Thoughts on .NET, Security, Architecture, Agility, and Databases.
I am speaking tonight at the Western Mass Microsoft Technology Users Group on Securing your ASP.NET MVC Application. I have added a few new items since my talk in Boston in August.
I am speaking tonight on ASP.NET MVC Security at Microsoft DevBoston.
I will be speaking at the Connecticut .NET Developers Group that will be held at the Microsoft offices in Farmington, CT on September 14, 2010.
I haven't spoken at a conference for a while, but I plan to offer several sessions at the New England Code Camp 14 that will be held at the Microsoft offices in Waltham, MA on October 2, 2010.
I have recently finished writing a comprehensive training course on ASP.NET MVC 2 with C#. I am now offering this 3-day course through my independent consulting company. Please check out my Training page on my company web site if you are interested.
(By the way, I updated my own website to run and use the .NET Framework 4.0 and ASP.NET MVC 2. It was a fun exercise to update my 10+ year old format I used for ages.)
Microsoft has announced two new Security Development Lifecycle (SDL) tools here:
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.
Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of MiniFuzz, we have made a simple file fuzzer available to assist developer efforts to find and address more bugs in code before it ships to customers.
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.
BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers). For a more detailed enumeration of the checks performed by BinScope, please see the BinScope documentation. BinScope is available in two forms: as a standalone executable and as a Visual Studio add-on.
I have spent a great deal of time over the last year and a half on a couple of projects architecting solutions using NHibernate and Fluent NHibernate as the preferred ORM (object relational mapper). It has really matured into a great set of products with the release of NHibernate 2.1 (especially with System.Transaction support) and Fluent NHibernate 1.0. I have also used LINQ to NHibernate 1.0 and like how that works as well, but it could be tweaked some more.
As Jason Hogg mentions in his blog post, the Geneva Identity Management Framework (renamed from Zermatt) was announced yesterday at PDC 2008.
- Geneva Framework - A .NET framework for writing interoperable, claims-aware applications
- Geneva STS - An STS integrated with AD. Supports issuance (finally) and consumption of CardSpace Cards.
- CardSpace Geneva - A federation client
In addition to these framework-like components, there are also a couple of services (built using Geneva), including:
- Microsoft Federation Gateway - Provides the basis for the Microsoft Services Identity backbone - brokering access to Microsoft cloud applications and developer services
- Microsoft Connector Services - Federates AD to the Microsoft Federation Gateway. Provides lightweight access to the federation gateway.
- .NET Access Control Service - Next generation service (STS) that performs claims transformation. It receives authentication information and issues authz decisions. This includes a management portal and APIs for managing and writing authz policies.
You can get the bits here.
I have recently been working with a client to set up an STS and stumbled upon Zermatt and was very excited to see this direction. If you are looking to build/deploy a claims-aware application and need an STS over WCF, take a look at Geneva.
NOTE: Requirements are Vista and/or Windows 2003/2008 for the installation of the Geneva Framework and Windows 2008 for installation of the Geneva STS.
I got notice today, as others did, that I have once again been named a Microsoft MVP for 2008 in the area of Visual Developer - Security. Thanks again, Microsoft, and my MVP lead Rafael Munoz, and all those who have been very supportive of my community work this past year (with my speaking at several conferences, speaking at user groups, and leading a user group as well).
Like Dominick Baier and Christian Weyer of Thinktecture, I also wondered why I couldn't use a UsernameToken with Transport Security in WCF v.1. I wanted to put together a simple demo for a client and that feature just wasn't there. Dominick mentions in this post it will finally be available in WCF 3.5. Great!