November 8, 2017

Get Schooled by Troy Hunt at Episerver #Ascend2018

It may be fair to say that most of the developer audience going to Episerver Ascend in 2018 is already familiar with Troy Hunt (@troyhunt) and his, in my opinion, amazingly valuable work. For anyone who may not be familiar, I’m happy to elucidate the reasons I recommended we seek Troy out to keynote our main event of the year.

I was first introduced to Troy’s work a few years ago when I had the pleasure of working through his Pluralsight course covering OWASP Top Ten vulnerabilities and how to address them in .NET. At the time, I was astounded at the ease with which Troy discussed a vulnerability, proceeded to exploit it, then educated his audience in how to protect against it. It seemed like magic to me, yet I walked away feeling like I could probably hack my own bank and then show them how to fix it. The course was, in a word, revelatory.

Since then, I’ve followed Troy on Twitter, read a substantive portion of his blogs (which are often educational and humorous tear-downs of poor security practices), and used some of the tools he’s put on the web, namely “Have I Been Pwned.”

In the following, I’ll explain a bit more about what Troy’s work has meant to me and others in the industry and why his presentation will impart critical knowledge to both the technical and business-oriented audiences at Episerver Ascend in March.

#Cloud


(Hint: You probably have. Go check it out and, by all means, buy Troy a coffee or a six-pack of beer for his hard work.)

Troy single-handedly operates Have I Been Pwned, a website dedicated to alerting internet users about hacks that have compromised their passwords or other critical information, with hundreds of thousands of subscribers and billions of data records to search. I’ve been a subscriber to this (free) service from Troy for years and have received numerous emails about hacks of large organizations that compromised my information. The cases have often been hacks of which I was unaware until receiving Troy’s email.

But the alerts are only part of the magic of Have I Been Pwned (HIBP). The rest is in the fact that this service is self-hosted and self-managed by Troy using Azure technology – the same tech we employ for the Episerver Digital Experience Cloud Service. A good account of how Troy analyzes his own Azure usage and how it performs under immense stress comes in his analysis of traffic to the site just after the Ashley Madison hack of a couple of years ago. As you might imagine, there were a great many people (and spouses / sig. others) who were interested in which accounts might have been part of that hack, and Troy saw a pretty substantive surge in activity (according to his blog, about a 58,000% increase over “quiet” times).

I’ll let Troy’s highly informative post give the details, but to highlight a few points, his Azure setup for this service saw and handled growth from about 96 sessions / hour in “quiet” status to 55,611 sessions during the busiest hour in his analytics (the approximate 58,000% surge). This meant serving more than 7,000 concurrent visitors. He also points out that during the surge, his ability to respond to web traffic remained about the same – no difficulties in response times at all! (Most transaction response times were in the 10-60ms range.)

This was two years ago and the value and presence of HIBP has only grown in the intervening time. To me, that’s a pretty major achievement in technology.

He’s also happy to point out the “warts,” which include the errors generated during this time. Once he weeded out errors to non-human scanners hitting the site and such, it turns out that during this insane peak, visitors saw less than 1 error per 100,000 requests.

The detailed analysis continues and I’ll note that the numbers of server-hours and transactions are definitely worth reading (250 million storage transactions in about 10 days). At this point it’s sufficient to say that Troy knows the advantages of working in the cloud and, more specifically, in Microsoft’s Azure. He understands the need for uptime and scale at levels that most of us have difficulty fathoming.

As a final two points:
  • Over this period, there was 100% uptime
  • Troy managed all of this from his phone, attending to services here and there as time allowed, while on a ski trip with his family.

#Security

Troy has many courses in Pluralsight and offers his knowledge freely through blogging and his ever-valuable and amusing Twitter stream. While he covers a range of topics, one of his more obvious passions lies in online security.

Through his advice and guidance, I’ve upped my secure development game as well as my own personal practices regarding passwords (I now use a password manager, my passwords are >20 characters, and I hardly know what any of them are). But one of the things I love most about what he shares is the way he shames folks who use poor security practices, often in the name of super-secret “good security practices” (read: they can’t substantiate their reasons for not following actual good practices).



You don’t have to dig far into his blog or his Twitter stream to find information about people making bad decisions – and often going to significantly more difficult lengths – to escape practicing actual security. I recommend these posts to developers and business users alike – the more you know.


(For the love of Pete, just put the table NEXT to the pool!)

Troy’s massive following of developers has helped to encourage many businesses and the teams they hire to adopt a more secure-by-default way of thinking – thus protecting each and every one of us a bit more in the process. It would be a serious challenge to overstate the influence and impact Troy has had in the world of online security.

If Troy talks about security in his presentation (I consider it highly likely), then you can expect a great deal of humor paired with pragmatic information you can take home and implement right away. In all honesty, I’d be surprised if there aren’t people taking a hard look at their own applications immediately following the keynote.

#Conclusion

His penchant for educating the masses – sometimes whether they like it or not and often with humorous anecdotes – is, to me, a shining beacon of what it means to be an MVP in the technology world. He’s able to take some of the most complicated subjects of our time – cloud and security – and help us approach them with greater surety that our actions will be successful and safe.

I am greatly looking forward to attending Troy’s keynote presentation and taking any opportunity I can get to hang out with him, buy him a beer (in real life, not just as a donation to Have I Been Pwned), get an autograph, and generally be a geeky fanboy. (Troy, if you read this, I promise to moderate the giddiness in your general vicinity.)

If you’re still looking for reasons to attend, this is a big one, and there are many more. Hope to see you there!

Happy coding.
