Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.


.Company / Other Sites / Other Blogs

.NET Links

.NET Local Boston Events

.NET User Groups in New England

Blogs - .NET

Blogs - Agile

Blogs - Architecture

Blogs - CLR

Blogs - Security

Blogs - SQL Server

Blogs - System.Transactions

Enterprise Services (COM+) Resources

Indigo Resources

Microsoft Security Resources

Presentation resources

Recommended Books

Rotor Resources

Security Resources

I will be speaking at the Connecticut .NET Developers Group that will be held at the Microsoft offices in Farmington, CT on September 14, 2010.

Here is my topic:

ASP.NET MVC 2: Best Practices

Level: Intermediate / Advanced
Abstract: ASP.NET MVC 2 was released earlier this year as an update to ASP.NET MVC 1 with several improvements. This talk will briefly review what ASP.NET MVC 2 is and then will dive into some best practices for using the tool to build great web applications. We will cover the best usage of controllers, models, views, routing, testing, security, and deployment.

Depending on time, we will also briefly look at some new features of ASP.NET MVC 3 Preview 1.

After the talk, I will make slides and code available on my website here.

I haven't spoke at a conference for awhile but I plan to offer several sessions at the New England Code Camp 14 that will be held at the Microsoft offices in Waltham, MA on October 2, 2010.

Here are my topics:

Introduction to ASP.NET MVC 2

Level: Introductory
Abstract: MVC has been a big buzzword for ASP.NET developers. We'll explore what it is, what problems it solves, and how to be effective with it. This is for beginners that have had no experience with MVC but have worked with ASP.NET Web Forms.

Advanced ASP.NET MVC 2

Level: Advanced
Abstract: In this talk, I'll cover advanced topics in the newly released ASP.NET MVC 2 framework, including customized display and editor templates, writing your own server- and client-side validators, writing your own validation and metadata providers, customizing the T4 templates used to generate views, asynchronous processing, and more.

Securing your Silverlight 4 Applications

Level: Advanced
Abstract: No exploration of Silverlight is complete without understanding both the security features it provides and generally how to ensure your Silverlight application has been developed with security in mind. This session will go over Silverlight’s security model and general techniques for understanding how to design for and develop secure Silverlight 4 applications.

After the talks, I will make slides and code available on my website here.

I have recently finished writing a comprehensive training course on ASP.NET MVC 2 with C#. I am now offering this 3-day course through my independent consulting company. Please check out my Training page on my company web site if you are interested.

(By the way, I updated my own website to run and use the .NET Framework 4.0 and ASP.NET MVC 2. It was a fun exercise to update my 10+ year old format I used for ages.)

Microsoft has announced two new Security Development Lifecycle (SDL) tools here:

MiniFuzz File Fuzzer

MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.

Because fuzzing is effective at finding bugs, it is a required activity in the Verification Phase of the Microsoft Security Development Lifecycle (SDL). With the release of MiniFuzz, we have made a simple file fuzzer available to assist developer efforts to find and address more bugs in code before it ships to customers.

BinScope Binary Analyzer

The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations.  BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.

BinScope also reports on dangerous constructs that are prohibited or discouraged by the SDL (e.g. read/write shared sections and global function pointers).  For a more detailed enumeration of the checks performed by BinScope, please see the BinScope documentation.  BinScope is available in two forms: as a standalone executable and as a Visual Studio add-on.

 Jeremy Dallman, of Microsoft, explains both tools in this post.


Posted by RHurlbut

I have spent a great deal of time over the last year and a half on a couple of projects architecting solutions using NHibernate and Fluent NHibernate as the preferred ORM (object relational mapper). It has really matured into a great set of products with the release of NHibernate 2.1 (especially with System.Transaction support) and Fluent NHibernate 1.0. I have also used LINQ to NHibernate 1.0 and like how that works as well, but it could be tweaked some more.

I have decided to turn that experience into training classes offered through my independent consulting company. Please check out my Training page on my company web site if you are interested.

As Jason Hogg mentions in his blog post, the Geneva Identity Management Framework (renamed from Zermatt) was announced yesterday at PDC 2008.

Genvea includes:

  • Geneva Framework - A .NET framework for writing interoperable, claims aware applicatoins
  • Geneva STS - An STS integrated with AD. Supports issuance (finally) and consumption of Cardspace Cards. 
  • CardSpace Geneva - A federation client

In addition to these framework like components, there are also a couple of services (biult using Geneva) including:

  • Microsoft Federation Gateway - Provides the basis for the Microsoft Services Identity backbone - brokering access to Microsoft cloud applications and developre services
  • Microsoft Connector Services - Federates AD to the Microsoft Federation Gateway. Provides lightweight access to the federation gateway.
  • .NET Access Control Service - Next generation service (STS) that performs claims transformation. It receives authentication information and issues authz decisions. This includes a management portal and API's for managing and writing authz policies.  

