It already seems like a lifetime ago, but it was only last month that I was over in Seattle at the 2012 MVP Summit. While I was there, I had a short chat on video with Dave Giard [https://twitter.com/#!/DavidGiard] for his Technology and Friends blog. We predominantly spoke about ASP.NET security and in particular, cryptographic storage of credentials and transport layer security so it’s a little more focussed than many of my talks. The original post is over on Dave’s blog under Episode 207: Tr...

This is a rant; an unapologetic, no holds barred rant on why something that I hold in such high esteem – my iOS devices – could have come from the evildoers who created this spawn of Satan: iTunes. I love my Apple TV, my iPad, my iPhone, my wife loves her iPhone, heck, even our two year old loves his hand-me-down iPhone. They all rock – big time. They’re the best damn devices I’ve ever owned, without exception. But the otherwise joyous experience of ownership is continually crippled by the sear...

Fresh from the 2012 MVP summit with lots of enthusiasm and grand ideas, I thought it would be worthwhile repeating my 25 illustrated examples of Visual Studio 2010 and .NET 4 post [https://www.troyhunt.com/2009/10/25-illustrated-examples-of-visual.html] with the technologies of today (or should that be tomorrow?) albeit a few weeks later than I had planned. There are some very, very exciting new things in the pipeline which I’d like to share while they’re fresh in my mind and analogous with that...

A few weeks back there was a great document released by Verizon (yep, the big American telco) titled Verizon 2012 Data Breach Investigations Report [http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf] . This weekend at the OWASP Appsec Asia Pacifica Conference [https://www.owasp.org/index.php/AppSecAsiaPac2012], I sat in on a talk from Mark Goudie from Verizon [https://www.owasp.org/images/6/65/Mark_goudie.pdf] who helped put the whole report in...

A couple of days back I wrote about how 67% of ASP.NET websites have serious configuration related security vulnerabilities [https://www.troyhunt.com/2012/04/67-of-aspnet-websites-have-serious.html]. In the post, I drew on figures collected by ASafaWeb [https://asafaweb.com] and observed that small misconfigurations in config files could very easily disclose information that could be leveraged to exploit the application. Quite a bit of discussion ensued through the comments, via Twitter and on...

Let me pose a question: What’s the difference between these two URLs: 1. http://[mydomain]/?foo=<script> 2. http://[mydomain]/?foo=<script> Nothing, right? Let’s plug that into two different browsers and see what they think: Ok, now it’s just getting weird and this brings me to the topic of the day: Recently a friendly supporter of ASafaWeb [https://asafaweb.com] contacted me and said “Hey, how come ASafaWeb isn’t correctly identifying that my site is throwing custom errors?” Naturall...

Actually, it’s even worse than that – it’s really 67.37% – but let’s not split hairs over that right now. The point is that it’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb [http://asafaweb.com], the Automated Security Analyser for ASP.NET Websites which is a free online scanner at asafaweb.com [http://asafaweb.com]. When I built ASafaWeb, I designed it from the ground up to anonymously log scan results. The anon...

Around this time last year I was talking about becoming an accidental MVP [https://www.troyhunt.com/2011/04/accidental-mvp.html]. Not this year; instead of it sneaking up on me, I – like many I know – was counting down the days. My now annual April Fool’s Day email made its way through last night: > Congratulations! We are pleased to present you with the 2012 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world e...

Do you ever get that sense that [insert culture here] seems to totally dominate everything to the total oblivion of everyone else out there? This sort of thing usually gets people a bit cranky but it turns out I’ve kind of being doing it a little bit myself with ASafaWeb [https://asafaweb.com]. You see, ASafaWeb works by looking at how a website responds to certain requests then and from those responses it draws some conclusions about how the thing is configured. For example, if ASafaWeb sees a...

[http://tv.ssw.com/] There’s an excellent home-grown Aussie free learning resource which I suspect is a bit new to a lot of developers: SSW TV [http://tv.ssw.com/]. SSW is a local Sydney development shop headed up by Adam Cogan [http://www.adamcogan.com/], a Microsoft Regional Director and ALM MVP. I offered to talk a little about web app security to their user group a couple of months back and we recorded Protecting your Web Apps from the Tyranny of Evil with OWASP [http://tv.ssw.com/1492/pr...