Writing this series was an epic adventure in all senses of the word:
Duration – 19 months to complete a blog series, for crying out loud!
Content – approaching 50,000 words, not including all the discussion in comments.
Effort – some of the posts, such as transport layer security, probably approached 100 hours of reading, trialling, experimenting and finally, writing and proofing. This is why there was a four-month “hiatus” before that post!
But most of all, it was an epic learning adventure for me. Writing the series forced me to know this content in depth, not just the depth that facilitates casual conversation and allows me to send people off to figure out how to fix their flaws, but the depth to really get to grips with these risks, ensure I could exploit them and then make sure I could fix them again.
For example, I knew – and many of us know – that unsalted hashes are vulnerable to a rainbow attack but I’d never actually executed one of these attacks myself. So I did. Same again on sniffing packets; knowing that lack of transport protection leaves network traffic vulnerable is one thing, sitting in the car outside McDonald’s and actually capturing wifi traffic and hijacking the session (my own, that is!) is another thing altogether.
Looking back on it, I’m really happy with what I’ve produced. It’s been a great experience for me and by all accounts, it’s been very well received by the .NET and OWASP communities as well. It turns out I might have actually produced something pretty useful!
So I decided to turn it into an eBook. Oh – and give it away for free. No strings attached. So here it is, 255 pages of .NET web development security goodness. Please share it generously, chuck it on your eBook reader, email it to your mates, quote me, force your developers to print and read every page – whatever – it’s all yours: