OWASP

A 16-post collection

New Pluralsight Course: OWASP Top 10, 2017

Just a tad over 5 years ago, I released my first ever Pluralsight course - OWASP Top 10 Web Application Security Risks for ASP.NET [https://pluralsight.pxf.io/c/1196446/424552/7490?u=https%3A%2F%2Fapp.pluralsight.com%2Flibrary%2Fcourses%2Fowasp-top10-aspdotnet-application-security-risks%2Ftable-of-contents] . More than 32k people have listened to more than 78k hours of content in this course making it not just the most popular course I've ever released, but also keeping it as my most popular in...

It’s more Pluralsight, it’s more website attacks and it’s more security

How much really changes in only three short years in the world of application security? Ok, a few sites get owned and some nasty hackers come up with some new ways of making some poor developers' lives a misery but that’s about the extent of it, right? Yeah, turns out it’s a lot more complex than that. The very first course I wrote for Pluralsight and the one that continues to be the most popular is the OWASP Top 10 Web Application Security Risks for ASP.NET [http://pluralsight.com/training/Cour...

New Pluralsight course: Web Security and the OWASP Top 10 – “The Big Picture”

And now for my fourth Pluralsight instalment: more OWASP [http://pluralsight.com/training/courses/TableOfContents?courseName=web-security-owasp-top10-big-picture] ! Wait – hasn’t this been done already?! Yes and no. My first course from April last year was OWASP Top 10 Web Application Security Risks for ASP.NET [http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] and as the title suggests, it contains a heap of stuff on how OWASP applies to...

Introducing the OWASP Top 10 Web Application Security Risks for ASP.NET on Pluralsight

I’ve been a little bit busy the last few months and here’s why – my first Pluralsight course, the OWASP Top 10 Web Application Security Risks for ASP.NET [http://www.pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] . Actually, if I’m honest, it’s been a lot longer than that in the making as my writing about the OWASP Top 10 goes all the way back to right on three years ago now. It began with the blog series [https://www.troyhunt.com/2010/05/owasp...

Free eBook: OWASP Top 10 for .NET developers

This entire series is now available as a Pluralsight course! [http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] Writing this series [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] was an epic adventure in all senses of the word: Duration – 19 months to complete a blog series, for crying out loud! Content – approaching 50,000 words, not including all the discussion in comments. Effort – some of the posts, su...

OWASP Top 10 for .NET developers part 10: Unvalidated Redirects and Forwards

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] In the final part of this series we’ll look at the risk of an unvalidated redirect or forward. As this is the last risk in the Top 10, it’s also the lowest risk. Whilst by no means innocuous, the OWASP Risk Rating Methodology [https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology] has determ...

OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...

OWASP Top 10 for .NET developers part 8: Failure to Restrict URL Access

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] As we begin to look at the final few entries in the Top 10, we’re getting into the less prevalent web application security risks, but in no way does that diminish the potential impact that can be had. In fact what makes this particular risk so dangerous is that not only can it be used to very, very...

Protecting your web apps from the tyranny of evil with OWASP

So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney [http://www.dddsydney.com]. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here [http://dl.dropbox.com/u/8529390/Protecting%20your%20web%20applications%20from%20the%20tyranny%20of%20evil.ppsx] and all the code used in the examples...

OWASP Top 10 for .NET developers part 7: Insecure Cryptographic Storage

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Cryptography is a fascinating component of computer systems. It’s one of those things which appears frequently (or at least should appear frequently), yet is often poorly understood and as a result, implemented badly. Take a couple of recent high profile examples in the form of Gawker and rootkit.c...