Browsing Posts in Security

I was recently asked how to configure a site to redirect automatically from HTTP to HTTPS. By this I mean when the user types in http://server.example.com/app/page.aspx, the browser will automatically redirect to https://server.example.com/app/page.aspx. You can do it through code, but with a little ingenuity, you can do it strictly through IIS configuration. Let’s walk through the setup… […]

Ian Griffiths has an excellent post on why UAC exists and why we as developers shouldn’t turn it off in frustration. Like Ian, I ran Windows XP as a non-admin and UAC is welcome relief to the tedium of switching between accounts to configure things. Now I’m not claiming that UAC is perfect. Notably Vista […]

Ever had the trial version of an application run just fine, but fail horribly when you register a license key? I’ve had this happen with two different and completely unrelated software products – FLStudio (awesome music authoring application) and FinalBuilder (a NAnt/MSBuild replacement). In both cases, the cause was a Data Execution Prevention (DEP) violation. (DEP is on […]

I must bid a fond farewell to a fellow plumber, Dan Sellers. Today was Dan’s last day in the Big House. He is stepping into a well-deserved, early retirement. Dan and I have worked together many times over the years especially on Plumbers @ Work and more recently on the Canadian Developer Security Virtual Team. […]

What is SecurityKicks.com? SecurityKicks.com is a community-based news site edited by our members. It specialises in security information for developers, including writing secure code, authentication and authorization techniques, cryptography, and related topics. Individual users of the site submit and review stories, the most popular of which make it to the homepage. Users are encouraged to […]

Thanks to everyone who attended my talk on Introducing Windows CardSpace. It was one of the liveliest talks I’ve given. I had lots of great questions throughout the presentation and some great discussions with people during and after. I’ve posted the slidedeck here (5086 KB). Following is a list of resources (reproduced from the slidedeck) […]

Presenting at EDMUG last week was a blast. The audience was great and people asked some fantastic questions. I presented Enterprise Architecture for Mere Mortals: Authentication where I discussed the major authentication mechanisms for enterprise applications – basic, NTLM, and Kerberos – and authentication topologies – trusted subsystem, delegation, constrained delegation, and protocol transition. It […]

For our first event, the Calgary Code Camp was a huge success, if I do say so myself. We had over 80 developers attend and both tracks were constantly buzzing with great discussions. Thanks to everyone who presented for generously sharing their time and knowledge! Thanks also to everyone who attended and made the day […]

In the previous two parts (Part 1 and Part 2), I introduced the ImpostorHttpModule as a way to test intranet applications that use role-based security without having to modify your group memberships. (I’ll assume that you know what I’m talking about. If not, go back and re-read the first two parts.) In the final part, […]

In our last cliff-hanger episode, I introduced the ImpostorHttpModule. I’m going to show how you can use it to implement and test a sitemap and navigation menu in ASP.NET. We’ll use the new ASP.NET 2.0 Master Pages feature because it’s the easiest way to ensure that the same menu ends up on every page. We’ll […]