I’m used to seeing short-sighted responses on Twitter when it comes to security, but admittedly this one took me by surprise: [https://twitter.com/vBZachery/status/471161211401555968] This was from a vBulletin “Tech Support Guy” as part of a thread about the security profile of the website MMO Champion [http://www.mmo-champion.com/], a World of Warcraft discussion site. This is a site that allows you to register with a username and password, store your date of birth (and hide it from public v...

Be honest now – how many of you are metaphorically shackled to your PCs day in and day out? Keeping in mind that I largely speak to an audience that earns a living by spending the majority of their day in front of screens, a great deal of people reading this just aren’t making enough time to literally see the light of day. Admittedly, I’m one of those screen-bound people that puts in a whole lot of hours coding, blogging, recording, emailing and partaking in all sorts of other byte-driven activi...

Last month I headed over to the totally awesome conference that was Codemania in Auckland, New Zealand (for international readers, it’s like Australia but with stranger accents and more hobbits). I spoke on… security! Imagine that? More specifically, I spoke about “Hacking Yourself First” which is all about teaching developers to identify risks in their own software before someone else does! If this sounds interesting (and if you’re building software for the web, it should), the talk is based...

Here’s how it usually works: someone big gets hacked or a serious risk gets disclosed then all sorts of articles pop up with journos quoting people like myself on all the same questions that inevitably get asked. I’ve been doing a bit of that today in the wake of the eBay attack so I thought that rather than just have these one on one conversations which then get dispersed all over the place, I’d capture a bunch of responses from discussions I’ve had here. Just one more thing – it’s very early...

Back in the day when the British had a penchant for conquering the world, they ran into a little problem on the subcontinent; cobras. Turns out there were a hell of a lot of the buggers wandering around India and it also turned out that they were rather venomous which didn’t sit well with the colonials. Ingenious as the British were, they decided to offer the citizens a bounty – you hand in dead cobras that would otherwise have bitten some poor imperialist and you get some cash. Problem solved....

Remember view state? This was the massive kludge of hidden input data in an ASP.NET web forms page which tried to create quasi-persistence between requests in what is otherwise the stateless world of HTTP. Actually saying “was” isn’t that fair as indeed web forms apps make up the vast majority of ASP.NET sites out there today, but Microsoft’s implementation of MVC tends to be viewed as the new shiny thing that many of us have gravitated towards in recent years. That said, when I created my recen...

Ever notice how in hindsight, most of the online attacks we see could have been easily prevented? Granted, we tend to have 20:20 vision when we’re looking back, but take something like the Bell telco in Canada and their SQL injection attack the other day [https://www.troyhunt.com/2014/02/heres-how-bell-was-hacked-sql-injection.html]. Guys, it’s a simple matter of validating the untrusted data and parameterising the SQL statements. We know this – we’ve (the software community) had this discussion...

How much really changes in only three short years in the world of application security? Ok, a few sites get owned and some nasty hackers come up with some new ways of making some poor developers lives a misery but that’s about the extent of it, right? Yeah, turns out it’s a lot more complex than that. The very first course I wrote for Pluralsight and the one that continues to be the most popular is the OWASP Top 10 Web Application Security Risks for ASP.NET [http://pluralsight.com/training/Cour...

Day 16: The news headlines continue. Conspiracy theories keep emerging. The FUD evolves as people take further liberties with the truth (no mate, you didn’t get done by Heartbleed, you just chose a crap password). A few days ago I caught up with Richard Campbell of RunAs Radio fame to talk about Heartbleed [http://www.runasradio.com/default.aspx?showNum=365]. You may remember Richard from such .NET Rocks episodes as talking security with Carl, Richard and Troy [https://www.troyhunt.com/2012/01/...

If I’m honest, I’ll admit to a certain degree of schadenfreude when Tesco got hacked recently [http://www.bbc.com/news/technology-26171130], I mean I did call these risks out a long time ago [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] and they did choose to largely ignore them. What struck a bit of a nerve though was not just that they got hacked after turning a blind eye to the issues I’d found, it’s that by all accounts, they were compromised by very well-known ri...