One of the things people often ask me about in regards to software security is “Are there any standards that these people should be following? Any governing bodies? Any recourse for screwing things up?” Ok, that’s three things but you get the idea and people are usually pretty surprised when they learn that for the most part, no. No standards, no governing bodies, no recourse. You can go and create a new website today storing everyone’s credentials in the clear, send them around willy nilly via...

Remember view state? For that matter, do you even remember web forms?! I kid because although MVC is the new hotness in the world of building ASP.NET websites, web forms remains the predominant framework due to both the very long tail of sites already built on it and the prevalence of developers with skills in this area who haven’t made the transition to MVC (indeed some people argue that they can happily cohabit, but that’s another discussion for another day). Anyway, back to view state. When...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]Note: In this blog post I show how to load a certificate from StartCom into Azure. They've subsequently had some pretty serious issues related to WoSign [https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/] and I would not recommend getti...

Over the last few weeks I’ve been working on a piece with 4 Corners titled In Google We Trust [http://www.abc.net.au/4corners/stories/2013/09/09/3842009.htm] which went to air last night. For international readers (or local folk who just don’t watch the ABC), 4 Corners has been around for decades and has always been high quality journalism on thoroughly investigated stories without the sensationalism we get used to in many other current affairs programs. Seeing it all come together it was obvio...

Apparently the average number of apps someone has on their smartphone is 41 [http://www.networkworld.com/community/blog/average-us-smartphone-user-has-41-apps-their-device] . It sounds like a lot but do the maths on how long you’ve had the phone (or a predecessor) and it you realise it’s a pretty low frequency of taking something new from the app store. A significant proportion of these apps allow you to share sensitive personal information with them; your home address, phone number, email and p...

Well that’s my first TechEd down as both a speaker and a delegate and what better place to have it than in my home town of the Gold Coast. For international readers, think of it as having all the best bits of what you know of Australia (beaches, good weather, scantily clad [insert preference here]) whilst all the bad bits you know of cities (pollution, bad traffic, angry people) get left behind in Melbourne and Sydney. Clearly this is an entirely unbiased view. You never quite know what to expe...

No really, that’s the whole idea and it goes back to my post from a couple of days ago about my new Pluralsight course [https://www.troyhunt.com/2013/08/its-time-to-hack-yourself-first-with.html]. You see what normally happens when you create a course is that you hand over all the code used in the videos and then if you’re a plus subscriber [http://pluralsight.com/training/Products/ExerciseFiles] you get to download it and have a play. That’s just great, but the thing with my Hack Yourself First...

I’ve had some very interesting web security discussions recently: how many rounds of various hashing algorithms should be used for modern day password storage, if response header obfuscation is pointless in a world of easy HTTP fingerprinting and some of the deficiencies in the X-Frame-Options header, to name but a few. But every now and then I see something that brings me back down to earth and reminds me of the level that requires the most attention security wise. Allow me to present Exhibit A...

Earlier this year I was doing my usual trick of browsing websites and writing about things that were readily observable with regards to some rather ordinary security practices. When I say “readily observable” I’m talking about things such as cookies not flagged as HttpOnly [https://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html] or SSL login forms embedded into HTTP pages [https://www.troyhunt.com/2013/06/the-security-futility-that-is-embedding.html]. This stuff is just so easy to...

Earlier this year I wrote about 5 ways to implement HTTPS in an insufficient manner (and leak sensitive data) [https://www.troyhunt.com/2013/04/5-ways-to-implement-https-in.html]. The entire premise of the post was that following a customer raising concerns about their SSL implementation, Top CashBack went on to assert that everything that needed to be protected, was. Except it wasn’t, at least not sufficiently and that’s the rub with SSL; it’s not about having it or not having it, it’s about un...