Pluralsight

A 59-post collection

It’s more Pluralsight, it’s more website attacks and it’s more security

How much really changes in only three short years in the world of application security? Ok, a few sites get owned and some nasty hackers come up with some new ways of making some poor developers' lives a misery but that’s about the extent of it, right? Yeah, turns out it’s a lot more complex than that. The very first course I wrote for Pluralsight and the one that continues to be the most popular is the OWASP Top 10 Web Application Security Risks for ASP.NET [http://pluralsight.com/training/Cour...

Get hacked, get trained for free - the web security crisitunity

If I’m honest, I’ll admit to a certain degree of schadenfreude when Tesco got hacked recently [http://www.bbc.com/news/technology-26171130], I mean I did call these risks out a long time ago [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] and they did choose to largely ignore them. What struck a bit of a nerve though was not just that they got hacked after turning a blind eye to the issues I’d found, it’s that by all accounts, they were compromised by very well-known ri...

New Pluralsight course: Web Security and the OWASP Top 10 – “The Big Picture”

And now for my fourth Pluralsight instalment: more OWASP [http://pluralsight.com/training/courses/TableOfContents?courseName=web-security-owasp-top10-big-picture]! Wait – hasn’t this been done already?! Yes and no. My first course from April last year was OWASP Top 10 Web Application Security Risks for ASP.NET [http://pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] and as the title suggests, it contains a heap of stuff on how OWASP applies to...

Pineappling all the things in Utah

I just had an absolutely tremendous trip over to Salt Lake City for the annual Pluralsight authors’ summit where 100 or so of us got together with the Pluralsight folks and talked about many wonderful things. Included in that time were a number of “lightning talks” or in other words, presos limited to 5 minutes during which you make as much impact as you possibly can. Clearly this called for me to break out the trusty wifi Pineapple [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaki...

Revealing the security secrets within ASP.NET with Pluralsight

Did you know that every time you submit a Web Forms page it sends a hash-based message authentication code with it so that the website can ensure the View State hasn’t been tampered with? Or that every time you use the MVC Razor syntax to emit anything to the page it HTML encodes it? Unless, of course, you’re using the Html.Raw helper – oh and that none of that does you any good in the JavaScript and CSS contexts or the HTML attribute context? Were you aware that ASP.NET limits the size of the...

Pluralsight and the Crystal Microphone

It may sound like a Tintin adventure, but the Crystal Microphone is far from make believe and as it turns out, one of the fabled awards now adorns my desk: The engraving is self-explanatory and I’m enormously proud of the success of Hack Yourself First: How to go on the Cyber-Offense [http://pluralsight.com/training/Courses/TableOfContents/hack-yourself-first]. It went to the top 10 very quickly at a time when there were 700 other courses vying for eyeballs and several months on it’s rated 4...

You are cordially invited to hack me first (and get free stuff!)

No really, that’s the whole idea and it goes back to my post from a couple of days ago about my new Pluralsight course [https://www.troyhunt.com/2013/08/its-time-to-hack-yourself-first-with.html]. You see what normally happens when you create a course is that you hand over all the code used in the videos and then if you’re a plus subscriber [http://pluralsight.com/training/Products/ExerciseFiles] you get to download it and have a play. That’s just great, but the thing with my Hack Yourself First...

It’s time to Hack Yourself First, with help from Pluralsight

Earlier this year I was doing my usual trick of browsing websites and writing about things that were readily observable with regards to some rather ordinary security practices. When I say “readily observable” I’m talking about things such as cookies not flagged as HttpOnly [https://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html] or SSL login forms embedded into HTTP pages [https://www.troyhunt.com/2013/06/the-security-futility-that-is-embedding.html]. This stuff is just so easy to...

Introducing the OWASP Top 10 Web Application Security Risks for ASP.NET on Pluralsight

I’ve been a little bit busy the last few months and here’s why – my first Pluralsight course, the OWASP Top 10 Web Application Security Risks for ASP.NET [http://www.pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks]. Actually, if I’m honest, it’s been a lot longer than that in the making as my writing about the OWASP Top 10 goes all the way back to right on three years ago now. It began with the blog series [https://www.troyhunt.com/2010/05/owasp...