Let’s Encrypt offers free SSL certificates to protect the traffic between your website and the visitors. They are as good as the expensive commercial ones, but they need to be renewed every three months – thanks to automation, this is not a problem. I use Let’s Encrypt for all my sites and never had any …
We recently run into a strange problem when we tried sign a message using a private and public key pair. Everything worked as expected on the developer machine, yet in the test environment the same code only throws this exception: System.Security.Cryptography.CryptographicException: Keyset does not exist Our key pair is inside the certificate store on a …
Would it not be great if we as developer of a site could warn our users when their passwords are part of a data breach? There is a simple API we can use thanks to Troy Hunt’s “Have I been pwned?” site. This post is part of the Protecting Passwords series. You can find the …
With nearly every application and website demanding an account, most developers will sooner or later have to store passwords. It is incredible how bad that can be implemented and how dire the consequences can be for the users. Take a quick look at the long list of sites taking part in “Have I been pwned?” …
Last week I blogged about password managers and how much help they are. However, not everyone can or want to use a service like LastPass and 1Password. Today I show you how KeePass manages all your passwords on your local machine. This post is part of the Protecting Passwords series. You can find the other …
A year went by since I blogged about “How many of your Accounts have been Compromised in a Data Breach?“. At this time there where ~4 billion usernames and passwords collected on the site “Have I been pwned?” (or short HIBP). Since then, Troy Hunt could add another 1,500,000,000 accounts to the list. That is …
If you want to check your dependencies for security vulnerabilities right in Visual Studio, then the approach with Dependency-Check and SonarQube is not good enough. In this case, you should try Audit.Net. This post is part three of a small series on finding security vulnerabilities in your project dependencies: Finding Security Vulnerabilities in your …
Welcome to the second part on Dependency-Check. Please make sure that you have read part one and got a working suppression file. Otherwise, you will get a lot of vulnerabilities reported in SonarQube. In this post, I use Visual Studio Team Services (VSTS) for my build pipeline. You can use different services to reach the …
The Open Web Application Security Project (OWASP) may be best known for its top 10 list of the most critical web application security risks. However, the project not only talks about problems; they offer a wide range of documentation to fix those problems (like the .NET Security Cheat Sheet) and publish tools like the OWASP …
No week passes by without a big announcement of stolen account data. Usernames with their corresponding passwords and email addresses are “lost” on a regular basis. This is not only a problem of small sites: LinkedIn, Adobe and MySpace alone add up to more than 600 Million leaked accounts. Given the fact that passwords are …