Episode 046 – Information Security with Troy Hunt

Troy Hunt is an Australian Microsoft Regional Director and Microsoft MVP for Developer Security.

He’s also the creator of Have I Been Pwned and speaks around the world on web security.

To catch up on the Tweet mentioned in this episode, please visit the following link:

Jon Ash – 00:51 – So before we get started, would you just tell us a little bit about yourself and maybe how you got started?

Troy Hunt – 00:58 – Well, I guess in addition to what you just said, uh, I think he said I’m Australian. People can probably hear that. I got started, uh, I guess in sort of my modern day career in terms of building stuff for the web back in about ’95. I remember it was one of uh first year of university first of the web. And I went, wow, this is awesome. You can view source on a web page and then create your own site. That’s amazing. So I started building web apps in, uh, in 1995 and things just sort of went from there. And at some point I kind of pivoted a little bit and went into the AppSec side of things and, and yeah. Now here I am today.

Jon Ash – 01:37 – Awesome. Awesome. So what are you doing today?

Troy Hunt – 01:40 – Too much. Well, you know, I say too much. It’s all good fun. But I’d like to see my family a little bit more. So it’s a combination of things. So I’m still doing a lot of travel. That’s one thing. I’m cutting back on a lot, some on travelling a lot to do talks at conferences, so I’ll be off to Europe again in a couple of weeks talking info sec a year in London, going to Norway and doing the NDC conferences there. I’m doing a lot of workshops on my travels as well. So I do a workshop first where I either run them as part of conferences like NDC, uh, or I go and see organizations and spend a couple of days in there. Teaching developers how to break their things, which is good fun. Doing a lot of, a lot of other sort of commercial toxic spend. A databank tomorrow scaring people, which is fun. I’m still doing a lot of Pluralsight, writing little courses there. Running Have I Been Pwned, as you mentioned,

Troy Hunt – 02:37 – that’s been a cheekily busy period last few days because I got some cool stuff in the pipeline there. Uh, yeah. And blogging trying to try to actually write blogs as well because this was the whole sort of genesis of a lot of this. So I don’t do like to keep up the blogging as well.

Jon Ash – 02:53 – How’d you first get interested in information security?

Troy Hunt – 02:56 – When I was seeing other people continually do it badly. Uh, so that the context they’re in. And you mentioned earlier on my Hack Your Career talk and I talk about this a bit in the Hack Your Career talk at the context. For me it was that I was working in a, in a large enterprise. They were outsourcing everything in terms of the development work and I had an architectural role and I would just see people build things that would come back and I’ll just look and go, what are you thinking? And you have no idea. Have no idea. Like what is going to get wrong as a result of this and there’s this one moment that just kind of mind which, which I think is the epitomizes that the problem where we had some work done by some Chinese developers with a mobile app and I grabbed this mobile app and I proxied my device through Fiddler and I had a look at the API calls it was making. Long story short, one of these API calls was to some method called something like get users. And it did exactly what it sounds like it would do. It just pulled all the users and all their plain text passwords and everything back.

Troy Hunt – 03:56 – And I, uh, I emailed this guy and said, look, I just proxied my device through Fiddler and here’s everyone’s accounts. Uh, and he said, look, that’s okay. Our users don’t use Fiddler. Alright, okay. I see where the problem is here. Uh, so yeah, that’s what really set me on this path.

Clayton Hunt – 04:16 – with a focus on security. You do tend to talk about a lot of scary things that somebody could expose in their website pretty easily. How much responsibility would you say is on the, um, the typical developer to dig into security? I mean, it’s, it’s a really, really deep topic with, with so many things that could trip somebody up and, and, uh, cause uh, a security issue. Uh, so, so how deep should a normal developer get into it?

Troy Hunt – 04:50 – Well, you know, first of all, I think security is one of these things. It’s a shared responsibility where we all have a little role to play, whether you’re the developer or the architect or the testers and frankly, all the way up to the top of the management chain and organization, yeah, you’ve all got a role to play in making sure these things are secure and for developers frankly, they are often where the rubber hits the road. I mean, they’re the ones that are writing the code which has the SQL injection vulnerability that still keeps it at the number one position on the OWASP Top 10 at the moment. Uh, you know, they have an enormously important role to play here. And I, uh, I would obviously love to see people get better educated at what a solid good, secure coding practices are and frankly with my biased interest in terms of creating training material that’s like the best possible bang for your buck as well as an organization, you know, it’s not the firewalls and the expensive penetration tests and all the stuff that comes after the bad code’s written. It’s the stuff that helps you avoid the problem in the first place.

