I’ve long been a proponent of “hacking yourself first”, that is the idea of building up some offensive skills such that you can actually take a good shot at ethically breaking apps for the betterment of society. Whether they’re you’re own apps that you’ve built or ones you’re testing part of a dev team doesn’t really matter, it’s the same skills and the same end result – you find bad stuff before bad people do. What I can now share with everyone is that over the last few months, I’ve been work...

So the dust has finally settled. A month ago I wrote about </pfizer> [https://www.troyhunt.com/2015/04/today-marks-two-important-milestones.html] which marked my departure from the corporate world after spending the last 14 years building and managing their software things across a good whack of the world. With that chapter now formally closed, it’s time to talk about the next phase. It’s time to talk about Pluralsight [http://www.pluralsight.com/]. The path to Pluralsight It was 2012 when I...

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test [https://www.ssllabs.com/ssltest] that which has become so popular in recent times. It’s a great way of identifying what’s good and what bad about an SSL implementation and indeed, it appears that NAB has pulled their stats: Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result...

Sometimes, good ideas take a while to materialise. The penny only dropped on just how long some of them take when I was going back through my Pluralsight notes just the other day and found this: That was March last year and an awful lot of water has gone under the bridge since then. But it seemed like a really good idea at the time and inevitably, it was. I’d find a willing “muse” with a suitable website then go to town on it, critiquing everything that could possibly we wrong with it. This w...

I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example: > @BetfairHelpdesk [https://twitter.com/BetfairHelpdesk] Is it right that all one needs to change their password is their username and date of birth? — Paul Sawers (@psawers) April 23, 2015 [https://twitter.com/psawers/status/591279641828143104] Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair r...

I was preparing for a talk last weekend where I wanted to show the sorts of bad mobile app behaviours you can readily find using Telerik’s Fiddler [http://www.telerik.com/fiddler]. Now I’ve spent quite a bit of time over the years looking at the behaviour of the apps we use every day on our phones, in fact it was nearly four years ago that I wrote Secret iOS business; what you don’t know about your apps [https://www.troyhunt.com/2011/10/secret-ios-business-what-you-dont-know.html] and called out...

Today marks two important milestones for me – it’s the first time I’ve ever mentioned Pfizer [http://www.pfizer.com] on this blog and after 14 years, it’s my last day working for them. Both those milestones are significant and in their own ways, mark a pivotal point in my career. For those that are interested, I’d like to tell you what I’ve been doing in recent years and give a hint of what will come next. “Architect” There’s this odd thing that tends to happen in many peoples’ careers and I...

I’ve been having a few sleepless nights lately worrying about the big one. The big “what”, you ask? I mean another massive data breach the scale of Adobe back in 2013, you know, the one where they had a 153 million user accounts wander out the door. If I had to load those into Have I been pwned? [https://haveibeenpwned.com/] (HIBP), frankly I’m not sure how I’d do it. Or at least I wasn’t sure. When I first wrote about how I built the system [https://www.troyhunt.com/2013/12/working-with-154-mi...

This content is now available in the Pluralsight course "Getting Started with CloudFlare Security" [http://www.pluralsight.com/courses/cloudflare-security-getting-started]As you may be well aware by this, Microsoft’s Azure gets me rather excited [https://www.troyhunt.com/search/label/Azure]. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have...