September 2005 - Posts
has written a new article on MSDN describing the new security features of Visual Studio 2005. Take a look -- I have been playing with many of these features for a while, and I am glad to see this finally pulled into a concise article.
I am catching up after another very successful New England Code Camp weekend. I am getting ready to head out to the MVP Global Summit 2005 in Seattle, WA (and Redmond at Microsoft) tonight as well (heading out a little early for the new author's meeting tomorrow at Microsoft). I am still working on uploading my slides and code (slides are there now -- just have to extract code from VPC images) to my site -- I will update when they are available.
Code Camp was once again a blast! I heard there were over 600 in attendance (wow!). I met some people from California and England that flew out for the weekend. Incredible!
I felt all my talks went well. There was very great interest in security and in the System.Transaction talk. I had lots of great questions that spurred on more questions for me as I dig more into the .NET 2.0 changes. I think everyone agreed that the next release is going to be packed with great tools and improvements to really help the developer.
Here are some links to information I mentioned in answer to questions, or to further resources beyond those provided in the slides:
Security Guidance for .NET Framework 2.0
Threat Modeling ASP.NET Applications
Guerilla Threat Modeling (on Peter Torr's blog)
Active Directory and ASP.NET 2.0 (a nice blog post I mentioned by Andrew Duthie)
I had fun this past week catching up again on System.Transactions while getting ready for New England Code Camp 4 this weekend. In my readings and experiments with code, I pulled together the bloggers I know about who are either working with System.Transactions directly (the team at Microsoft) or writing and/or talking about it out in the field. I have listed these resources on my main blog page, and I am listing them here as well:
System.Transactions Team Blogs: Jim Johnson, Florin Lazar, Miguel Gasca, Nate Moch
Wiki for team: System.Transactions Team Wiki
Blogs out in the field: John Papa, Sahil Malik
I have been working on several presentations on security, SQL Server, and transactions topics for upcoming conferences and user group talks. These always seem to come around the same time, but fortunately, I have a few that are similar at different locations.
New England Code Camp 4, Waltham, MA, Sept. 24-25
Speaking on What's New in Security for .NET 2.0, Security Tools for the .NET Developer, SQL Server Security, and Introduction to System.Transactions.
VSLive! Orlando, Orlando, FL, Oct. 9-13
Speaking on Security Changes in .NET 2.0.
Heartland Developers Conference 2, Grand Rapids, IA, Oct. 12-14
Speaking on Security Changes in .NET 2.0, Programming in SQL Server Using the Hosted .NET Runtime (filling in for Kent Tegels who will be in China that week).
MAD Security Code Camp, Reston, VA, Oct. 29
Submitted four topics and waiting for what's selected.
I will also be speaking at the Boston Beantown .NET User Group in early October, and the OWASP Boston chapter meeting in early November. Topics TBA.
All in all, a busy couple of months!
Kirk Allen Evans talks about his adventures in discussing with several at PDC one of my past favorite topics: distributed transactions. I have renewed interest in this, and in particular Enterprise Services again, as I will be speaking on the new System.Transactions namespace in .NET 2.0 at next week's Code Camp 4.
Kirk also talks about how in-depth discussions with the most knowledgeable people are again one of the best values of attending conferences like PDC. I couldn't attend unfortunately, but I know from my experience at TechEd earlier this year (when I got a chance to speak with the System.Transactions team), such discussions are priceless!
I noticed Dino Viehland posted a notice regarding fiber mode support in SQLCLR for SQL Server 2005: Fiber mode is gone...
I remember following Dino's cooperative fiber mode posts and remarks on sample code last year with great interest, and was eager to try this out in some of the later versions of SQL Server 2005. For me, it was only a curiosity -- I have never had or seen the need to write a fiber mode SQLCLR procedure. The SQL and CLR teams decided it was more important to make sure normal threading issues were rock solid for ALL operation rather than pay half-attention to both regular threading AND fiber mode issues that may benefit a few. The biggest obstacle for fiber mode sign-off was dealing with stress conditions. It's an understandable choice -- I would much rather have the basics be rock solid. Dino does bring up an interesting point regarding use of fiber mode in your application design:
For those of you wanting to develop a fiber mode CLR solution I think you need to first ask yourself why you're doing this. If you're attempting to conserve stack space then this is not the solution you're looking for. If you're attempting to reduce the number of context switches experienced then you can still get much the same results using thread mode and blocking "switched out" tasks on an event that gets signaled when it's their turn to run. And of course there's a 3rd, although usually less desirable, option to redesign the way you're approaching the problem of a large number of work items.
Again, I am glad the teams focused on the items that could be made feature complete. I wonder, though, how many people/companies this will impact in their anticipated design after rollout?
A couple of weeks ago while flying to and from Microsoft in Redmond, I read most of this book (still finishing it between bits of spare time on my current projects): Rootkits: Subverting the Windows Kernel by Greg Hoglund and Jamie Butler. Ted Neward has a very good review of the book I suggest you read, and I agree with his evaluation as well -- this really helped me dig into some untouched areas for me such as how to build device drivers and many of the techniques used by rootkits to avoid detection and remain after reboot. This is a great security book, and highly recommended.
Just a quick follow-up on my Devscovery trip (I type this on a draining battery on my laptop while on "vacation" in beautiful North Conway, NH).
I continued to attend Jeff Richter's and John Robbins' talks. I especially liked John's talks more and more as he spoke about things I enjoy: unit testing (he mentioned you should really look at MbUnit as well, which is currently led by my friend Andrew Stopford), best coding practices, interesting tools, and he "preached" on running as non-administrator. It was great to see him run through all his slides and demos doing the non-administrator dance that is part of my everyday lifestyle! His talk on .NET performance (the last talk of the conference I attended) was excellent and definitely worth the price of admission. Again, an extremely well put together conference and if you have a chance to go, definitely do so.
Another highlight was having lunch with Wintellect's Jason Clark in one of the Microsoft cafeterias. I have been a fan of his book (he wrote the sections on security) and articles and it was great to meet Jason in person. I hope he will finish his Inside Indigo book, but also start blogging more.