Clayton Hunt – 05:51 – So you mentioned the OWASP. OWASP Top 10 is, is that a shortlist of like if you, if you don’t know anything else about security, know these things and how to protect yourself against them?

Troy Hunt – 05:59 – Well, the OWASP Top 10 is a great starting point sides. It’s content which is made for developers. And then there’s a really important nuance here as well as a lot of content out there from security pros. It just speaks a different language. And that was, uh, frankly large part of the reason why I started reading all this material. So the Top 10 is very targeted towards developers and explains in a case like injection, which is actually a super set of SQL injection. SQL injection is one form of injection, but it’s probably the most common. So it’ll say, hey look, here’s the injection, these are the potential risks, this is the impact if it goes wrong, here’s the defensive patterns and here’s a whole bunch of resources that are useful and they’re in your language of choice as well. Here’s how to do it in PHP and ASP.NET and whatever else. So OWASP is a very easily consumable resource and it certainly talks about the most fundamental risks, but of course there’s more than just 10 classes of risk out there.

Troy Hunt – 06:55 – We’ve got to deal with, uh, and in fact, uh, OWASP just updated their Top 10 late last year and they dropped cross-site request forgery off that list, which doesn’t mean it’s gone away by any means. It just means, hey, there’s other stuff that’s even worse now. The Top 10 is like, start here and then keep going. But, uh, look, I guess humans like consumable lists that they can compartmentalize in their brains and, and it actually does a very good job with that.

Jon Ash – 07:21 – So one of the things that I have, I kind of struggle with is, or have seen people struggle with is you security tends to be if it, if it is even dealt with, with hopefully hopefully that that is the case, but uh, it sort of is ratcheted on at the end of the or, or sort of after the code. It’s like, well, let’s, let’s get this working first and then let’s make sure that it gets secured. Let’s check for some of these are sort of the different types of vulnerabilities, um, you know, but is there some methodologies to kind of or you know, frameworks of thinking or kind of where are the approaches for actually developing securely, kind of from the ground up. So knew we were taking this whole, whole thing on before we’ve written any sort of code, uh, you know, we’re going, we’re going to take that secure approach.

Troy Hunt – 08:11 – Yeah. So don’t do that. And, and I like, this is actually what really got me involved in security as well either. I guess there are multiple different things, but one of the things was that in this corporate environment I was in, we would be waiting until the very end where all the code had been built over time, you’re over budget and the product manager’s breathing down your neck saying where’s my application? And then that guy, we should security test this. Just make sure it’s okay. Guess what, it’s never okay. Something, uh, it turns out there’s quite a few things when you always outsourced to the lowest cost market as well, but that’s another story. So you know, leaving it too late is not smart for, for many different reasons. Now you mentioned one there at a time out of money. What tends to happen, and certainly this is very, very common. So what tends to happen is you have a list of security deficiencies and they prioritize, you know, the critical stuff and this stuff, the medium stuff.

Troy Hunt – 09:10 – And you go down the list from the worst to the best until you run out of time and money, and then the product manager signs off on the rest of them as an acceptable risk. So there’s this person who, in our case I used to work for Pfizer pharmaceutical company, so there’s this person who all they’re interested in doing is selling Viagra and they have signing off on the CSRF risks. There are things you know about, which we went over bit here and they are not CSRF. Uh, so yeah, that’s not a good position. And then we think about some of the sort of a, I guess a immutable empirical evidence of software development and where it makes sense to fix defects. So many people probably heard or read of The Mythical Man-Month and one of the things they talk about there is the cost of defects over time. And the TL;DR version is the longer you go from the point of writing the defect to the point of fixing it, the more expensive it becomes.

