SSL is not about encryption

It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process. Last week I wrote a (slightly) tongue-in-cheek post about the Who’s who of bad password practices [https://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html]. I was critical of a number of sites not implementin...
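The distinction the excerpt draws, assurance rather than mere encryption, comes down to two client-side checks: the server's certificate must chain to a trusted CA, and the name in it must match the host the client set out to reach. The following Python is an added example written for this page, not code from the original post; `fetch_head` needs network access, while the constructed `SAMPLE_CERT` dict only mimics the shape `getpeercert()` returns and is not a real certificate.

```python
import socket
import ssl


def assuring_context(cafile=None):
    """TLS client context that provides assurance, not just encryption."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # name in the cert must match the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED  # and the cert must chain to a CA we trust
    return ctx


def encrypt_only_context():
    """Encrypts the channel but trusts whoever answers: a man in the middle is not challenged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def gives_assurance(ctx):
    """True only when both identity checks are switched on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def _label_matches(pattern, name):
    """RFC 6125-style match: a single '*' may stand for exactly one leftmost label."""
    p_labels = pattern.lower().split(".")
    n_labels = name.lower().split(".")
    if len(p_labels) != len(n_labels):
        return False
    if p_labels[0] == "*":
        return n_labels[0] != "" and p_labels[1:] == n_labels[1:]
    return p_labels == n_labels


def cert_matches_host(cert, hostname):
    """Check a getpeercert()-shaped dict against the hostname the client intended to reach."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback: only consult the subject CN when no SAN entries exist at all.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_label_matches(n, hostname) for n in names)


def fetch_head(host, port=443, ctx=None):
    """Open a verified TLS connection and return the peer certificate dict (needs network).

    With assuring_context() a wrong name or untrusted chain raises ssl.SSLCertVerificationError;
    with encrypt_only_context() the handshake succeeds against anyone and getpeercert() is empty.
    """
    ctx = ctx or assuring_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample shaped like ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
```

The contrast is the point: `encrypt_only_context()` still negotiates a cipher suite and encrypts every byte, yet nothing it does tells you who decrypts them on the other end. Wildcard matching is deliberately limited to one label so that `*.example.net` does not vouch for `a.b.example.net`.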

Who’s who of bad password practices – banks, airlines and more

Ah, passwords. Love ‘em or hate ‘em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better. Of course we frequently don’t do this because of all sorts of human factors such as convenience, memory or simple unawareness...

Continuous web application security scanning with Netsparker and TeamCity

Late last year I got all excited about continuous deployment with TeamCity when I wrote a five part series [https://www.troyhunt.com/2010/11/you-deploying-it-wrong-teamcity.html] on using it in conjunction with web deploy. I then went on to write about Continuous code quality measurement with NDepend and TeamCity [https://www.troyhunt.com/2010/12/continuous-code-quality-measurement.html] and Continuous project statistics with StatSVN and TeamCity [https://www.troyhunt.com/2010/12/continuous-proj...

Why your app’s security design could affect sales of Acai berries

Here’s the thing about securing credentials in web apps; you’re not just responsible for securing your application, you’re also responsible for securing your customer’s identities. Let me demonstrate: 123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese These 25 passwords were used a total of 13,411 times by people with Gawker...

Continuous project statistics with StatSVN and TeamCity

Yesterday I wrote about Continuous code quality measurement with NDepend and TeamCity [https://www.troyhunt.com/2010/12/continuous-code-quality-measurement.html] where I looked at nightly builds that assessed code quality using the very excellent NDepend. These reports are great and it’s easy to configure but you need to make both a dollar investment in the software and an education investment to really understand the metrics and how they relate to code quality. What’s nice about StatSVN [http:...

Continuous code quality measurement with NDepend and TeamCity

I love a good set of automatically generated code metrics. There’s something about just pointing a tool at the code base and saying “Over there – go and do your thing” which really appeals to the part of me that wants to quantify and measure. I think part of it is the objectiveness of automated code analysis. Manual code reviews are great, but other than the manual labour issue, there’s always that degree of subjectiveness humans bring with them. Of course code reviews are still important, b...

OWASP Top 10 for .NET developers part 6: Security Misconfiguration

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] If your app uses a web server, a framework, an app platform, a database, a network or contains any code, you’re at risk of security misconfiguration. So that would be all of us then. The truth is, software is a complex business. It’s not so much that the practice of writing code is tricky (in fact I’...

My SQL Source control article on Simple-Talk

I’ve previously written about Rocking your SQL Source Control world with Red Gate [https://www.troyhunt.com/2010/07/rocking-your-sql-source-control-world.html] and was bullishly optimistic about the potential for finally providing the means for simple, effective version control of database objects. It turns out the post struck a chord with the folks at Red Gate and they asked me if I’d like to contribute to an article in Simple-Talk [http://www.simple-talk.com], a fantastic bi-monthly newsletter...

I GOT A LOT OF GRIEVANCES! A Festivus of meeting etiquette

I GOT A LOT OF PROBLEMS WITH YOU PEOPLE! Now, you’re gonna hear about ‘em. Let’s begin the tradition of Festivus [http://www.youtube.com/watch?v=c8g4Ztf7hIM] with the airing of grievances, in particular, corporate meeting etiquette gone bad. Love ‘em or hate ‘em, meetings are a part of everyday life for many of us. However, some people just seem hell-bent on making them miserable for everyone. To be fair, I suspect the full impact of seemingly innocuous behaviour isn’t always evident to the pe...

Defeating Red Gate’s SQL Source Control insensitivity

I’m a big fan of Red Gate’s SQL Source Control [http://www.red-gate.com/products/SQL_Source_Control/index.htm], I really am. I raved about it [https://www.troyhunt.com/2010/07/rocking-your-sql-source-control-world.html] earlier in the year and I still think it’s the best solution going for getting your databases under source control with Subversion. However, I’ve hit a glitch which unless I’m wrong, appears to be a bit of a design flaw; versioning changes in case. Let’s say I have a table, crea...