troyhunt

Stories submitted by troyhunt

10 illustrated examples of Visual Studio 11 (www.troyhunt.com)

submitted by troyhunt (831) 1 month, 9 days ago

Visual Studio 11: it’s new and it’s grey but there’s more to it than just a dour monotone veneer. Here are 10 things that make it a step forward from the old.

2 comments | Views: 487

tags: another

67% of ASP.NET websites have serious config related vulnerabilities (www.troyhunt.com)

submitted by troyhunt (831) 1 month, 25 days ago

Actually, it’s even worse than that – it’s really 67.37%. It’s an alarmingly high number for what amounts to very simple configuration vulnerabilities. The numbers come courtesy of ASafaWeb, the Automated Security Analyser for ASP.NET Websites, which is a free online scanner at asafaweb.com. Let me walk you through these results and offer a bit of insight as to where things are going wrong when ASP.NET web sites are published. Hopefully this will be a bit of a “call to action” which helps developers understand where they might need to do a bit of tweaking in their apps.

1 comment | Views: 396

tags: another

Shhh… don’t let your response headers talk too loudly (www.troyhunt.com)

submitted by troyhunt (831) 3 months ago

Response headers are those little titbits of information your app is letting loose into the wild that you probably hadn’t even given a second thought. On the surface, this is innocuous data of no use to anyone, but dig a little deeper and suddenly it becomes quite useful to evildoers. Here’s a quick overview of what they are, why they can be a security concern, how to turn them off and also how to quickly test for them on your existing websites.

3 comments | Views: 188

tags: another

Making unit tests in SQL Server a first class citizen with Red Gate’s (www.troyhunt.com)

submitted by troyhunt (831) 3 months, 14 days ago

One area of unit testing that’s always been a little tricky is testing anything with a database dependency. In part, this is because those tests often end up being dependent on the data itself which, of course, can be highly volatile. But it’s also philosophically challenged in that if a unit test is to assess a discrete unit of code on the application tier then it probably shouldn’t have dependencies on the data tier. This is where Red Gate’s SQL Test comes in. It’s entirely self-contained within SSMS and all it does is test business logic in the database, just like those first class cousins in Visual Studio.

add a comment | Views: 3

tags: another

ASP.NET session hijacking with Google and ELMAH (www.troyhunt.com)

submitted by troyhunt (831) 4 months, 18 days ago

ELMAH is one of those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes. Yet, as the old adage goes, with great power comes great responsibility and if you’re not responsible with how you implement ELMAH, you’re also only a couple of minutes away from making session hijacking of your ASP.NET app – and many other exploits – very, very easy.

1 comment | Views: 267

tags: another

Free eBook: OWASP Top 10 for .NET developers (www.troyhunt.com)

submitted by troyhunt (831) 5 months, 8 days ago

I decided to turn the whole OWASP Top 10 for .NET developers series into an eBook. Oh – and give it away for free. No strings attached. So here it is, 255 pages of .NET web development security goodness. Please share it generously, chuck it on your eBook reader, email it to your mates, quote me, force your developers to print and read every page – whatever – it’s all yours.

1 comment | Views: 432

tags: another

OWASP Top 10 for .NET developers part 10: Unvalidated Redirects (www.troyhunt.com)

submitted by troyhunt (831) 5 months, 15 days ago

In the final instalment of the OWASP Top 10 for .NET developers we look at the risk of unvalidated redirects and forwards. This practice allows an attacker to use a legitimate, trustworthy URL to serve malicious content which could do anything from steal credentials to install malware. But mitigation is easy and this post shows the exploit in practice and how to prevent it in your .NET apps.

add a comment | Views: 7

tags: another

Beyond YSlow - Squeeeezing out website network performance (www.troyhunt.com)

submitted by troyhunt (831) 5 months, 20 days ago

How much improvement can be made on an already well-optimised site, I mean one that scores very well against existing performance yardsticks? How much faster can you go without spending dollars on a CDN? Turns out there are big gains to be made very quickly – and it costs just a tiny bit of development time.

