This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...

If we can get over Microsoft’s cheesy catchphrase [http://www.microsoft.com/en-us/showcase/details.aspx?uuid=8f01d2e5-0c99-4780-9d1d-e40000179b0e] for a moment, the whole idea of “to the cloud” is actually pretty cool. It’s the promise of taking things that used to be both labour and capital intensive, commoditising them and serving them up on demand. This can very easily sound like PowerPoint presentation rhetoric so let’s move past the warm and fuzzies and actually see it in action. A couple...

Let me start this post by acknowledging that firstly, I screwed up and that secondly, Virgin Blue were very helpful after the aforementioned screw up. But they’ve still got a major usability issue and it’s one we website folks often face: defaults. Would you like fries with that? The problem with booking airline flights is that they’re always trying to upsize you. Would you like to pay for baggage (remember when that used to be free)?  Would you like to choose your seat (and pay for the privile...

Let me preface everything I’m about to write by saying this: I am not a designer. I enjoy design, but I tend to hack away at it a bit. Actually I’ve gone a bit to and from in my career moving from pure code roles to front end roles to web roles where you kind of need a bit of everything, and that’s probably where I’m most comfortable now. So treat everything that followers as the designer-by-default comments of a developer :) Fixed or variable No, not interest rates, web page layouts. Somewhere...

In case you’ve been living under a rock this year, AppHarbor [https://appharbor.com/] is one of the hottest things to hit .NET since, well, just about ever. It packages up the entire app lifecycle of source control, build, deployment and hosting and makes it dead simple; in fact it couldn’t be easier. It then adds a comprehensive collection of add-ons [https://appharbor.com/addon] to do everything from persisting data (MS SQL, MySQL, MongoDB) to caching services (Memcacher) to load testing (blit...

In the beginning, there was the web and you accessed it though the browser and all was good. Stuff didn’t download until you clicked on something; you expected cookies to be tracking you and you always knew if HTTPS was being used. In general, the casual observer had a pretty good idea of what was going on between the client and the server. Not so in the mobile app world of today. These days, there’s this great big fat abstraction layer on top of everything that keeps you pretty well disconnect...

This is an online reproduction of the letter sent to First State Super today. I was disturbed to read about First State Super’s response to the ethical disclosure of a serious vulnerability in your financial software by Patrick Webster last month. As a fellow Australian software security professional, I’m worried by the dangerous precedent that this sets. As you’d be aware by now, this incident has gained worldwide attention and as you’d also be aware, the public response hasn’t exactly been i...

I just had a call from a very nice women who appeared to be from the subcontinent and wanted to help me remove viruses from my computer. Normally I’d dispense of such callers in a pretty quick, ruthless fashion but given the nature of this one I thought it was worth recording and sharing. It all unravels and the gig is finally up at the 23 minute mark. Enjoy! TL;DR: Here are the steps they wanted followed: 1. Open the event viewer then establish there are errors and warnings (there as v...

Back in part 1 of Birth of a UX [https://www.troyhunt.com/2011/09/birth-of-ux-asafaweb-gets-identity-part.html] I talked about identifying styles that I liked, the head start the default MVC 3 template gives you, the eternal battle of Photoshop first versus CSS first, CSS resets then actually making a start on styling one central element of ASafaWeb and making it all play nice across browsers. And that was it – phew! This time around it’s about debugging the markup, building the nav and then co...

Consider this guidance now deprecated! The membership provider stored passwords as a salted SHA1 hash which is insufficient by today's standards and easily cracked [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html]. Refer instead to ASP.NET identity [http://www.asp.net/identity] which is a sufficient stronger and more modern implementation. -------------------------------------------------------------------------------- Often times I’ll have a discussion with a softwa...