Browse by Tags
-
Thanks for those of you who attended my talks last week in London. The ASP.NET Attack and Defence talk covered SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). The first two have downloadable demos and labs as part of...
-
I've been thinking a lot lately about password management. I'm not talking about how a user manages the myriad of passwords she's stuck with, but rather how a system (e.g., a website) should go about accepting, storing, and protecting the...
-
From Coding Horror, originally from CWE/SANS, this is a list that every developer should review from time to time. If you work on software in any capacity, at least skim this list. I encourage you to click through for greater detail on anything you're...
-
I recently published Self-Cert, a tool that makes it really easy to generate self-signed certificates using the CryptoAPI. What's nice about it is that it has a .NET class library underneath it that makes it easy to do this programmatically from...
-
Mike Woodring sent me an email today. He was concerned that a website that he frequents wasn't doing such a good job storing passwords. He pointed out that by clicking a button, you could get your password emailed back to you. After talking with someone...
-
IIS is currently rejecting self-signed certs made with the Self-Cert tool. Actually, you can install the cert into IIS, but when a client connects, IIS will refuse to set up the SSL tunnel. So far I believe the problem is that my certs aren't getting...
-
It's a bit of a pain to create self-signed certs using MAKECERT. So here's a GUI-based tool that uses a combination of the .NET Framework and the CryptoAPI to create self-signed X.509 certificates. And it's factored so that you can use the...
-
Today I spent some time exploring WLID's new SDK that allows you to support WLID authentication in a website of your own. I got it working pretty quickly in a test website, and it works quite nicely. So now I'm a bit curious. There's a section...
-
Over the last couple of years, I've worked on websites that support both HTTP and HTTPS, and it's always tricky to find a balance between security and usability. Dominick wrote an excellent article about this a while back, suggesting that allowing...
-
For those who didn't attend PDC, the Zermatt identity framework has been re-code-named Geneva Framework so that it fits in with the Geneva family of products: Geneva Framework: a .NET class library called Microsoft.IdentityModel (basically it's...
-
Chris Sells used to poke fun at me when we worked together in my former life. He used to call my security class, "Essential Access Denied". His point was a good one: when they aren't applied carefully, security countermeasures often just...
-
I've been rather dark over the last couple of months as I helped to finish up Pluralsight's online training offering, Pluralsight On-Demand . I'm psyched that we finally shipped! Be sure to check it out soon (you can preview bits of each course...
-
I've always looked at security questions used to automate user password recovery with quite a bit of skepticism. What's the point of requiring strong passwords if you allow anyone to reset the password on an account by answering a (potentially...
-
I'm about to embark on a mission to get Zermatt integrated into pluralsight.com as our single-sign-on solution, and a big part of that is getting our Community Server installation wired into that. I'm curious if anyone else has seen any work being...
-
We recently updated our website and some links have broken as a result. Here's the place you should go to get the latest version of Password Minder: http://mercury.pluralsight.com/tools.aspx Sorry for any inconvenience!