Troy Hunt – 10:05 – If you can avoid writing this in the first place so you can get it right in the design, for example, it’s going to be a lot cheaper than if you have to fix it in a testing phase. If you can fix it in a testing phase, it’s cheaper than after it’s already gone live. Uh, now I, I personally sometimes have trouble figuring out what it was I wrote yesterday and why I wrote it, you know, like I’ll look back at yesterday’s code and I go, what was I thinking? If I can get that right to begin with, that is a really, really good ROI. So what we’re trying to do, and we often sorta hear this term shift left, trying to shift security left in that software development life cycle. Like let’s fix it really, really early on. And that’s partly why I say it’s such a great ROI that the education piece,

John Callaway – 10:49 – so of those things that we’re talking about, we’re talking about the easy ones are they’re like no plain text passwords and communications over https and things like that. Or does he do, are we going farther than that?

Troy Hunt – 11:03 – Well, it’s certainly part of it. I mean that the plain text password thing is is very important. It’s also something which really only becomes a problem once you get owned one way or another. Anyway. It’s like, okay, you had SQL injection, you’re going to have a very bad day anyway, by the way, all your passwords are plain text. There’s, there’s that, but there’s so many sort of nuanced things these days in terms of the way vulnerabilities get exploited and very often they’re things like, look, you could be authenticated, but there is an endpoint somewhere which checks that you’re an authenticated user but doesn’t actually check that you have access to the resource you’re requesting. So yeah, you log onto your bank account and then you look at the number and go, I wonder what would happen if I plus one: someone else’s bank account. Now conversely on other side of, and another angle it’s very interesting these days is that we have so many new security constructs built for the web.

Troy Hunt – 12:00 – Those things that browsers understand that people have never heard of before, so we have things like subresource integrity. The ability to to have a script and then load it from an external resource and make sure that it hasn’t been modified. We’ve got content security policies. The XSS auditor built into Chrome can report violations back to an endpoint that you specify so you figure out when someone’s exploiting XSS on your site. There’s all of these really, really super cool things that people have just never heard of before which are out there and can make a really fundamental difference to your security posture.

John Callaway – 12:34 – There was a Twitter conversation about a month ago or so when it came to light that T-Mobile Austria was having an issue with plain text passwords that that seemed to have blown up around that time.

Troy Hunt – 12:44 – That was a funny one. I think I might’ve been a bit responsible for getting them into trouble there and I don’t apologize for that. There was a, I think it was a girl who caught up T-mobile in Australia and the discussion was something along the lines of a height, same mobile wallet. Can you say my password? It must made. You’re storing it in plain text now in their defense, and this is not really defensible. However all the other kids are doing it like a lot of telcos store your passwords in a retrievable format. Virgin in, in the UK always gets pinged for this. I see constantly in my timeline people calling them on it and, and they do it for customer service reasons and it’s not a good reason because there are better ways of doing it, but for the most part the T-Mobile situation was business as usual on the Internet. And what made it different was that whoever was behind that account started defending their position and this really like this should be social media account management 101, like don’t argue with the security people online.

Troy Hunt – 13:41 – In fact, I’d argue with anyone online, like if you’re heading down that path, take it offline, but this account, I’m sure you guys can dig out the original tweet and share the nights, but it will stuff like they can’t assign, but our security is really, really good. You know. And then at one point I think the original girl sort of said, ah, you know, what happens if you have like an insider go rogue or something along those lines. They can’t. Was like, are you threatening us? And I look at this going, well I was going to say professional telco, but I might take back that first bit, you know, like you’re a telco, you can’t talk like this online because what’s going to happen is you’re going to get a bunch of free penetration tests and get a free penetration test. And there was all sorts of nasty stuff which was then discovered on, on T-Mobile. And it’s just like, this is just such a predictable pattern in. I like a company stands up and is a bit belligerent about security online.

Troy Hunt – 14:37 – Uh, the masses go wild, company keeps defending their position, company site goes offline. That’s fun times on the Internet.

John Callaway – 14:49 – So is that a kind of the premise on Have I Been Pwned was started or how did that come about?

