
By tag: security


WYSIWYG Html Editor and XSS Attack Prevention  (Unpublished)

How to prevent cross-site scripting (XSS) attacks due to HTML editors.



Remove unwanted headers in the HTTP response  (Unpublished)

Article on removing unwanted response headers from the HTTP response. Includes a walkthrough of using a registry setting and a walkthrough of using URLScan to remove the Server header.



Modeling the four-eye principle  (Unpublished)

Working in a financial domain over the last year, it was only a matter of time before I would be confronted with one of the variations of the two-man rule: the four-eye principle. Satisfying the principle is simple enough; an extra pair of eyes needs to approve of requested changes before they're ap...



Some important ASP.NET 4.5 security improvements  (Unpublished)

ASP.NET 4.5 brings some notable security improvements, but you'll need to enable them in config. This blog post gives an overview of the improvements and instructions on how to enable them!



Creating a Secure Textbox  (Unpublished)

The SecureString class holds confidential information in an encrypted format, reducing the risk that the information could be obtained by reading a computer's memory directly. However, there is no easy way to obtain the secure information from a user.



Up Log Creek Without a Paddle – Part 1: Windows Audit Logs  (Unpublished)

Much like having a good backup and restore plan, being able to filter and scan log files for what you need to help draw conclusions on how a situation occurred or by whom it was conducted is an important part of your security plan. However, if you have a heavily trafficked website, network share or p...



Is Stack Overflow “secure”? Kind of…  (Unpublished)

I had an interesting question pop up on my “SSL is not about encryption” blog post this weekend: "I have a question about logging to site like StackOverflow which doesn't use SSL at all. If I am login to SO via Google. Is this secure in this case?" This is actually a very good questi...



Generating secure Guids  (Unpublished)

This blog post explains how you can generate Guids based on random numbers from the RngCryptoServiceProvider, including a code sample.



Stronger password hashing in .NET with Microsoft’s universal providers  (Unpublished)

Last month I wrote about our password hashing having no clothes which, to cut to the chase, demonstrated how salted SHA hashes (such as created by the ASP.NET membership provider), offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story o...



Our password hashing has no clothes  (Unpublished)

Many of us rely on the use of salt in the belief it will make our passwords “secure” when hashed with a variant of the SHA algorithm. Unfortunately, processing power has progressed to the point where even salted hashes are now near useless, particularly when using a GPU in an attempt to crack them. ...



Generating Random Pronounceable Passwords  (Unpublished)

The use of passwords as a security measure is increasingly common for technical and non-technical users alike. Generating passwords that are both strong and memorable can be difficult. This article describes one method to alleviate this problem.



ASP.NET session hijacking with Google and ELMAH  (Unpublished)

ELMAH is one of those libraries which is both beautiful in its simplicity yet powerful in what it allows you to do. Combine the power of ELMAH with the convenience of NuGet and you can be up and running with absolutely invaluable error logging and handling in literally a couple of minutes. Yet, as t...



Why software isn't secure  (Unpublished)

High-level view of what happens on software projects that leads to software insecurity.



Vulnerabilities in .NET Framework Could Allow Elevation of Privilege  (Unpublished)

This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target ...



OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer  (Unpublished)

When it comes to website security, the most ubiquitous indication that the site is “secure” is the presence of transport layer protection. The assurance provided by the site differs between browsers, but the message is always the same; you know who you’re talking to, you know your communication is e...

