I just had an absolutely tremendous trip over to Salt Lake City for the annual Pluralsight authors’ summit where 100 or so of us got together with the Pluralsight folks and talked about many wonderful things. Included in that time was a number of “lightening talks” or in other words, presos limited to 5 minutes during which you make as much impact as you possibly can. Clearly this called for me to break out the trusty wifi Pineapple [https://www.troyhunt.com/2013/04/the-beginners-guide-to-breaki...

As prophesised, it has happened – Tesco has had a serious security incident [http://www.bbc.co.uk/news/technology-26171130]. The prophecy, for new readers, was my piece on Lessons in website security anti-patterns by Tesco [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] from a couple of years back. The catalyst for that post was this now infamous tweet in response to my pointing out that they had mixed content on an otherwise secure page: [https://twitter.com/Tesco/sta...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]“The Cloud” is infinite. It can scale to eternity. It’s entirely redundant and resilient to any outage. Except when it isn’t: And when it isn’t, stuff kinda stops working: Why is it always at 2am that stuff goes offline?! Hey, it happens, even though there are those who d...

In the end, I decided the fairest, most balanced way was to piss everyone off equally. Of course I’m talking about API versioning and not since the great “tabs versus spaces” debate have I seen so many strong beliefs in entirely different camps. Imagine this: HTTP GET: https://haveibeenpwned.com/api/breachedaccount/foo Response: ["Adobe","Gawker"] This was just fine. When I built Have I been pwned? [https://haveibeenpwned.com] (HIBP) in late November, it was intended to be a simple, fas...

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]Yes, yes, it’s happened again – OWASP’s number one risk in the Top 10 [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] has featured prominently in a high-profile attack this time resulting in the leak of over 40,000 records from Bell in Canada [http://o.canada.com/technology/bell-canada-security-breach-391451/]. I...

Let’s just start here [https://www.smashwords.com/about/supportfaq]: Allow me to provide a technical security perspective on this – it’s complete bullshit. More specifically, you’re seeing this because whoever designed the Smashwords site screwed up and embedded insecure content in a page loaded over a secure connection. So what does this look like? Here’s an example in Internet Explorer: But more importantly, what does it actually mean? Short answer: you can’t trust the page any more tha...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure] Yesterday I wrote part 1 of this 2 part series [https://www.troyhunt.com/2014/01/azure-will-save-you-from-unexpected.html] and explained the Godzilla redundant approach of storage in Azure. Each bit of data you put into Azure storage gets replicated multiple times over within the...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]The other day I wrote about how I’d implemented the notification service behind Have I been pwned? [https://www.troyhunt.com/2014/01/behind-notification-service-of-have-i.html] and I pointed out how I’d used SQL Azure to manage the data associated with this part of the service. Ye...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]I’ve had a recurring discussion with a number of well-meaning people (WMPs) recently which has gone kind of like this: WMP: We’re going to build you a web site and we’re going to use Azure. Me: Awesome! So you’d use an Azure Web Site service then? WMP: No, even better, we’re goi...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]Azure Web Sites are not your father’s hosting. The big thing you need to wrap your head around is that this model of standing up web sites moves us away from the classic paradigm of just firing up files over FTP then not thinking about the hosting again to one where serving content...