This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] As we begin to look at the final few entries in the Top 10, we’re getting into the less prevalent web application security risks, but in no way does that diminish the potential impact that can be had. In fact what makes this particular risk so dangerous is that not only can it be used to very, very...

What do you think of when you see this little guy on a webpage: You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn’t mean anything of the kind. In fact it had absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleadi...

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis [https://www.troyhunt.com/2011/06/brief-sony-password-analysis.html]. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused password...

Today I had cause to take a slightly different direction with a database that had stood for many years providing a fairly critical business function. The change of direction involved dropping a few columns out of a core table with references across an unknown number of procedures and views. What could go wrong?! Let me start by saying that whilst I spend a lot of time in SQL Server, I’m no DBA and there may well be easier ways of doing this, but in years gone by I would have kicked off by tra...

So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney [http://www.dddsydney.com]. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here [http://dl.dropbox.com/u/8529390/Protecting%20your%20web%20applications%20from%20the%20tyranny%20of%20evil.ppsx] and all the code used in the examples...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Cryptography is a fascinating component of computer systems. It’s one of those things which appears frequently (or at least should appear frequently), yet is often poorly understood and as a result, implemented badly. Take a couple of recent high profile examples in the form of Gawker and rootkit.c...

So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts [http://www.theage.com.au/digital-life/games/playstation-privacy-breach-77-million-customer-accounts-exposed-20110427-1dvhf.html] wasn’t bad enough, numerous other security breaches [http://attrition.org/security/rants/sony_aka_sownage.html] in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com [http://www.sonypictures.com/]. As bad guys often like t...

A series of discussions last week got me around to talking about the right way to test a system against a realistic set of data. The problem is simply this: without data in the test environment which is representative of what you’ll end up with in the production environment, it’s very difficult to properly simulate the way the app will behave after it rolls out. There are a whole bunch of counter-techniques for the empty database problem ranging from the tedious to the impractical to the downri...

How do I keep up with the latest tools and technologies? Who are my 5 favourite MVPs? And most importantly, what do I do when I’m not building software? All these questions and more are answered in my Microsoft Feed MVP Interview [http://web.archive.org/web/20111013031212/http://microsoftfeed.com/2011/meet-troy-hunt-developer-security-mvp-from-australia/] . I normally keep details about my day job and personal interests off the public timeline but I decided to share a little in this interview....

Ah source control, if there’s a more essential tool which indiscriminately spans programming languages without favour, I’m yet to see it. It’s an essential component of how so many of us work; the lifeblood of many development teams, if you like. So why do we often get it so wrong? Why are some of the really core, fundamentals of version control systems often so poorly understood? I boil it down to 10 practices – or “commandments” if you like – which often break down or are not properly underst...