Troy Hunt – 14:55 – Well, the original premise of Have I Been Pwned and it was really sort of split objectives and part of the objective was to build a service which does what it does today. So yeah, aggregate data breaches together so you can search them because lots of people don’t know how far they’ve been exposed. And the other part of it was I just liked building stuff. I had some downtime and I was like, ah, let’s build something on Azure, you know, like, I want to build some cool stuff on the cloud and I don’t just want it to be like some random hello world. Like let’s actually build something interesting. Uh, and that was a very important part of it is sort of four and a half years ago when I originally did it. In fact I had some downtime. I was traveling, I was in the Philippines. I remember I was bored in a hotel room and I was like, Oh, this will be fun. Four and a half years later, funnily enough, I was just thinking, I’ve spent most of this week building new stuff, doing a lot of stuff with Azure Functions at the moment, and I was having that feeling and it’s like, oh, that’s nice just to build stuff is funny I guess around.

John Callaway – 15:56 – Yeah. It seems to have kind of taken off. And how do you get the information that you get to facilitate that service or companies reaching out to you and just telling you, yeah, we had a breach. Here’s the data, or how does that, how does that work?

Troy Hunt – 16:10 – Surprisingly enough sometimes. Yes. So there’s actually three data breaches in Have I Been Pwned that were self submissions, so they’re organizations reaching out saying, look, we got owned and here’s the data now look a couple of days, a pretty small one of them is a, some sort of a truck, his gaming forum, uh, and I, I think it was sort of run by a couple of young blokes, so just having a bit of fun with it and sort of didn’t realize the ramifications of holding other people’s data. Uh, one of them though is the Ethereum cryptocurrency forum know this is actually serious stuff. The official forum and I said, yeah, we got owned. Here’s the data. Most of the time though, it, it comes from people who I guess support what I’m doing with Have I Been Pwned and come across data through various means now very frequently that they’re trading in a. So one of the things I’ve learned in running this service is there’s a really vibrant trading scene for data breaches now that sometimes traded in a monetary fashion.

Troy Hunt – 17:09 – People pay for data very frequently. It is just people exchanging it and then often liken it to sort of baseball cards with someone to go, hey, you know, I’ve got this person who you got and they’ll go, right, well we’ll, we’ll swap this and now we’ve, you know, we’ve got different things except it’s digital such as replicates, right? Like the, you still have the original version. So we’ve just seen this, this sort of massive influx of data breaches being distributed, uh, in the period I’ve been running Have I Been Pwned or certainly centered uptake, ginormous. And, and now that this has just sort of something that people share around the web,

Clayton Hunt – 17:44 – that’s crazy, but you’re just, you’re actually getting data just freely given to you from people who have been breached.

Troy Hunt – 17:51 – Yeah, it is. And to be honest, like I often say, people will tweet, say after some major data breach, a little tweet out and they go, Hey, a company you should give Troy Hunt the data. If I Have I Been Pwned now, to be honest, I, I would not be encouraging organizations to do that simply because it’s one thing to have data illegally taken out of your system by someone who shouldn’t have been there in the first place. It’s another to sort of take your customer data and then hand it off to a third party, which ultimately is, is sitting on a few billion records. So I would, I would not necessarily be encouraging that or certainly supporting the organizations who do. And certainly in the case of one of those, I ended up doing the breach notifications for them as well because I had the, the ability to actually send that number of emails. But I mean, let’s say it was Yahoo, I don’t think Yahoo’s going to turn around tomorrow and go, yeah, Troy, look, like here’s the billion or 3 billion or many accounts. It is now. Go for it.

Clayton Hunt – 18:52 – Well they’re, they’re already all owned.

Troy Hunt – 18:55 – Yeah. Well yeah, there are degrees of owned as well, you know, and that’s the thing with Yahoo is that I’ve never seen this data anywhere. Look, I’ve seen lots of people claim to have it in the, none of them have, but it’s not like say Ashley Madison, every single person who wants it can go and find that data and a few clicks. I mean, that data was designed to be distributed as far and wide as possible. Yahoo, whoever grabbed that hypothetically, the Russians, I held onto it very tightly and not redistributed it.

Jon Ash – 19:27 – I mean, I guess this kind of brings up an interesting like who, who is, who’s going after these, these, uh, your, your data. Who, who is it? And is it just, um, people looking collected? Baseball cards? I mean obviously we great black market, sort of A. People want to use your information to steal identities, to come from other information that they have. Is it a large group of people? Is that there’s a small group of people?