2 comments | Views: 13

tags: another

OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer (www.troyhunt.com)

submitted by troyhunt (831) 5 months, 29 days ago

When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is encrypted over the network and you know it hasn’t been manipulated in transit. But unfortunately we often find sites lacking and failing to implement proper transport layer protection. Sometimes this is because of the perceived costs of implementation, sometimes it’s not knowing how and sometimes it’s simply not understanding the risk that unencrypted communication poses. Part 9 of this series is going to clarify these misunderstandings and show how to implement this essential security feature effectively within ASP.NET.

add a comment | Views: 33

tags: another

To the cloud! Performance testing ASafaWeb with AppHarbor (www.troyhunt.com)

submitted by troyhunt (831) 6 months, 13 days ago

AppHarbor – “the cloud” done right! Part of what makes it so right is a decent collection of great add-ons, one of which is Blitz for performance testing. What this means is that you can get your app up into the cloud then simulate some serious load in next to no time. And like all the good bits of AppHarbor, it’s completely free.

add a comment | Views: 10

tags: another

5 minute wonders: From zero to hero with AppHarbor (www.troyhunt.com)

submitted by troyhunt (831) 6 months, 26 days ago

AppHarbor is one of the hottest things to hit .NET since, well, just about ever. It packages up the entire app lifecycle of source control, build, deployment and hosting and makes it dead simple; in fact it couldn’t be easier. It then adds a comprehensive collection of add-ons to do everything from persisting data (MS SQL, MySQL, MongoDB) to caching services (Memcacher) to load testing (blitz). Here’s how to get up and running in only 5 minutes flat.

2 comments | Views: 52

tags: another

5 minute wonders: The ASP.NET membership provider (www.troyhunt.com)

submitted by troyhunt (831) 7 months, 24 days ago

Building an ASP.NET app with registration and log on features whilst securely protecting the data with a strong hashing algorithm and cryptographically random salt is easy. In fact it’s so easy, here’s how to do it in less than 5 minutes using the ASP.NET membership provider.

add a comment | Views: 22

tags: another

Overcoming SQL 08’s globally insensitive time zones using .NET (www.troyhunt.com)

submitted by troyhunt (831) 9 months, 17 days ago

When SQL 08 came along there seemed to be some new hope for making time zone aware apps a little easier through the introduction of a few new date and time related data types, particularly the datetimeoffset type. Unfortunately all that glitters is not gold in this case and the new data type can be a real “gotcha”. Here’s how to build in that geo-awareness from the ground up using the new datetime2 data type and without getting caught with your metaphorical pants down.

add a comment | Views: 0

tags: another

OWASP Top 10 for .NET devs part 8: Failure to Restrict URL Access (www.troyhunt.com)

submitted by troyhunt (831) 9 months, 26 days ago

What makes this particular risk so dangerous is that not only can it be used to very, very easily exploit an application, it can be done so by someone with no application security competency – it’s simply about accessing a URL they shouldn’t be. On the positive side, this is also a fundamentally easy exploit to defend against. ASP.NET provides both simple and efficient mechanisms to authenticate users and authorise access to content. In fact the framework wraps this up very neatly within the provider model which makes securing applications an absolute breeze.

add a comment | Views: 19

tags: another

The padlock icon must die (www.troyhunt.com)

submitted by troyhunt (831) 10 months, 8 days ago

What do you think of when you see the padlock icon on a webpage? You're probably thinking something along the lines of "it means the page is secure". The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn't mean anything of the kind. In fact it has absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it's downright misleading.

add a comment | Views: 2

tags: another

Taking the pain out of database discovery with Red Gate’s SQL Search (www.troyhunt.com)

submitted by troyhunt (831) 10 months, 13 days ago

Today I had cause to take a slightly different direction with a database that had stood for many years providing a fairly critical business function. The change of direction involved dropping a few columns out of a core table with references across an unknown number of procedures and views. What could go wrong?! Enter Red Gate’s SQL Search.

add a comment | Views: 1

tags: another