Finally they’ve delivered! Earlier today the much awaited padding oracle patch was released by Microsoft. As usual, Scott Guthrie has written about it and you can find all the info in ASP.NET Security Update Now Available [http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx] . It’s not a moment too soon either. According to Thai Duong [http://vnhacker.blogspot.com/], half of the duo responsible for bringing the vulnerability in ASP.NET to public awarenes...

The last week hasn’t been particularly kind to ASP.NET, and that’s probably a more than generous way of putting it. Only a week ago now, Scott Guthrie wrote about an Important ASP.NET Security Vulnerability [http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx] ; the padding oracle exploit. I watched with interest as he was flooded with a barrage of questions (316 as of now) and realised that whilst he’d done his best to explain the mitigation, he obvio...

You’ve gotta feel a bit sorry for Scott Guthrie. Microsoft’s developer division VP normally spends his time writing about all the great new work his team is doing and basking in the kudos of loyal followers. But not this weekend. Unfortunately his latest post [http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx] has been all about repeating the same dire message; ASP.NET has a major security flaw posing a critical vulnerability to millions of websites...

I got a little stumped this week and turned to the fountain of software knowledge, also known as Stack Overflow [http://stackoverflow.com], with a question about Missing popout class in ASP.NET menu for nodes without a URL [http://stackoverflow.com/questions/3697634/missing-popout-class-in-asp-net-menu-for-nodes-without-a-url] . The problem is simply this; let’s take the following Web.sitemap file: <?xml version="1.0" encoding="utf-8" ?> <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteM...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Consider for a moment the sheer volume of information that sits out there on the web and is accessible by literally anyone. No authentication required, no subversive techniques need be employed, these days just a simple Google search can turn up all sorts of things. And yes, that includes content wh...

Internet Explorer 6; will this thing ever die?! Now 9 years old – and superseded for almost half that time – it remains the bane of web developers’ lives the world over. Even YouTube and Google have jumped on the anti-IE6 bandwagon [http://mashable.com/2010/02/23/youtube-ie6/] but the browser people love to hate remains the cockroach of the nuclear fallout that is standards-compliant ire. There have been glimpses of hope and reports of it waning into obscurity [http://mashable.com/2010/06/01/i...

Yes, it’s the new iPhone 4. No, I didn’t camp outside Apple all night, there’s nothing wrong with the signal quality and yes, I hold it any damn way I like! Now that we’ve covered off all the usual questions, let me get to the heart of the matter. I picked up a couple of new iPhones (because I’m a caring husband!) a few hours after they launched in Australia. Exclusivity doesn’t last long and whilst the novelty factor is still high, a lot of friends and family are asking “why?”. Why move from...

A couple of Saturdays back I had a chat with Richard Banks [http://www.richard-banks.org] on the Talking Shop Down Under [http://www.talkingshopdownunder.com] podcast about web application security while at “Developer Developer Developer!” in Sydney [http://www.dddsydney.com/]. It’s now online here: Episode 22 - Troy Hunt on Developers and Security [http://www.talkingshopdownunder.com/2010/07/episode-22-troy-hunt-on-developers-and.html] It’s a funny thing, podcasts; there are no second takes...

I knew it was going to be good before even seeing it. After all, SQL Source Control [http://www.red-gate.com/products/sql_source_control/index.htm] is from the guys who brought us SQL Compare [http://www.red-gate.com/products/SQL_Compare/index.htm] and Data compare [http://www.red-gate.com/products/SQL_Data_Compare/index.htm], two of my all-time favourite tools in the “stuff that would be a real pain to do without” category. They’re tools I tend to berate developers for not having and have regul...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Authenticating to a website is something most of us probably do multiple times every day. Just looking at my open tabs right now I’ve got Facebook, Stack Overflow, Bit.ly, Hotmail, YouTube and a couple of non-technology forums all active, each one individually authenticated to. In each case I trust...