamCity

Yesterday I wrote about Continuous code quality measurement with NDepend and TeamCity [https://www.troyhunt.com/2010/12/continuous-code-quality-measurement.html] where I looked at nightly builds that assessed code quality using the very excellent NDepend. These reports are great and it’s easy to configure but you need to make both a dollar investment in the software and an education investment to really understand the metrics and how they relate to code quality. What’s nice about StatSVN [http:...

Continuous code quality measurement with NDepend and TeamCity

I love a good set of automatically generated code metrics. There’s something about just pointing a tool at the code base and saying “Over there – go and do your thing” which really appeals to the part of me that wants to quantify and measure. I think part of it is the objectiveness of automated code analysis. Manual code reviews are great, but other than the manual labour issue, there’s always that degree of subjectiveness humans bring with them. Of course code reviews are still important, b...

OWASP Top 10 for .NET developers part 6: Security Misconfiguration

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] If your app uses a web server, a framework, an app platform, a database, a network or contains any code, you’re at risk of security misconfiguration. So that would be all of us then. The truth is, software is complex business. It’s not so much that the practice of writing code is tricky (in fact I’...

My SQL Source control article on Simple-Talk

I’ve previously written about Rocking your SQL Source Control world with Red Gate [https://www.troyhunt.com/2010/07/rocking-your-sql-source-control-world.html] and was bullishly optimistic about the potential for finally providing the means for simple, effective version control of database objects. It turns out the post struck a chord with the folks at Red Gate and they asked me if I’d like to contribute to an article in Simple-Talk [http://www.simple-talk.com], a fantastic bi-monthly newsletter...

I GOT A LOT OF GRIEVANCES! A Festivus of meeting etiquette

I GOT A LOT OF PROBLEMS WITH YOU PEOPLE! Now, you’re gonna hear about ‘em. Let’s begin the tradition of Festivus [http://www.youtube.com/watch?v=c8g4Ztf7hIM] with the airing of grievances, in particular, corporate meeting etiquette gone bad. Love ‘em or hate ‘em, meetings are a part of everyday life for many of us. However, some people just seem hell-bent on making them miserable for everyone. To be fair, I suspect the full impact of seemingly innocuous behaviour isn’t always evident to the pe...

Defeating Red Gate’s SQL Source Control insensitivity

I’m a big fan of Red Gate’s SQL Source Control [http://www.red-gate.com/products/SQL_Source_Control/index.htm], I really am. I raved about it [https://www.troyhunt.com/2010/07/rocking-your-sql-source-control-world.html] earlier in the year and I still think it’s the best solution going for getting your databases under source control with Subversion. However, I’ve hit a glitch which unless I’m wrong, appears to be a bit of a design flaw; versioning changes in case. Let’s say I have a table, crea...

Control name prefixes are the work of the devil and other religious debates

Earlier today I asked the question I know it's a bit of a religious debate, but control name prefixes (txt, lbl); useful practice or the devil's work? [http://twitter.com/#!/troyhunt/status/9051426315567104] and was a little surprised by the result. Actually, what surprised me was the unanimous “devil’s work” response when I expected some balanced arguments! What am I talking about? I’m talking about names that look like this: <asp:Label runat="server" ID="lblFirstName" /> <asp:TextBox runat="...

You're deploying it wrong! TeamCity, Subversion & Web Deploy part 5: Web Deploy with TeamCity

<< Part 4: Continuous builds with TeamCity [https://www.troyhunt.com/you-deploying-it-wrong-teamcity_25/] In the first four parts of this series we got config transforms playing nice, command line builds and packaging ticking along, Web Deploy happily receiving our application and TeamCity continuously building the entire solution on every commit. The last thing to do is to harmonise everything so that we can actually automate the deployment. Breaking down the build and deploy processes First...

You're deploying it wrong! TeamCity, Subversion & Web Deploy part 4: Continuous builds with TeamCity

<< Part 3: Publishing with Web Deploy [https://www.troyhunt.com/you-deploying-it-wrong-teamcity_24] Part 5: Web Deploy with TeamCity >> [https://www.troyhunt.com/you-deploying-it-wrong-teamcity_26/] Over the last three posts in this series, we got to the point where all the Microsoft bits are working really nicely together. Config transforms, packaging and Web Deploy are great stable mates in the world of web application deployment. The bit that’s missing though is automation. Actually there a...