February 2004 - Posts

Writing Secure Code - PPT's and Demo Code
24 February 04 11:29 PM | Joel Semeniuk | 7 comment(s)

I finally got around to sticking up PowerPoints and demo code from my last set of Webcasts on Writing Secure Code (http://joel.isa-geek.net)

1. Powerpoints: Best Practices & Threats

2. Demos: Best Practices & Threats

Let me know if you have any problems.  

ObjectSpaces Article
20 February 04 06:39 PM | Joel Semeniuk | 3 comment(s)

ObjectSpaces – you better start thinking about it.  It seems that I get into conversations about data design patterns every other day hearing things like “we ALWAYS work with objects”, or “we NEVER use datasets” and “We ALWAYS use typed datasets” – now I am expecting to hear “We ALWAYS use ObjectSpaces”.  I suggest that you start mastering ObjectSpaces – they’re cool and long awaited (even though this is far from new in the industry).  Dino Esposito wrote a good high level overview of ObjectSpaces in Whidbey that you can read here.

And remember folks – one data access design pattern does not fit all applications.  Know your options – know your requirements – understand what each design pattern provides and where they make sense.  I’m sure that most people know about the wealth of material on the Practices site; however, for those who don’t, here are a bunch of links that I enjoy reading over and over ….

Enterprise Solution Patterns Using Microsoft .NET

Data Patterns

These are “fairly” good but will need to get updated with respect to ObjectSpaces and Yukon.

Writing Secure Code - Best Practices
18 February 04 11:27 PM | Joel Semeniuk | 6 comment(s)

My first Microsoft webcast went pretty good.  I decided to ask Mike D to help me answer questions during the presentation.  We thought it would add a nice interactive dimension throughout the presentation – I could focus on the presentation and the demos (one went boom – still don’t know why) – and he could answer the many (wow there were lots) questions submitted by attendees.   I’m going to post the slides and demo files on www.dotnetwired.com in a public document repository (meaning that you won’t need to be a member of the site to gain access to the files).  I’ll add a blog entry when I get that done – which I would expect would be this weekend.

Many thanks to Mike for helping out (as he always does).  Time to get ready for Friday’s webcast on Threat Mitigation techniques.

Security Webcast Anyone?
18 February 04 01:14 AM | Joel Semeniuk | 2 comment(s)

As some of you might already know February 16-20 is Developer Security Webcast Week.   There will be 13 or so web casts on virtually every aspect of security with the developer in mind.  I’m doing two of these web casts:

MSDN Webcast: Writing Secure Code – Best Practices - Level 300

February 18, 2004
11:00 AM - 12:30 PM Pacific Time, US & Canada (GMT-8)
In this webcast for experienced developers, you will learn established best practices for applying security principles throughout the development process. We will discuss common security threats faced by application developers, such as buffer overruns, cross-site scripting and denial of service attacks, and you will learn effective strategies to defend against those threats.

MSDN Webcast: Writing Secure Code – Threat Defense - Level 300

February 20, 2004
11:00 AM - 12:30 PM Pacific Time, US & Canada (GMT-8)
In this session for experienced developers, you will build upon existing knowledge of secure coding best practices to learn about analyzing, mitigating and modeling threats. The session will discuss established threat modeling methodologies and tools and show how they can be applied with other best practices to minimize vulnerabilities and limit damage from attacks.

There are other RD’s doing some webcasts as well.  Doing webcasts feels kinda funny.  I’m very energetic and when I present I feed off the audience – interacting with them constantly.  Doing a webcast feels like walking in a mall talking on my cellphone – nothing like blabbering on and on about something to your computer screen.  It’s a weird disconnected feeling – but none the less an EXTREMELY powerful way of getting the word out.

That actually reminds me of my youth.  In high school we all took aptitude tests – they were fairly extensive and gave an idea of what we might be when we grow up.  Mine consistently came back saying I was going to be a Priest.  Hmmm… without any disrespect to Priests – I really didn’t think that would happen judging by my love of Jack Daniels, Metallica, and… girls.  Well, it turns out I’m a preacher anyway – just not in a religious context (although some would argue).  I’m spreading “the word” in a different way – and across an entirely different medium.  Wonder if religious groups will be using webcasts any time soon – or maybe they already are.  Amenbrother.net!

