The problem with website security is us!

I write a lot about website security. Sometimes I’ll publicly point out flaws in software but there are many, many other times where it remains a private conversation for various reasons. The one common thread across most of these incidents is that as developers, we often make bad security design decisions. It’s us – the organic matter in the software development process – that despite the best of intentions make bad choices that introduce serious risks. My belief – and one of the key reasons I...

People Talking Tech talking security

It was a few months back now, but last year I spent a little time with fellow MVP Denny Cherry [http://twitter.com/mrdenny/] on his podcast People Talking Tech [http://peopletalkingtech.com]. We had a great talk about security in general with a lot of focus on SQL Injection in particular. It’s a nice light-hearted 24 minute chat that I enjoyed doing and I hope you enjoy listening to. You can listen online or download from People Talking Tech, Episode 18 – Troy Hunt [http://peopletalkingtech.com...

Is Java the root of all evil and can you really live without it in the browser?

Last week something a bit unusual happened; Java was found to have a serious vulnerability. Ok, stop laughing, Java has obviously had many serious vulnerabilities over many years, what’s different this time though is that the US government’s Computer Emergency Response Team (CERT) took the unprecedented step of telling folks to stop using it altogether. Here’s the word from Homeland Security [http://www.ibtimes.com/department-homeland-security-advises-computer-users-disable-java-1010998] : >...

Inviting hackers into our homes via the internet of things

I was at the Web Directions South conference [http://south12.webdirections.org/] the other day and you know what really struck me? There is a lot of very cool, very connected stuff either here now or coming very soon. Hackable stuff! So there’s this term going around which is The Internet of Things [http://en.wikipedia.org/wiki/Internet_of_Things] (it has its own Wikipedia page so it must be real), or in human speak, stuff that’s connected to the web. Unusual stuff like domestic appliances and...

Please login to your Facebook account: the execution of a data mining scam

So someone sends you a link to the latest Gangnam parody / cat meme / man jumping on frozen pool video and the link looks something like this: http://bit.ly/10PMelv Nothing unusual about this, every second link shared these days uses a bit.ly or t.co (or comparable) URL shortener. Because you have an insatiable desire to participate in the latest social phenomenon, you click through and see this: There’s also nothing unusual about Facebook asking you for credentials, let’s log in. Aw c’mon,...

EE-K! DM’ing your password is NEVER a good idea

It happened again – someone tweeted me about a negative security experience and I just had to take a look: [https://twitter.com/andrew_barratt/status/285343903874428928] C’mon, really? This can’t be for real. But a little more investigating and here we are: [https://twitter.com/EE/status/285305896358256640] This is bad (for reasons I’ll discuss shortly), but it’s far from isolated: [https://twitter.com/EE/status/285045909287497730] EE is over in the UK and they’re “the new network for y...

Stored procedures and ORMs won’t save you from SQL injection

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]. Everybody knows the easiest way to save yourself from SQL injection is to use object relational mappers (ORMs such as Entity Framework) or stored procedures, right? Often I see this becoming a mantra: “You don’t need to worry about SQLi if you’re using [Entity Framework | stored procedures]”. I also see the mantra blindly repeated and it’s wro...

Responsiveness, China and the “m” word: new blog meta post

Three and a bit years on and it’s time for a change. Blogging has been good to me – very good – but I was starting to feel a bit like the plumber whose own house was full of leaky pipes. Heavy markup burdened by Blogger’s propensity for in-page CSS, completely mobile unaware and as I’ve written before, not real friendly for those half a billion Chinese internet users [https://www.troyhunt.com/2012/03/browsing-broken-web-software-developer.html]. Plus of course, several years of design weariness...

Getting deeper inside ASP.NET with ASPInsiders

One of the things I’ve really enjoyed about blogging and engaging with the development and security communities is some of the opportunities it’s opened up simply by doing things I really enjoy. I’m talking about opportunities like the MVP award, joining up with the Friends of Redgate and numerous other perks and rewards that seem to pop up out of the woodwork. I’m very happy to now be joining the ASPInsiders [http://aspinsiders.com]: The who now?! > The ASPInsiders is a select group of int...

5 essential tips for customer care people dealing with technical queries

It happened again. Well actually, it happens all the time but I got inadvertently drawn into it again. I’m referring to this: [https://twitter.com/wishgenie/status/273396847802974208] Totally secure! Not just “pretty” secure or “really” secure but totally secure! I need to learn how to do that. Now this was in response to the following tweet: [https://twitter.com/scampreturns/status/273103876075421697] This is a familiar banter; a concerned customer raises a valid point about the technica...