Troy Hunt – 19:55 – Yeah. Part of this in terms of those who might be redistributing data and there’s a question about intent here. So you know, what are people out to do? Are they out to cause damage to a company, are they curious, uh, or have they just become sort of a secondhand recipient of data? And frankly, most of the people I have discussions with are in that latter category. The earlier ones it, it’s uncomfortable because I don’t particularly want to talk to people about illegal activities they’ve been involved in, but, but by the same token, you know, now they’re sitting on a million records of customer data and you kind of want those customers to know too. So it’s a bit of an uncomfortable spot. Yeah. Very. Typically we talk about sort of three different levels of threat actor, uh, when we’re talking about the defensive patterns for building systems.

Troy Hunt – 20:41 – So we talk about level one, Bang you, your activist and your kids. And, and frankly they were on a lot because they don’t have good reasons for what they do. They’re very opportunistic and for everyone that goes, ah, yeah, they’re trying to change the world and do positive things like honestly go and have a look at the amount of stuff that’s done under the banner of activism. It’s just crazy. But, uh, yeah, they, they kids are the kids who were very, very young adults and they don’t have access to a particularly large amount of resources, but they are insidious little, uh, uh, I was going to say something, my vision on this podcast over the way, my kids want to get vindictive and they’re only five and eight, but they can, they can be very creative. They’ve got lots of spare time because they don’t have to go to work or do anything like this.

Troy Hunt – 21:25 – So kids on the Internet can be enormously effective at breaking into other things. Now that’s sort of level one. And then we go onto the next level, which would be a criminals, uh, criminals in terms of a monetary intent. So they are wanting to break in and steal credit cards, which they can sell, steal data breaches, which they can sell on the dark web or anywhere else and they do have a sense of ROI. So they’re saying, look, if I can get into this system, it has something of value which I can then monetize. And the thing about ROI is that if we raise that, that investment component high enough, we make it hard enough to get in, well, then the ROI doesn’t look any good and they move on. And then finally we will often talk about nation states and now it’s a very, very different ball game because suddenly the amount of money involved is, is absolutely huge.

Troy Hunt – 22:15 – But the way you defend against an adversary like that is very different. And depending on what the sort of asset you have is, it may also be of no interest. If, if it’s an ecommerce site that might not be a lot of interest to let’s say the Russians or the Chinese. If it’s a messaging platform, very different.

John Callaway – 22:33 – So I guess you kind of have to take that into perspective when you’re looking at what you’re building and say when you’re developing those strategies to secure in that.

Troy Hunt – 22:42 – Yeah, and I guess there’s a bit of a threat modeling exercise too, right, where we’re saying, okay, we were building this stuff, who do we need to be conscious of? Like, who do we have to worry about? Uh, and that’s probably pretty good exercise for everyone to go through.

John Callaway – 22:56 – So you mentioned that you were at Pfizer a while ago and you’ve since left and moved on and, and have made a pretty good career for yourself doing a lot of security consulting and talks and training you want to tell us about how you decided to make that move or, or what that looked like for you?

Troy Hunt – 23:12 – Oh yeah, they made it really easy. They got rid of me and three other people that the longest story. And, and this was also in my, my Hack Your Career talk now and anyone who is interested in these talks, troyhunt.talk/recorded-talks. They’re pretty much all up there. So the longest story was, uh, I was, was becoming, I guess a couple of different ways, looking at a number one, I, I became good as a developer, uh, and that’s when an organization says, Hey, you’re a good developer, you should stop doing that, you know, and you should go and manage people because that’s how you progress. Right? And, and I can hear everyone that’s listening, shaking or nodding their heads already because we go through and there effectively wasn’t any sense of technical career progression. And so like if you want to move up in the world, you’ve got to stop being technical now. Certainly hands on technical. So that meant I was doing a lot of architectural stuff from dealing with the sorts of problems before. Oh, I mentioned before.