Trivial Samples? How about Patterns?
12 February 04 01:33 AM | Joel Semeniuk | 7 comment(s)

Just got back from our February (brr) .NET User Group session.  Tonight, as I’ve mentioned in a previous post, we had a different format – discussion only.  Turned out, the discussion needed to be facilitated quite a bit – but otherwise I think it was good.  The group talked about ASP.NET (which slowly turned into an application architecture – datasets vs. business object – object relational mapping discussion – hey Joel, what’s new in Yukon), Web Services (which quickly fizzled – we all agreed they were happiness – use them), and Security (hah – there is no such thing, only acceptable degrees of security).

I really wanted to take the time to listen and for those who know me you know how hard it is for me to keep my trap shut.  Through my facilitation effort (while I stuffed my face with pizza – “Thanks Microsoft”) I did hear one clear message and that was there are very few good (software) reference architectures (yes, there is the IDC and EDC stuff – but apparently those are not enough for developers) out there that are complex enough to represent the more common business problems most members have.   The members suggested that there were lots of very simple (or really bad) examples/samples – none that “really” demonstrated the “real” best practices.  Now, I don’t know if I agree quite yet so I’m going to make it my mission to try to find samples I think can be used as a set of VERY good reference architectures that bring together the complexities of real enterprise software development – end to end.  Looking for reference apps that properly demonstrate security (right down to row and column levels that might meet healthcare needs), dynamic logging and instrumentation and auditing, complex data bound GUI’s, Business Objects/Datasets, client side caching, offline credential validation, complex (Insurance level) data driven business rules, versioned/historic objects/data – and the list goes on.

The message I heard was that MSDN and spin offs such as GDN, ASP.NET, WindowsForms.NET were missing the boat with respect to content consumable by an intermediate/senior developer.  Now, I know that MSDN can’t provide for everyone and I believe that they have done a wonderful – actually AMAZING job the last couple of years.  Microsoft is reaching and supporting developers better than they have ever done in the past – but is there even more room for improvement?  Obviously there seems to be a common theme here because it’s not the first time I’ve heard this.   Again, I feel that I don’t have an opinion of this because I have always made very good use of MSDN and other Microsoft provided resources over the years – and have had good success.

Please – if you have time to point out some samples that have been very useful to you, please drop me a note or comment on this post.  My intent is to bring together a good set of reference material and stick it in the blog or on the Winnipeg.NET UG site.   

Personally, I consume design patterns rather than big complex sample applications.  I think that they are far more effective compared with reference solutions and I think that Microsoft is doing a good job getting that message out.  I believe that the introductory developer needs to have GREAT samples that they can almost literally copy to get their job done; however, the Intermediate-Senior developers SHOULD be learning patterns and how to apply them in different ways (one pattern does not fit all – not all solutions should have the same data access model for example).  In fact, I think that there should be more emphasis on patterns in all educational material coming from Microsoft as well.  Wish I could have been awake enough to bring this point up in the discussion tonight… oh well, I’ll use this as my soapbox.

Oh yeah, and why does EVERY Windows Automatic update want to restart my servers these days?  The only way to achieve 5 “9”’s seems to NOT apply the patches – the downtime accumulated from the restarts “required” by the patches makes it virtually impossible to achieve a very high uptime factor.  Ohh that grinds me.

Thoughts?

Discussion based Winnipeg.NET UG
11 February 04 01:48 AM | Joel Semeniuk | 1 comment(s)

The Winnipeg.NET Users Group is having its next meeting tomorrow night (Feb 11) – but this time, it’s going to be slightly different.  To date the group would get a presenter in – they would present – people would nod – eat, and leave.  This time there is no presentation – just discussion (with some facilitation I would hope) on pre-chosen topics.

I hope we get a good turnout – and generate some good discussions.
