April 2004 - Posts
The book Improving .NET Application Performance and Scalability I have been pointing to over the past few months has finally been released on MSDN. This is another excellent resource from the Patterns and Practices group.
Rico provides a great Foreword to the book (he and his team did a great job of putting the finishing touches on the book).
Get it now!
has posted an excellent introduction to one of my favorite methods of securing web sites: creating Partial-Trust ASP.NET web sites to sandbox your application. See his latest post “ASP.NET Websites running under Partial Trust and third party controls” for some great insights.
Developers need to focus on writing least-privileged applications. This includes knowing how to set up a development environment that helps with this. Also make sure you never force your end users to run as Administrators when they use your products.
Keith Brown has an excellent new security article - Security in Longhorn: Focus on Least Privilege [by way of Sam Gentile]
I will have more to say about my own writing and speaking on the topic of “Writing Least Privileged Applications in .Net” in the coming days. Stay tuned.
As you may know (those who read this blog), I spend a lot of my time architecting and developing enterprise/distributed applications using EnterpriseServices, .Net Remoting, and most recently WebServices and SOA-type applications. I do a lot of coding of the various layers and tiers, but I am always having ideas about how to code some of those layers better (read: easier).
I will be checking out nTierGen this weekend. I asked Gavin Joyce for a copy of the latest nTierGen 1.6 (free to webloggers on weblogs.asp.net) to review. I will post my results.
Thanks Gavin for the generous offer!
I found an interesting article titled “Detection of SQL Injection and Cross-site Scripting Attacks” at SecurityFocus today. Basically, it focuses on how to set up rules for SNORT (an open-source Intrusion Detection System (IDS) tool) using regular expressions. What I found most interesting about the article is that some of the same ideas can be applied to input validation as well, in terms of checking for these kinds of input attacks on a web site. Very good read.
As mentioned by Ted Neward, the second Architect's Journal is now available. Looks like some great articles on Service-Oriented Architecture (SOA), Patterns, and an article on Metropolis by Pat Helland (Pat was one of the original architects for MTS and COM+). Get it now! (You must sign in with Passport and answer a survey to obtain a copy).
My good friend Andrew Stopford has posted some great articles and information on Flex and .Net recently, as well as some upcoming information on Flash Remoting (updated). Macromedia Flex is one of the newest products that will help developers build enterprise-level Rich Internet Applications. Definitely worth a look.
A preview of the May, 2004 MSDN Magazine (featuring Visual Studio 2005) is now available. It's an article called “Create Elegant Code with Anonymous Methods, Iterators, and Partial Classes” by Juval Lowy.
I think I have been asleep a couple of times and missed that Beta 3 of Improving .NET Application Performance and Scalability (which I mentioned back in December, 2003) was released on February 27, 2004.
Looking at the chapter on Remoting, I noticed this comparison (which wasn't in Beta 1 and Beta 2):
Web Services vs. Enterprise Services vs. Remoting
The following are product team recommendations for choosing a communication technology:
* Use Remoting for one process, cross application domain communication, or if you need to integrate with a legacy protocol.
* Use Web services wherever you have a boundary to cross.
* Use Enterprise Services inside your service implementation if you need a component service such as distributed transactions.
Web services are the recommended approach for crossing boundaries. Some common boundaries include servers, trust domains, organizations and teams. You should also use Web services for single machine inter-process communication.
If you have some kind of boundary that leads you to use Services but you have a performance problem, then you should use Enterprise Services.
If you haven't looked at this best practice guide on performance before, do so now. Notably, .Net performance expert Rico Mariani has contributed a lot to make this very good resource a great one!
By way of Gary McGraw (co-author of the newest must-read application security book, Exploiting Software: How to Break Code) from the SC-L today:
Today the National Cyber Security Partnership released a set of reports
about the software security problem meant to drive policy in the
Department of Homeland Security. I co-authored the report titled
"Processes to Produce Secure Software" with, among others, Mike Howard,
Watts Humphreys, and Sam Redwine. A copy of our report can be found