Security

A 414-post collection

SSL is not about encryption

It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process. Last week I wrote a (slightly) tongue-in-cheek post about the Who’s who of bad password practices [https://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html]. I was critical of a number of sites not implementin...

Who’s who of bad password practices – banks, airlines and more

Ah, passwords. Love ‘em or hate ‘em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better. Of course we frequently don’t do this because of all sorts of human factors such as convenience, memory or simple unawareness...

Why your app’s security design could affect sales of Acai berries

Here’s the thing about securing credentials in web apps; you’re not just responsible for securing your application, you’re also responsible for securing your customer’s identities. Let me demonstrate: 123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese These 25 passwords were used a total of 13,411 times by people with Gawker...

OWASP Top 10 for .NET developers part 6: Security Misconfiguration

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] If your app uses a web server, a framework, an app platform, a database, a network or contains any code, you’re at risk of security misconfiguration. So that would be all of us then. The truth is, software is complex business. It’s not so much that the practice of writing code is tricky (in fact I’...

OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF)

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] If you’re anything like me (and if you’re reading this, you probably are), your browser looks a little like this right now: A bunch of different sites all presently authenticated to and sitting idly by waiting for your next HTTP instruction to update your status, accept your credit card or email...

Do you trust your hosting provider and have they really installed the padding oracle patch?

Finally they’ve delivered! Earlier today the much awaited padding oracle patch was released by Microsoft. As usual, Scott Guthrie has written about it and you can find all the info in ASP.NET Security Update Now Available [http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx]. It’s not a moment too soon either. According to Thai Duong [http://vnhacker.blogspot.com/], half of the duo responsible for bringing the vulnerability in ASP.NET to public awarenes...

Why sleep is good for your app’s padding oracle health

The last week hasn’t been particularly kind to ASP.NET, and that’s probably a more than generous way of putting it. Only a week ago now, Scott Guthrie wrote about an Important ASP.NET Security Vulnerability [http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx]; the padding oracle exploit. I watched with interest as he was flooded with a barrage of questions (316 as of now) and realised that whilst he’d done his best to explain the mitigation, he obvio...

Fear, uncertainty and the padding oracle exploit in ASP.NET

You’ve gotta feel a bit sorry for Scott Guthrie. Microsoft’s developer division VP normally spends his time writing about all the great new work his team is doing and basking in the kudos of loyal followers. But not this weekend. Unfortunately his latest post [http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx] has been all about repeating the same dire message; ASP.NET has a major security flaw posing a critical vulnerability to millions of websites...

OWASP Top 10 for .NET developers part 4: Insecure direct object reference

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Consider for a moment the sheer volume of information that sits out there on the web and is accessible by literally anyone. No authentication required, no subversive techniques need be employed, these days just a simple Google search can turn up all sorts of things. And yes, that includes content wh...

My security podcast chat on Talking Shop Down Under

A couple of Saturdays back I had a chat with Richard Banks [http://www.richard-banks.org] on the Talking Shop Down Under [http://www.talkingshopdownunder.com] podcast about web application security while at “Developer Developer Developer!” in Sydney [http://www.dddsydney.com/]. It’s now online here: Episode 22 - Troy Hunt on Developers and Security [http://www.talkingshopdownunder.com/2010/07/episode-22-troy-hunt-on-developers-and.html]. It’s a funny thing, podcasts; there are no second takes...