Dynamic security misconfiguration scanning with OnCheckin and ASafaWeb

Here’s the thing about security – you can’t just “do it” then move on. What I mean by this is that it’s a continuous process and thinking that you only need to just implement some secure coding standards or scan the website once before go live leaves a great big hole in your process. For example, the other day I wrote about how insecurity is easy [https://www.troyhunt.com/2013/05/security-is-hard-insecurity-is-easy.html] where I talked about how Black and Decker had exposed ELMAH logs. This is...

Understanding the risk of mixed content warnings

Ever see one of these? Or these? Or maybe this one? It means something is wrong with the website – very wrong – yet somehow we seem to keep building websites that do this. The problem, as you’ll see in the video below, is that it jeopardises the security of traffic going backwards and forwards over what otherwise appears to be a secure site, at least in terms of implementing SSL. This can lead to issues such as the theft of identity data, potentially including such personal information...

Understanding XSS – input sanitisation semantics and output encoding contexts

Cross site scripting (henceforth referred to as XSS) is one of those attacks that’s both extremely prevalent (remember, it’s number 2 on the OWASP Top 10 [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-2.html]) and frequently misunderstood. You’ll very often see some attempt at mitigating the risk but then find it’s easily circumvented because the developers weren’t fully aware of the attack vectors. Last week someone flicked me over a great example of this after having r...
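
The distinction the post draws, shown in code. This is an added example, not code from the post or from any library it mentions; the function names are illustrative. It shows a typical circumventable "sanitiser" next to one encoder per output context, and constructed payloads that get past the sanitiser but are neutralised by the context-appropriate encoder.

```javascript
// Added example (not code from the post): why stripping "bad" input is
// circumventable and why output encoding must match the context the value
// lands in. All function names here are illustrative, not a library API.

// The kind of "sanitiser" that looks like XSS protection but is not: it
// removes one tag and leaves every other vector in place.
function naiveSanitise(input) {
  return String(input).replace(/<script>/gi, '').replace(/<\/script>/gi, '');
}

// HTML body context: the five characters that can start or end markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// HTML attribute context: everything non-alphanumeric becomes a numeric
// entity, so the value cannot break out even of an unquoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string-literal context: \xHH / \uHHHH escapes are decoded by the
// JS parser but can never terminate the literal or the enclosing <script>.
// (HTML entities would be the wrong tool here; the JS parser does not decode them.)
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context.
function encodeForUrlParameter(s) {
  return encodeURIComponent(String(s));
}

// The same untrusted value rendered into four different contexts, each with
// the encoder for that context.
function renderSearchResult(term) {
  return {
    body: '<p>Results for ' + encodeForHtml(term) + '</p>',
    attribute: '<input value="' + encodeForHtmlAttribute(term) + '">',
    script: "<script>var term = '" + encodeForJavaScript(term) + "';</script>",
    link: '<a href="/search?q=' + encodeForUrlParameter(term) + '">search again</a>',
  };
}

// Constructed payloads: each gets through naiveSanitise unchanged or
// reassembled, and each is harmless once the right encoder is applied.
const PAYLOADS = {
  eventHandler: '<img src=x onerror=alert(1)>',     // no <script> tag at all
  nestedTag: '<scr<script>ipt>alert(1)</script>',    // reassembles after one pass
  attributeBreakout: '" onmouseover="alert(1)',      // closes the attribute
  scriptBreakout: "'; alert(1); //",                 // closes the JS string
};
```

The point to take from the payloads: `naiveSanitise` leaves the first untouched and turns the second into a working `<script>` tag, whereas the encoders never need to know what the attacker sent because they only care where the value is going.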

The responsibility of public disclosure

There’s this debate that goes round and round about a process that’s commonly known as responsible disclosure or in other words, notifying the owner of a system that their security sucks and giving them the opportunity to fix it rather than telling the great unwashed masses and letting them have at a vulnerable system. The theory goes that responsible disclosure is the ethical thing to do whilst airing website security dirty laundry publicly makes you an irresponsible cowboy, or something to th...

Security is hard, insecurity is easy – demonstrating a simple misconfiguration risk

One could argue that security is hard. Not all aspects of it, mind you, but the prevalence of website hacks would seem to indicate that plenty of people are struggling to get it right. On the other hand, insecurity can be very easy. What I mean by this is that sometimes it can be the smallest change to a website that blows the security wide open. Last week someone passed me a private note about Black and Decker, or more to the point, they passed me a link to an unsecured ELMAH log. For the uni...

Talking with Scott Hanselman on honeypots, pineapples and SSL

For many of you, Scott Hanselman [http://www.hanselman.com/] will need no introduction and is a very familiar face, voice and writer. Among the many good things that Scott does to support the web development community (and that’s not just the Microsoft folks either), he’s also the man behind the Hanselminutes podcast [http://www.hanselminutes.com/372/are-you-secure-wifi-honeypots-pineapples-and-ssl-with-troy-hunt] which I was very happy to join him on recently. In fact this remains one of the v...

Your login form posts to HTTPS, but you blew it when you loaded it over HTTP

Here’s an often held conversation between concerned website user and site owner: User: “Hey mate, your website isn’t using SSL when I enter my password, what gives?!” Owner: “Ah, but it posts to HTTPS so your password is secure! We take security seriously. Our measures are robust.” (and other random, unquantifiable claims) Loading login forms over HTTP renders any downstream transport layer security almost entirely useless. Rather than just tell you what’s wrong with this, let me show precise...
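
A static check for the two HTTPS mistakes in the mixed-content post above and in this one, written as an added example that is not code from either post; the function names are illustrative and the sample pages are constructed, not captured from any real site. It reports resources an HTTPS page pulls over plain http://, split into active content (scripts, frames, stylesheets) that can rewrite the page and passive content (images, media) that cannot, and password forms whose page arrived over HTTP regardless of where they post.

```javascript
// Added example (not code from either post): a static check, over constructed
// HTML, for mixed content and for login forms delivered over HTTP. Function
// names are illustrative. Tag matching is a simple regex, adequate for the
// samples here but not a substitute for a real HTML parser.

// Active content can rewrite the whole page if tampered with in transit;
// passive content cannot, which is why browsers treat the two differently.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'frame', 'link', 'object', 'embed']);
const PASSIVE_TAGS = new Set(['img', 'audio', 'video', 'source']);

// Yield { tag, value } for every element carrying the given attribute.
function* tagsWithAttribute(html, attr) {
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = new RegExp('\\b' + attr + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i');
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[2]);
    if (a) yield { tag: m[1].toLowerCase(), value: a[1] };
  }
}

// Resources an HTTPS page loads over plain http://, split by severity.
function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = { active: [], passive: [] };
  if (page.protocol !== 'https:') return findings; // nothing to "mix" on an http page
  for (const attr of ['src', 'href']) {
    for (const t of tagsWithAttribute(html, attr)) {
      if (attr === 'href' && t.tag !== 'link') continue; // <a href> is navigation, not a subresource
      let target;
      try { target = new URL(t.value, page); } catch (e) { continue; }
      if (target.protocol !== 'http:') continue; // https: and protocol-relative URLs are fine
      if (ACTIVE_TAGS.has(t.tag)) findings.active.push(target.href);
      else if (PASSIVE_TAGS.has(t.tag)) findings.passive.push(target.href);
    }
  }
  return findings;
}

// Password forms, with the distinction the post makes: where the form posts
// matters less than how the form itself was delivered.
function findLoginForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const results = [];
  let m;
  while ((m = formRe.exec(html)) !== null) {
    if (!/type\s*=\s*["']?password/i.test(m[2])) continue;
    const actionMatch = /\baction\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    const action = new URL(actionMatch ? actionMatch[1] : '', page);
    const loadedOverHttps = page.protocol === 'https:';
    const postsOverHttps = action.protocol === 'https:';
    results.push({
      action: action.href,
      loadedOverHttps,
      postsOverHttps,
      // An http:// page can be rewritten by anyone on the path before the
      // user ever sees it, so an https action alone proves nothing.
      safe: loadedOverHttps && postsOverHttps,
    });
  }
  return results;
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_HTTPS_PAGE = [
  '<html><head>',
  '<link rel="stylesheet" href="http://cdn.example/site.css">',
  '<script src="//cdn.example/app.js"></script>',
  '<script src="http://cdn.example/tracker.js"></script>',
  '</head><body>',
  '<img src="http://images.example/logo.png">',
  '<a href="http://other.example/">a plain link, not a subresource</a>',
  '</body></html>',
].join('\n');

const SAMPLE_LOGIN_FORM = '<form action="https://www.example/login" method="post">' +
  '<input name="user"><input name="pass" type="password"></form>';
```

Run `findMixedContent('https://www.example/', SAMPLE_HTTPS_PAGE)` and the stylesheet and tracker script come back as active findings while the logo is passive; run `findLoginForms` against the same form with an `http://` page URL and then an `https://` one and only the latter is reported safe, even though the form posts to HTTPS in both cases.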

Hack yourself first – how to go on the offence before online attackers do

The unfortunate reality of the web today is that you’re going to get hacked. Statistically speaking at least, the odds of you having a website without a serious security risk are very low – 14% according to WhiteHat’s State of Web Security [https://blog.whitehatsec.com/the-state-of-web-security/#.UY77SrVTDL9] report from a couple of weeks ago. Have enough websites for long enough (as many organisations do), and the chances of you getting out unscathed aren’t real good. There’s this great TEDx...

Clickjack attack – the hidden threat right in front of you

XSS protection: check! No SQL injection: check! Proper use of HTTPS: check! Clickjacking defences: uh, click what now?! This is one of those risks which doesn’t tend to get a lot of coverage but it can be a malicious little bugger when exploited by an attacker. Originally described by Jeremiah Grossman [http://jeremiahgrossman.blogspot.com.au/2008/10/clickjacking-web-pages-can-see-and-hear.html] of WhiteHat Security fame back in 2008, a clickjacking attack relies on creating a veneer of...
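
The precondition for the attack is that the victim page can be framed by the attacker's origin, so the defence is a response header. The following is an added example, not code from the post: it builds a constructed attacker page of the kind described, then decides from a response's headers whether a given attacker origin could frame the page. Function names are illustrative.

```javascript
// Added example (not code from the post): decide from a response's headers
// whether a page can be framed by a given attacker origin, which is the
// precondition for a clickjacking attack. Function names are illustrative.

// Constructed attacker page: the victim site sits in a transparent iframe on
// top of a decoy, so the user's click lands on the victim's button.
function buildClickjackPage(targetUrl) {
  return [
    '<button style="position:absolute;top:100px;left:100px">Claim prize</button>',
    '<iframe src="' + targetUrl + '" style="position:absolute;top:0;left:0;' +
      'width:100%;height:100%;opacity:0;z-index:2"></iframe>',
  ].join('\n');
}

// Pull the frame-ancestors source list out of a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source allow attackerOrigin? Handles 'none',
// 'self', *, scheme-optional hosts and *.host wildcards; ports and paths are
// ignored, which is enough for this demonstration.
function sourceMatches(src, pageOrigin, attackerOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return attackerOrigin.toLowerCase() === pageOrigin.toLowerCase();
  const attacker = new URL(attackerOrigin);
  const idx = s.indexOf('://');
  const scheme = idx >= 0 ? s.slice(0, idx) : null;
  const host = idx >= 0 ? s.slice(idx + 3) : s;
  if (scheme && scheme + ':' !== attacker.protocol) return false;
  if (host.startsWith('*.')) return attacker.hostname.endsWith(host.slice(1));
  return attacker.hostname === host;
}

// headers: response headers with lower-cased names. Returns whether the page
// is frameable from attackerOrigin and which header decided it.
function clickjackingRisk(headers, pageOrigin, attackerOrigin) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) {
    // When frame-ancestors is present, browsers that support it ignore
    // X-Frame-Options, so the CSP directive is the one to evaluate.
    const allowed = ancestors.some(src => sourceMatches(src, pageOrigin, attackerOrigin));
    return { frameable: allowed, decidedBy: 'frame-ancestors ' + ancestors.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, decidedBy: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { frameable: attackerOrigin.toLowerCase() === pageOrigin.toLowerCase(),
             decidedBy: 'X-Frame-Options: SAMEORIGIN' };
  }
  // ALLOW-FROM never had cross-browser support; anything else is no defence.
  return { frameable: true,
           decidedBy: xfo ? 'unrecognised X-Frame-Options: ' + xfo : 'no framing defence' };
}
```

With no header at all the page is frameable from anywhere; `X-Frame-Options: DENY` blocks every framer, `SAMEORIGIN` only the cross-origin ones, and a `frame-ancestors` directive replaces both, which is why a site that sets `DENY` but also ships `frame-ancestors https://*.partner.example` is still frameable from that partner's subdomains.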

Here’s why you can’t trust SSL logos on HTTP pages (even from SSL vendors)

A couple of days ago I wrote about Why I am the world’s greatest lover (and other worthless security claims) [https://www.troyhunt.com/2013/05/why-i-am-worlds-greatest-lover-and.html] and it really seemed to resonate with people. In short, whacking a seal on your website that talks about security awesomeness in no way causes security awesomeness. Andy Gambles gets that and shared this tweet with me: [https://twitter.com/andygambles/status/332065425485611008] So let’s check out exactly what’s...