Pluralsight

It's a new Pluralsight course! Yes, I know I said that yesterday too, but this is a new new Pluralsight course and it's the second part in our series on Creating a Security-centric Culture. As I wrote there back in Jan, we're doing this course on a quarterly basis and putting it out in front of the paywall so in other words, it's free! It's also a combination of video and screencast which means you see a lot of this: As for the topic in the title, shadow IT has always been an interesting one and certainly something I spent a great deal of time dealing with in the corporate environment. A quick definition for those who may not be...

Just a tad over 5 years ago, I released my first ever Pluralsight course - OWASP Top 10 Web Application Security Risks for ASP.NET. More than 32k people have listened to more than 78k hours of content in this course making it not just the most popular course I've ever released, but also keeping it as my most popular in the library even today by a long way. Developers have a huge appetite for OWASP content and I'm very happy to now give them even more Top 10 goodness in the course I'm announcing here - Play by Play: OWASP Top 10 2017. This time, I've teamed up with Andrew van der Stock who was an integral part of...

Ah JavaScript, the answer to - and cause of - all our problems on the web today! Just kidding, jQuery has solved all our JS problems now... But seriously, JS is a major component of so much of what we build online these days and as with our other online things, the security posture of it is enormously important to understand. Recently, I teamed up with good mate and fellow Pluralsight author Aaron Powell who spends his life writing JS things. We spoke about managing auth tokens, identity persistence across sessions, service workers, CORS, third party libraries (and their vulnerabilities), client side validation considerations, anti-forgery tokens and much, much more. This is a 1 hour and 13 minute "Play...

I was chatting to some folks at a bank just the other day about a bunch of modern web security standards. Whilst this blog post is about a Pluralsight course I created with Lars Klint, it only really hit me during that bank conversation just how much there is to take onboard when it comes to securing things in the browser today. Let me paraphrase: Bank: We're thinking of using SRI to protect malicious modification of scripts we load in from a partner. Me: Ok, but be conscious that means they can never change those scripts without you first modifying the integrity attribute on your script tags and you need time to push that out so as not to break...

Usually when we talk about information security, we're talking about the mechanics of how things work. The attacker broke into a system due to a reused password, there was SQL injection because queries weren't parameterised or the company got ransomware'd because they didn't patch their things. These are all good discussions - essential discussions - but there's a broader and perhaps even more important one that we need to have and that's about the security culture within organisations. This is something that's been on my mind for a while, but it really hit me back in September when I was over in Salt Lake City for Pluralsight's LIVE conference. I did a bunch of customer meetings which essentially meant saying...

Regular readers will know I create a lot of Pluralsight courses. It's now 5 years ago I started writing my first one which incidentally, is still my highest rated course every month (apparently the OWASP Top 10 as it relates to ASP.NET is still a big thing). Most of the time, the courses I create are on topics I know well, primarily on security but occasionally with a bit of cloud and development practices sprinkled in for variety. This one, however, is different. Per the title of this blog, my latest course is on using virtual machines for development and the main reason it's "my" course is because Orin Thomas has done all the work! This is...

As many followers know, I run a workshop titled Hack Yourself First where I spend a couple of days with folks running through all sorts of common security issues and, of course, how to fix them. I must have run it 50 times by now so it's a pretty well-known quantity, but there's one module more than any other that changes at a fierce rate - HTTPS. I was thinking about it just now when considering how to approach this post launching the new course because let's face it, I've got a lot of material focusing on the topic already. But then I started thinking about the rate of change; just since the beginning of last year, here's a bunch...

It's another Pluralsight course! I actually recorded Emerging Threats in IoT with Lars Klint back in June whilst we were at the NDC conference in Oslo. It's another "Play by Play" course which means it's Lars and I sitting there having a conversation like this: We choose to talk about IoT because frankly, it's fascinating. There's just so many angles to security in otherwise everyday devices, for example: The collection of never-before digitised data (adult toys are a perfect example) Vulnerabilities in the cloud services behind IoT (they're just websites, after all) Risks in the devices themselves that expose data (such as Bluetooth PINs) Risks which expose the network (LIFX leaked the wifi password) Risks which result in...

I've been really actively involved with building things on Microsoft's Azure cloud for probably about 4 or 5 years now. Many of you will know already that Have I been pwned (HIBP) was built from the ground up on Azure (in fact, one of the reasons I built the service was to play with Azure "in anger"!), what less people know is the work I'd been doing before that. In my previous life looking after Pfizer's software architecture in this corner of the world, I was pushing hard to move apps we were building into Azure, in particular the PaaS constructs they have available. Time and time again, the discussion would go like this: Vendor: (Pfizer outsourced all...

It's a great time for HTTPS. Actually, there's never been a better time and as each day goes by, we see constant reminders of how important it is. Someone sent me a great example of this just the other day by virtue of a bug that had been lodged with Mozilla: Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International is not wanted and was put there without our permission. Please remove it immediately. We have our own security system and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business. If this sounds a...