February 2009 Entries


The Entity Framework Review Take 2

My last post was a bit of a joke, and I should explain why, after only a few hours of playing with EF, I think it is a horrible technology. Some might say that a few hours is not enough time to completely write off a technology, but I have to disagree. I spent a few hours with nHibernate and loved it. A few hours with EF and I wanted to start drinking. First, the good things about it: It is integrated into Visual Studio, so the whole team is already able to start...

Entity Framework Review

My mother always said that if you can’t say anything nice then don’t say anything at all...

Annoying Brute Forcers

Had an interesting thought today. If someone tries to brute force your login screen, then why not, after so many failed logins, redirect them to a page that looks legitimate? This would cause the tool they are using to report that it cracked the password and logged in. The attacker would then have to physically verify the login, only to see some garbage page and start all over again. This would probably make a script kiddie attack some other site, as they would probably not have the programming knowledge to alter the brute forcing engine. I would have it so...

Building Your Own Password Based Authentication System

Many times we need a way for users to authenticate with a system, and that is usually done with a username/password combination. A lot of the time we have to build our own or use some pre-built system (e.g. Forms Authentication). Now, I am not a fan of passwords. I find that they are usually easy to guess, and brute forcing them has become faster and faster. Passwords are dying and there are other options, but they will differ from implementation to implementation. If you have to build a password-based authentication system, then...

Storing Credit Card Information In Canada

Talking with other developers and clients, it amazes me how many people store credit card numbers in their systems. There is usually no need to store a full credit card number in your own database. It should be forwarded on to the processing gateway, and then the information should be purged from your system the instant the transaction is complete. The Credit Card Companies' Stances: Contrary to popular belief, you are allowed to store credit card information. The companies do have standards that you need to follow if you are storing this information. More information on this standard...

Victoria Code Camp Materials

Thanks all for coming out to my presentations. Here are the slides and other files from the talks:
Threat Modeling: ThreatModeling.zip
Passwords Are Dying: PasswordsAreDying.zip

Speaking At Victoria Code Camp This Saturday (Feb 7th, 2009)

I will be doing two talks at Victoria Code Camp this weekend:
Passwords Are Dying – A talk about the problems with passwords, how they are currently attacked, and alternatives to password-based authentication.
Threat Modeling – Learn how to model your applications under different lenses to find security vulnerabilities and potential weaknesses in your application.
More info on the Victoria Code Camp site.