Every week here and in our newsletter, we feature a new developer/blogger from the DZone community to catch up and find out what he or she is working on now and what's coming next. This week we're talking to Troy Hunt, Software Architect and Microsoft MVP for Developer Security. Some of his recent DZone posts include:
- With Great Azure VM Comes Great Responsibility (Which is Why You Really Want an Azure Web Site)
- Your API Versioning is Wrong
- 40 Inappropriate Actions to Take Against an Unlocked PC
1. What have you been working on lately?
Lots! Primarily creating more web security Pluralsight courses and I’ve got way more ideas than I have time. I’ve also been spending a lot of time in Windows Azure both writing about it and building stuff on it. Speaking of which, I launched Have I been pwned? on Azure a few months ago which lets people search across multiple data breaches to see if they’ve had an account compromised. This was a really challenging exercise as it meant loading 154M records into table storage and I managed to get it querying in as little as 4ms which I reckon is pretty impressive!
2. You've written a lot about security in software development (SQL injection, DDoSing, and so on). Are there any security issues that you feel developers fail to understand or properly address?
Yes! Security is very frequently an afterthought; it’s not trained into developers, it’s not funded, it’s not assessed on an ongoing basis, but when it goes wrong, suddenly it’s the most important thing in the world and the consequences of a breach can be dire. I always like to direct developers to the OWASP Top 10 as a starting point; in fact, I’ve just pushed out a course that will help anyone involved in delivering software (not just developers) get to grips with these important web security concepts.
3. Are there any particular developer tools or resources you couldn't live without?
For me, one of the most important resources is my podcasts, as it gives me an opportunity to stay abreast of what’s happening in the industry as I’m driving to and from work. This is invaluable learning time for me. On learning, I also use Pluralsight extensively for anything from trying to learn something entirely new through to referencing just a single behaviour within a product. Other tools I like include Fiddler for HTTP proxying and seeing what’s going on across the wire and, of course, being a .NET guy, Visual Studio.
4. Do you have a favorite open source project (or projects) that you've contributed to recently?
I’ve tended to err more towards building free services than getting involved in open source. I mentioned “Have I been pwned?” earlier, I’ve also been running another project for a few years called ASafaWeb – the Automated Security Analyser for ASP.NET Websites.
5. Do you follow any blogs or Twitter feeds that you would recommend to developers?
Most of the people I follow are related to either security (Brian Krebs, Jeremiah Grossman, Mikko Hypponen) or Microsoft Technologies (“The Scotts” – Gu and Hanselman, Jon Galloway, Damian Edwards). I find my following habits have tended to shift more towards broader aggregation and content people refer to me rather than just focussing on a few individuals.
6. Did you have a coding first love -- a particular program, gadget, game, or language that set you on the path to life as a developer?
HTML. No really, I know people get a bit uppity and say “Oh, but it’s not a programming language” but I got right into HTML in ’95 and it was the best thing I ever did. How many other technologies have remained so relevant for so long?!
7. Is there anything else you'd like to mention?
Perhaps some advice for readers – get involved. Engage with your fellow developers. Go to events. Start a blog. Share a project on GitHub. I wrote about The Ghost Who Codes a while back and that sums up what I’m talking about more eloquently than I can here, but certainly in my experience, only good things come from broadening your horizons and becoming an active participant in the software community.