Remembering How We Should Manage Open Source

A DevSecOps best practice is root cause analysis, so that we can learn from live site incidents and prevent their recurrence. Equifax made news recently with the exfiltration of data from half the US population. This is a sobering opportunity to look at the root cause. The Equifax attack used Apache Struts, a popular open…


Start a new technical practice with Microsoft Enterprise Mobility & Security

This 4 day practice enablement training explores how to better understand and deploy key Microsoft capabilities such as hybrid identity and access management with Azure Active Directory, application and data management with Intune, information protection with Azure Information Protection, data protection with Azure Advanced Threat Analytics, and cloud security with Cloud Application Security. This training…


Role Based Access Control in ASP.NET MVC

In this post, Premier Developer consultant Lizet Pena De Sola explains Role Based Access Control in ASP.NET MVC. Role Based Access Control in MVC is pretty straight forward. There is also a way to do claims access control, but the most common way is based on roles. To show or hide action links in a view depending…


HTTP Secure, Part II. Is Diffie-Hellman always used in the HTTPS key exchange?

In this post, Premier Developer consultant Lizet Pena De Sola explains Diffie-Hellman in the HTTPS key exchange. I got a question right after I had spent a week in training classes for the COMPTIA Security+ exam: to describe how HTTP Secure (HTTPS) modifies the HTTP traffic between a client browser and the server. At the end of my explanation,…


Release notes – August 23, 2017

On Wednesday, August 23, 2017, we started deploying a regular service update. We upgrade production service instances in batches, and it usually takes about a week for the rollout to complete. Below is the list of improvements and bug fixes in this release. New functionality Versions and revisions (yay!) give you flexibility in how you manage change and your API lifecycle….


Claims augmentation with OWIN but outside of Startup code

This post on authentication and authorization is from Premier Developer consultant Marius Rochon. Claims list included in the ClaimsPrincipal usually originate from the security token received by the application as part of user authentication (SAML, OpenIDConnect id token) or access authorization (OAuth2 bearer access token). However, sometimes there is a need to modify that list…


The MVP Show In Australia: An Interview With MVP Troy Hunt

The MVP Show never disappoints. Each episode, Senior Technical Evangelist Seth Juarez takes us to another corner of the globe to meet an MVP on the cutting-edge, and plunge into the technology that drives them. Today, we’re headed to the Gold Coast in Australia! In this episode, Seth hangs out with Visual Studio and Development…


Azure App Service IP Based SSL and SNI Based SSL configuration

Sometimes you experience something and just want to share. This is a very corner case, but it threw me for a loop. In this case there was an Azure App Service Web App that had 1 web site running on it. This one site had 2 custom domains bound to it. One of the domains used IP…


Leveraging Exploit Guard in Windows Insider Build to Easily Audit Your Code

If you are a software developer and are looking to improve upon the security compliance of your software, there is a feature in the current Windows 10 Enterprise Insider Preview (as of 10.0.16253 – I can’t guarantee this will make it or make it unchanged into future builds) that could be very useful to you.…


Microsoft Encryption of Data-at-Rest White Paper

There are essentially 3 types of encryption you want to think about when working with a cloud service provider: Encryption at Rest; Encryption in Flight (network encryption); Encryption in processing (application data encryption). Encryption at rest is about protecting data on disk. You need to make sure that an attacker who might acquire a…