Security

So I’m at the DevSum conference in Stockholm [http://www.devsum.se/speaker/troy-hunt/] and yesterday afternoon was busily preparing for my talk, Hack Yourself First. It’s a talk I’ve done many times before and it always rocks not just based on the attendee feedback, but because frankly I just have a lot of fun doing it (you can watch a recording from Yow! in December [https://yow.eventer.com/yow-2014-1222/hack-yourself-first-go-on-the-cyber-offence-before-online-attackers-do-by-troy-hunt-1698]...

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...

There was a bit of discussion down here recently about how the National Australia Bank (NAB) has requested their SSL stats be withheld from showing up in the SSL Labs test [https://www.ssllabs.com/ssltest] that which has become so popular in recent times. It’s a great way of identifying what’s good and what bad about an SSL implementation and indeed, it appears that NAB has pulled their stats: Which, of course, looks enormously suspicious. You don’t pull your stats when you have a good result...

Sometimes, good ideas take a while to materialise. The penny only dropped on just how long some of them take when I was going back through my Pluralsight notes just the other day and found this: That was March last year and an awful lot of water has gone under the bridge since then. But it seemed like a really good idea at the time and inevitably, it was. I’d find a willing “muse” with a suitable website then go to town on it, critiquing everything that could possibly we wrong with it. This w...

I’m not often astounded by the woefulness of a security practice any more, but every now and then there’s a notable exception. Take this one, for example: > @BetfairHelpdesk [https://twitter.com/BetfairHelpdesk] Is it right that all one needs to change their password is their username and date of birth? — Paul Sawers (@psawers) April 23, 2015 [https://twitter.com/psawers/status/591279641828143104] Yes, that’s exactly what it looks like and just for the sake of posterity should those Betfair r...

I was preparing for a talk last weekend where I wanted to show the sorts of bad mobile app behaviours you can readily find using Telerik’s Fiddler [http://www.telerik.com/fiddler]. Now I’ve spent quite a bit of time over the years looking at the behaviour of the apps we use every day on our phones, in fact it was nearly four years ago that I wrote Secret iOS business; what you don’t know about your apps [https://www.troyhunt.com/2011/10/secret-ios-business-what-you-dont-know.html] and called out...

This content is now available in the Pluralsight course "Getting Started with CloudFlare Security" [http://www.pluralsight.com/courses/cloudflare-security-getting-started]As you may be well aware by this, Microsoft’s Azure gets me rather excited [https://www.troyhunt.com/search/label/Azure]. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have...

Back in December, I was privileged enough to be asked along to the Yow! Conference [http://yowconference.com.au/] road show down here in Australia. I say “road show” as myself and a bunch of speakers from around the world spent a couple of days in Melbourne, a weekend up in sunny Queensland, a couple of days in Brisbane then jetted down to Sydney and spent a couple of days there. It was pretty much the same content in each city, but obviously different audiences. This was my first Yow! and it w...

A little while back I wrote about The Conversation [https://www.troyhunt.com/2015/01/introducing-secure-account-management.html], that’s the one I often have with developers looking to build web applications which need to manage accounts but who perhaps haven’t quite thought through all the ins and outs of it. That was also the launch of a new Pluralsight course Secure Account Management Fundamentals [http://www.pluralsight.com/courses/secure-account-management-fundamentals] which goes through...

If I’m honest, I always found it a bit unusual to get this question: “How do I secure my Angular apps?” I mean, Angular is just JavaScript that runs in the client and a few HTML directives. Ok, it’s very good JavaScript and I don’t mean to trivialise the framework in any way whatsoever, but all the security grunt work still needs to happen on the server. Angular will do nothing for your SQL injection or your lack of access controls on server resources or any of the other really nasty security...