Troy Hunt – 24:07 – So, you know, things like just continually bad quality security flaw riddled software, which, which was making things quite frustrating for me. Um, so, so that was certainly part of it, that the other side of things was I was getting a lot of traction with my independent life. So independent life then really meant loads of blogging, increasingly speaking. Uh, and Pluralsight, so I’d been writing Pluralsight courses and the, the long and short of it was the Pluralsight was becoming very successful. I was making a lot more money from Pluralsight than what I was going into an office doing a job I didn’t enjoy and I really wanted to get out of the place and fortunately they, they made four different jobs that were based in Australia, but were looking after the Asia Pac region redundant primarily because we’re here in, uh, in sort of the most expensive country within the region. We’re looking after the cheapest countries and you had places like China growing very rapidly and places like Australia contracting. It just didn’t make sense.

Troy Hunt – 25:05 – So, uh, we got uh, redundancies, which is fantastic because a redundancy, they actually paid leave. So I got a, I’ve got a nice payout after being there for 15 years in total. And that gave me loads of flexibility to then go and do whatever I wanted to do. And it turns out that the stuff I wanted to do is actually quite in demand as well. So it worked out very well.

Jon Ash – 25:28 – So could you, could you speak a little bit more about the Hack Your Career talk that you recently gave?

Troy Hunt – 25:34 – Yeah, we’ll look at a lot of the premise of the talk was to sort of say to people having online identities is a smart career move. And in fact I start off the talk by by saying, look, here’s the first blog posts I ever wrote. This was when I was in Pfizer. This was 2009. I wrote this blog post, uh, and that was literally the title of the blog post. I’m a online how online identities are smart career moves. And my premise at the time was that I’d been interviewing people to hire them as developers and I’d interview someone and they’d say, ah, I’m awesome. No, not me. But they themselves were awesome and I’d sort of go, okay, show you. And again, I look at my CV, my CV says I’m awesome. So that you wrote it. Of course it says you’re awesome. And then that’s our. Yeah, I’ve got references. Go and speak to my references and I’ll sort of guy. Well it. But you chose the references that you like, you’re going to choose people that are going to say you’re awesome.

Troy Hunt – 26:29 – And the thing that struck me was that it was very hard to kind of independently gauge who these people were and I will be out there looking for say anything from a LinkedIn profile to a Stack Overflow account to contributions on GitHub or anything to sort of establish that this person is who they say they are. And usually I couldn’t find anything at all. And frankly part of the problem was a lot of the people I was hiring were in in other parts of Asia too. And that they just had a different approach to being public and having social profiles. But my premise was that I would like to have a profile such that if I ever want to leave the organization I’m in or if they ever want me to leave, which is of course eventually what happened. Then I want to have this independence and it’s not something that you do overnight either. Like you have to work away at this for years. So this is really what the talk is about. It’s like here are the things that you can do to start establishing a profile and that that may mean that it’s going to give you independence one day.

Troy Hunt – 27:30 – It may mean that when you go for another job, it’s going to help you get that job. It may mean that you’re going to get better access to people and information within your current job and then you sort of choose how far you dial it up. You know, maybe it’s just some code contributions and some Stack Overflow answers, might be you do what I did, you, you kinda choose.

Jon Ash – 27:50 – Awesome. That kind of leads into one of the questions that we ask everyone a is do you have some specific advice to people that are just getting started and it’s sounds like it would be pretty close to that, but I’ll let you elaborate.

Troy Hunt – 28:04 – Yeah. Well I guess part of it is going to have a look at that talk because that’s, that’s sort of very specifically designed to do this. You know, things for you to think about in an interestingly, lots of people have come and spoken to me after that talk and said, hey look, I’ve been doing this now and it’s making a really big difference in the I often say it referenced, which is very nice. I don’t sort of get that feedback from my technical talks. So I think part of it as well is that you don’t have to necessarily know the end goal. I certainly didn’t know the end goal. Uh, I, I just went, look, this feels like the right thing to do now it’s just a blog. It’s like it’s easy to go and get a free template, pay Ghost Pro, something like a fraction of a dollar a day and a and get yourself set up and running and then just see where it leads you. And I’ve found that I tended to drift in different directions and, and I, I guess pivot as they say here and there and I still do that today as well. I don’t necessarily have an end goal or a plan. I’m just doing what feels right.

Jon Ash – 29:01 – Uh, do you have any upcoming talks? I think you mentioned a few.

