I’ve just published my eighth Pluralsight course – Secure Account Management Fundamentals [http://www.pluralsight.com/courses/secure-account-management-fundamentals] – and it’s all about the things we need to do to properly look after the valuable customers that use the services we developers build. Normally when I launch a new course I’d write up a bunch of detail on what it’s all about but this time, I thought I’d reproduce a collection of the discussions I’ve had with many people over many ye...

It was the story that got weirder and weirder and will likely remain the high water mark for impactful security breaches for, well, probably not very long given this industry! Be that as it may, the Sony saga was unprecedented in many ways and it provoked some really interesting discussions. A couple of weeks back I suggested that many of us are working for the next Sony Pictures [https://www.troyhunt.com/2014/12/are-you-working-for-next-sony-pictures.html] insofar as a lot of the atrocious pr...

Clearly, Sony Pictures has had a rather bad time of it lately. First there were the threats from the alleged attackers, then the beginning of internal data dumps that now total tens of GB already, then the embarrassing internal email leaks, then the threats of 9/11 style attacks and now pulling the launch of “The Interview” because allegedly, the North Koreans don’t share their sense of humour. This is, without a doubt, the bizarrest of hacks in an industry where bizarre is par for the course....

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure] Remember the good old days when a website used to be nothing more than a bunch of files on a web server and a database back end? Life was simple, easy to manage and gloriously inefficient. Wait – what? That’s right, all we had was a hammer and we consequently treated every challen...

The phone rings from a concealed number and you pick up: Hello? Silence. More silence. Eventually a foreign voice enters: Hi, this is your bank, we need you to verify some details. This is the point where you should be disclosing absolutely nothing, at least nothing that is not known already which is probably just your phone number and perhaps your name if they’ve greeted you with it. No, I’m not revealing my address or my account numbers or my password because frankly, I don’t trust you....

I heard about this guy, walked into a federal bank with a portable phone, handed the phone to the teller, the guy on the other end of the phone said: “We got this guy’s little girl, and if you don’t give him all your money, we’re gonna kill ‘er.” Did it work? F**kin’ A it worked, that’s what I’m talkin’ about! Knucklehead walks in a bank with a telephone, not a pistol, not a shotgun, but a f**kin’ phone, cleans the place out, and they don’t lift a f**kin’ finger. Did they hurt the little g...

As feature releases go, this is not exactly a killer, but to my surprise it was one that was requested quite frequently. It turns out that people really wanted to be able to keep abreast of new breaches and pastes in Have I been pwned? [https://haveibeenpwned.com/] (HIBP) via RSS. Not only is that a perfectly reasonable request, but it was also an easy one to get on top of so here it is! There are two RSS feeds both linked in from various places on the site including in the navigation. For your...

Here’s a conundrum for you: would you trust this page with your credit card? It has HTTPS and it has a GoDaddy logo with a padlock (if the significance of this is lost on you, my thoughts on both GoDaddy [https://www.troyhunt.com/2014/06/moving-from-godaddy-to-dnsimple.html] and padlock icons [https://www.troyhunt.com/2011/07/padlock-icon-must-die.html] are well documented), so from a casual glance, it’s ok, right? But what if the SSL implementation looked like this [https://www.ssllabs.com/s...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]It seems like every time I turn around there’s something I haven’t seen in Azure. If I’m honest, it leaves me in a perpetual state of “Oh man, there is so much stuff I don’t know”. I suspect that resonates with many readers of this blog because there’s just so much stuff to keep on...

I’ve been doing a lot of talking about API security recently because frankly, there’s a lot to talk about. Those little web services that sit behind the rich client apps on our devices and increasingly behind our Internet of Things have a nasty habit of having some really serious vulnerabilities in them. I’m talking about everything from leaking data to allowing unauthorised users to perform actions they shouldn’t be allowed to all the way through to entirely useless SSL implementations because...