So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney [http://www.dddsydney.com]. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here [http://dl.dropbox.com/u/8529390/Protecting%20your%20web%20applications%20from%20the%20tyranny%20of%20evil.ppsx] and all the code used in the examples...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Cryptography is a fascinating component of computer systems. It’s one of those things which appears frequently (or at least should appear frequently), yet is often poorly understood and as a result, implemented badly. Take a couple of recent high profile examples in the form of Gawker and rootkit.c...

So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts [http://www.theage.com.au/digital-life/games/playstation-privacy-breach-77-million-customer-accounts-exposed-20110427-1dvhf.html] wasn’t bad enough, numerous other security breaches [http://attrition.org/security/rants/sony_aka_sownage.html] in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com [http://www.sonypictures.com/]. As bad guys often like t...

A series of discussions last week got me around to talking about the right way to test a system against a realistic set of data. The problem is simply this: without data in the test environment which is representative of what you’ll end up with in the production environment, it’s very difficult to properly simulate the way the app will behave after it rolls out. There are a whole bunch of counter-techniques for the empty database problem ranging from the tedious to the impractical to the downri...

How do I keep up with the latest tools and technologies? Who are my 5 favourite MVPs? And most importantly, what do I do when I’m not building software? All these questions and more are answered in my Microsoft Feed MVP Interview [http://web.archive.org/web/20111013031212/http://microsoftfeed.com/2011/meet-troy-hunt-developer-security-mvp-from-australia/] . I normally keep details about my day job and personal interests off the public timeline but I decided to share a little in this interview....

Ah source control, if there’s a more essential tool which indiscriminately spans programming languages without favour, I’m yet to see it. It’s an essential component of how so many of us work; the lifeblood of many development teams, if you like. So why do we often get it so wrong? Why are some of the really core, fundamentals of version control systems often so poorly understood? I boil it down to 10 practices – or “commandments” if you like – which often break down or are not properly underst...

I’ve spent quite a bit of time writing about Red Gate products over the last year, particularly SQL Source Control which is simply the best damn way to finally get those pesky databases into VCS. The fact that it now plays nice with first cousins SQL Compare and SQL Data Compare means the dream of VCS sourced automated deployments of data and schema for the masses is finally a reality. What I like about the Red Gate products in general is that they take traditionally laborious, low-value tasks...

A couple of different friends sent me over a link to an article about The Usability of Passwords [http://www.baekdal.com/tips/password-security-usability] this weekend, clearly thinking it would strike a chord. Well, let’s just say I was enthralled before I even finished the second line: > Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice The crux of the article (and subsequent FAQ), is that so long as a password is s...

An unexpected email was waiting for me when I got off the plane from a recent work trip to Thailand on Saturday: > Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Developer Security technical communities during the past year. Given this was sent out on April 1st, one could be...

Edit (6 Oct 2020): It looks like the WCSA website has disappeared since originally writing this article and the domain is now parked on a porn site. The Google Code archive still exists so the blog post is still relevant, just be conscious that this project has obviously gone unloved for some time now and make take you to unexpected places. Ah, automation. Any time I find myself doing the same thing more than once, I get the inclination to bundle it all up into something that can begin happenin...