Automated database releases with TeamCity and Red Gate

Databases have long been the poor cousin of the application tier when it comes to many of the processes we take for granted in the .NET world. Source control management, for example, is near ubiquitous for application files and there are several excellent VCS products which make versioning a breeze. Continuous integration is another practice which although not as common, is still frequently present in a robust application lifecycle. Of course the problem is that database objects don’t exist as...

The unnecessary evil of the shared development database

Who remembers what it was like to build web apps on a shared development server? I mean the model where developers huddled around shared drives mapped to the same UNC path and worked on the same set of files with reckless abandon then fired them up in the browser right off the same server. Maybe this is an entirely foreign concept to you but I certainly have vivid memories from the late 90s of building classic ASP apps (ye olde VB script) in Dreamweaver, side by side my fellow developers working...

SSL is not about encryption

It’s about assurance. It’s about establishing a degree of trust in a site’s legitimacy that’s sufficient for you to confidently transmit and receive data with the knowledge that it’s reaching its intended destination without being intercepted or manipulated in the process. Last week I wrote a (slightly) tongue-in-cheek post about the Who’s who of bad password practices [https://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html]. I was critical of a number of sites not implementin...

Who’s who of bad password practices – banks, airlines and more

Ah, passwords. Love ‘em or hate ‘em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better. Of course we frequently don’t do this because of all sorts of human factors such as convenience, memory or simple unawareness...

Continuous web application security scanning with Netsparker and TeamCity

Late last year I got all excited about continuous deployment with TeamCity when I wrote a five part series [https://www.troyhunt.com/2010/11/you-deploying-it-wrong-teamcity.html] on using it in conjunction with web deploy. I then went on to write about Continuous code quality measurement with NDepend and TeamCity [https://www.troyhunt.com/2010/12/continuous-code-quality-measurement.html] and Continuous project statistics with StatSVN and TeamCity [https://www.troyhunt.com/2010/12/continuous-proj...

Why your app’s security design could affect sales of Acai berries

Here’s the thing about securing credentials in web apps; you’re not just responsible for securing your application, you’re also responsible for securing your customer’s identities. Let me demonstrate: 123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese These 25 passwords were used a total of 13,411 times by people with Gawker...

Continuous project statistics with StatSVN and TeamCity

Yesterday I wrote about Continuous code quality measurement with NDepend and TeamCity [https://www.troyhunt.com/2010/12/continuous-code-quality-measurement.html] where I looked at nightly builds that assessed code quality using the very excellent NDepend. These reports are great and it’s easy to configure but you need to make both a dollar investment in the software and an education investment to really understand the metrics and how they relate to code quality. What’s nice about StatSVN [http:...

Continuous code quality measurement with NDepend and TeamCity

I love a good set of automatically generated code metrics. There’s something about just pointing a tool at the code base and saying “Over there – go and do your thing” which really appeals to the part of me that wants to quantify and measure. I think part of it is the objectiveness of automated code analysis. Manual code reviews are great, but other than the manual labour issue, there’s always that degree of subjectiveness humans bring with them. Of course code reviews are still important, b...

OWASP Top 10 for .NET developers part 6: Security Misconfiguration

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] If your app uses a web server, a framework, an app platform, a database, a network or contains any code, you’re at risk of security misconfiguration. So that would be all of us then. The truth is, software is complex business. It’s not so much that the practice of writing code is tricky (in fact I’...

My SQL Source control article on Simple-Talk

I’ve previously written about Rocking your SQL Source Control world with Red Gate [https://www.troyhunt.com/2010/07/rocking-your-sql-source-control-world.html] and was bullishly optimistic about the potential for finally providing the means for simple, effective version control of database objects. It turns out the post struck a chord with the folks at Red Gate and they asked me if I’d like to contribute to an article in Simple-Talk [http://www.simple-talk.com], a fantastic bi-monthly newsletter...