You can get the bits here.

I have recently been working with a client to set up a STS and stumbled upon Zermatt and was very excited to see this direction. If you are looking to build/deploy a claims-aware application and need an STS over WCF, take a look at Geneva.

NOTE: Requirements are Vista and/or Windows 2003/2008 for the installation of the Geneva Framework and Windows 2008 for installation of the Geneva STS.

I got notice today, as others did, I have once again been named a Microsoft MVP for 2008 in the area of Visual Developer - Security. Thanks again, Microsoft, and my MVP lead Rafael Munoz, and all those who have been very supportive of my community work this past year (with my speaking at several conferences, speaking at user groups, and leading a user group as well).

 Happy New Year everyone!

Posted by RHurlbut | 3 comment(s)
Filed under: , ,

Like Dominick Baier and Christian Weyer of Thinktecture, I also wondered why I couldn't use a UsernameToken with Transport Security in WCF v.1. I wanted to put together a simple demo for a client and that feature just wasn't there. Dominick mentions in this post it will finally be available in WCF 3.5. Great!

Once again, for the 4th year in a row, I enjoyed the one conference I make sure to book well in advance. I haven't traveled to conferences as much this year, instead focused on client-related work. This was one conference, however, I was really looking forward to attending and presenting. I am originally from the mid-west (Oklahoma) and have lived in Massachusetts for 12 years now but I always feel more at home when I go to HDC than anywhere I have visited. The layout of the area, the local convenient stores, the people, and the atmosphere remind me a great deal of what I remembered most about growing up in the mid-west.

I gave two talks (which will be posted here later today); one on Service Oriented Design Patterns and my old standby SQL Server Service Broker. My service-oriented talk was packed (and was the first talk right after Ron Jacob's keynote). I wasn't sure the best way to present the talk (as it was a first time topic for me), but my purpose was to separate out real service-orientation from sample web services and to stress you really need a good business reason to build out full SOA implementations. From the comments I heard the next morning, I seemed to have got the message across. The Service Broker talk was a little lighter in number of people, mainly because most people were attending Scott Guthrie's Orcas talk, but I was glad to see everyone in the room for my talk were new to SB and were willing to take a look. There are some nice new features in SQL Server 2008 that have been needed for awhile to make SB more mainstream so I am looking forward to see what kind of applications are developed with the technology.

I also attended Ron Jacob's talk on security. I was originally hoping to do a security talk but I saw Ron already had one slated. He did an excellent job getting everyone interested in taking a serious look at their own issues and not simply blame Microsoft or another vendor if security goes wrong. One very interesting note was Ron mentioned threat modeling but he didn't have time to speak on it at great length yet there were many questions on threat modeling (process, tools, etc.) from the audience. He asked how many have built a threat model before; I was one of two people in a packed room who held up their hand. I would have loved to have given my talk on threat modeling at this conference and will plan on submitting more security-focused topics next time. Speaking with some people at my table at breakfast the next morning, it seemed the primary interest was around threat modeling and security testing.

I would like to thank Joe and Phil for putting on another great show. Both of these guys were so busy those two days (and months before this in preparation). Like last year, a couple of the speakers and these guys went out to Drover's for great Omaha steaks. My flights into and out of Omaha were eventful -- I missed my plane when I was waiting in line to get carry-on bags checked but my luggage went ahead, and then I and everyone else coming from Omaha lost our luggage when we came into Boston on Saturday. Fortunately, I got mine last night, but I really felt for this couple on their honeymoon who were without their three suitcases for a couple of days. Hopefully they got their bags by last night as I did. 

I will be speakinzg at the Heartland Developers Conference 2007, which takes place October 17-19 in Omaha, NE. This will be my 4th year speaking at the conference (I was there at the beginning) and it has continued to get bigger and better each year. Both Joe and Phil have done an excellent job in putting this together.

My topics are:

  • Service-Oriented Design Patterns
  • Building Queuing Database Applications with Service Broker

For the Service Broker talk, I have updated my material to include the latest changes in SQL Server 2008. This should be a great conference -- I am finally going to be able to catch the pre-conference party on Wednesday as I am flying in earlier this time. If you are at the conference, stop by and say hello.

More Posts Next page »