Troy Hunt – 29:04 – Yeah. So, uh, always faking it. and they say it’s like in June, I think it’s around about the week of June 12, thereabouts. Uh, if you’re listening to this after that, it was a great event. We all had a lot of fun. Drink a lot of, be a good time, uh, in, in terms of other things that are coming up down the right hand side of my blog. I have a list which just made me think I should actually say what it is that have committed to, to try and plan for, uh, the things that I sort of get prepared for the next thing and leave it at that. So, um, in terms of what I would have coming up, then I’ve got the fraud and prevention summit in Sydney in July. I’m going to a sell point conference in Sydney in a. was it in August? Uh, we’ve got NDC, say Australia also in Sydney in September. So we’ve, we’ve taken into, they see around the world and a couple of other things that I’m committing to, but haven’t yet announced in other parts of the world. Not a bit carefully managed how much I do when and where.

Jon Ash – 30:11 – And then, uh, I know you heavily heavy, right? A contributor. And what, what? Uh, I think you mentioned that you might have something coming up.

Troy Hunt – 30:20 – So yeah, over the last four days I think I’ve released one new course every day. A lot of stuff there. So in the chronology of things, the last one I released was a course about bug bounties for companies. So if you’re a company and you’re interested in getting involved in bug bounties, I recorded what they call a play by play course with a, with a mate of mine called Casey Ellis. He started the company Bugcrowd, so that just went out a couple of days ago and then during this week we’ll have one for researchers as well. So if you’re interested in getting involved and finding bugs and then getting paid for it, there’ll be a course coming out for you too. And then actually after, after that were the only Pluralsight stuff we have planned as I’m doing a quarterly course that’s free in front of the pay wall called Creating a Security-Centric Culture.

Troy Hunt – 31:09 – And we just released one about dealing with shadow IT within the organization and if you don’t know what shadow IT is, you really should go and watch the course. So, uh, in fact I just got an email from them today going, hey, what are we going to do next? So I got to think about that and we’re also planning to record another few play by plays when I’m in London in a couple of weeks’ time. I’m a, I won’t say what they are just yet because they haven’t all been locked in. But hopefully by the time this goes out we’ll be getting close to having those courses live too.

Jon Ash – 31:35 – And uh, also I think I’d be remiss if we didn’t ask which course would you recommend to someone who’s just getting started into security.

Troy Hunt – 31:44 – Right? So if you are an ASP.NET development. And my recommendation would be my first ever Pluralsight course, which is still my most popular course every single month and one of the most popular in the library. And it’s called the ISP. The uh, OWASP Top 10 for ASP.NET developers and that was a late 2012 course, but it is still extremely relevant today. In fact, I’m scratching my head trying to think about what would not be relevant today and that’s why it keeps writing so. Well actually it all still works with today’s deck, so that would be great if you are not a, a, a dominant person then there is an OWASP Top 10 big picture, uh, which is for the effort invested versus how much it was watched is also my number one. And that’s, that is uh, that’s sort of an, I think it’s been an hour and a half and that explains what the OWASP Top 10 is, what each of the risks are, why they’re important but doesn’t get down into the code level.

Troy Hunt – 32:38 – So it’s, it’s a bit technology agnostic in that way. Oh actually one other one. I’ll give you another one to plug because this is really important today. In about Jan last year I think it was, I pushed one out called What Every Developer Must Know About HTTPS. So HTTPS is massively important today. It is still underutilized. You need to get this happening because even, even next week, so we’re still in May, so even later in May there are changes coming to Chrome in particular way. If you don’t have HTTPS it’s going to start to get very embarrassing.

Jon Ash – 33:10 – So other than Pluralsight and following you in your speaking engagements, how else might our listeners follow you?

Troy Hunt – 33:18 – Yeah, look, Twitter’s probably my most prolific sort of channel, so find me at @troyhunt on Twitter and you can, you can usually see it on doing there, but look between @troyhunt and troyhunt.com, you’ll find everything you need.


“Tempting Time” by Animals As Leaders used with permissions – All Rights Reserved




A Microsoft MVP, John has been a professional developer since 1999. He has focused primarily on web technologies and has experience with everything from PHP to C# to ReactJS to SignalR. Clean code and professionalism are particularly important to him, as well as mentoring and teaching others what he has learned along the way.
