Try publishing something to the internet - anything - and see how it long it takes before something nasty is probing away at it. Brand new website, new domain and it's mere hours (if not minutes) before requests for wp-admin are in the logs. Yes, I know it's not a Wordpress site but that doesn't matter, the bots don't care. But that's just indiscriminate scanning, nothing personal; how about deliberate and concerted attacks more specifically designed to get into your things? As the value of what you have increases, so do the attacks and there's absolutely nothing you can do about it. There's a lot you can do in terms of defences, but nothing you can do to stop randoms...

We're on a beach! It's the day after 3 pretty intense days of NDC conference and the day before Scott heads back to the UK so beach was an easy decision. The conference went fantastically well and, in all honesty, was the most enjoyable workshop I think I've done out of ~50 of them these last few years. NDC will be back on the Gold Coast next year, plus of course it will be in Oslo in a few weeks' time then Sydney in September where we'll both do it all again. This week, we talk a lot about EV certs. As I say in the video, neither of us have anything against commercial CAs or even EV certs per...

It's a new Pluralsight course! Yes, I know I said that yesterday too, but this is a new new Pluralsight course and it's the second part in our series on Creating a Security-centric Culture. As I wrote there back in Jan, we're doing this course on a quarterly basis and putting it out in front of the paywall so in other words, it's free! It's also a combination of video and screencast which means you see a lot of this: As for the topic in the title, shadow IT has always been an interesting one and certainly something I spent a great deal of time dealing with in the corporate environment. A quick definition for those who may not be...

Just a tad over 5 years ago, I released my first ever Pluralsight course - OWASP Top 10 Web Application Security Risks for ASP.NET. More than 32k people have listened to more than 78k hours of content in this course making it not just the most popular course I've ever released, but also keeping it as my most popular in the library even today by a long way. Developers have a huge appetite for OWASP content and I'm very happy to now give them even more Top 10 goodness in the course I'm announcing here - Play by Play: OWASP Top 10 2017. This time, I've teamed up with Andrew van der Stock who was an integral part of...

This week, Scott Helme is getting bitten by Aussie critters whilst working from a desert island. He's here on the Gold Coast for the NDC Security event next week so I thought we'd record the update together so we grabbed a couple of cold ones, wandered down to the backyard and recorded there. We cover off a bunch of bits and pieces related to things we're working on together (workshops and Report URI) as well as some (mostly) commonly held views about HTTPS, EV certs and visual indicators. Oh - and I forgot to mention killing off the non-anonymous endpoints for Pwned Passwords last week so that's in here this week too. Hope you enjoy the banter with Scott, he's...

Remember when web security was all about looking for padlocks? I mean in terms of the advice we gave your everyday people, that's what it boiled down to - "look for the padlock before entering passwords or credit card info into a website". Back in the day, this was pretty solid advice too as it gave you confidence not just in the usual confidentiality, integrity and authenticity of the web traffic, but in the legitimacy of the site as well. If it had a padlock, you could trust it and there's weren't a lot of exceptions to that. But as time has gone by and HTTPS has become increasingly ubiquitous and obtainable by all, the veracity of that...

It's a (new) weekly update! Lights are in, things are much brighter and... I think it was a bit too bright and the camera was pointed too high. This is all experimentation, folks, and I appreciate everyone's input as I tune things to try and get a consistent, quality result. Still, as someone said whilst I was mucking around with all this, the audio quality is great and that's what people are ultimately listening to so that's a fantastic start. You'll notice I've also changed the video thumbnail and removed the text in the opening frames, I hope that's an improvement. (Oh yeah - and there's a 4 min blank spot at the end due to a rogue element in...

Ah JavaScript, the answer to - and cause of - all our problems on the web today! Just kidding, jQuery has solved all our JS problems now... But seriously, JS is a major component of so much of what we build online these days and as with our other online things, the security posture of it is enormously important to understand. Recently, I teamed up with good mate and fellow Pluralsight author Aaron Powell who spends his life writing JS things. We spoke about managing auth tokens, identity persistence across sessions, service workers, CORS, third party libraries (and their vulnerabilities), client side validation considerations, anti-forgery tokens and much, much more. This is a 1 hour and 13 minute "Play...

A couple of months ago, I launched version 2 of Pwned Passwords. This is a collection of over half a billion passwords which have previously appeared in data breaches and the intention is that they're used as a black list; these are the "secrets" that NIST referred to in their recent guidance: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don't let your customers use that password! Now, as I...

The more time that goes by and the more deeply I give it thought, the more convinced I am that the web is held together with sticky tape. No - cyber-sticky tape! Because especially when it comes to security, there are fundamental and inherent shortcomings in everything from HTTP to HTML and many of the other acronyms that make the web work as it does today. We've been trying to get this right for 25 years as of yesterday too: Today: The 25th anniversary of the web: https://t.co/57NuBcpuqt Thanks CERN and Sir Tim Berners-Lee! #madeineurope— Mikko Hypponen (@mikko) April 30, 2018 Cross site request forgery is a perfect example; here we have a situation where the...