October 2005 - Posts
I got in from the Washington, DC area yesterday afternoon after a very successful Mid-Atlantic (MAD) Security Code Camp conference held on Saturday, October 29, at the Microsoft offices in Reston, VA. I don't know what the total count was (my guess between 100 and 150 people), but it was great to see so many interested in writing secure applications. I took my older boys (15 and 13) with me to try to catch some of the sights. We didn't see as much as I had hoped in the short time, but I was glad they could see me presenting/teaching again as the last time was about 6-7 years ago.
I thought my talks went well, and there were lots of great questions. I enjoyed catching up with former Boston-area friends like Aaron Weiker, as well as several others I know in the area: G. Andrew Duthie, Scott Allen, Darrell Norton (it was great to finally meet after all this time!), and Sahil Malik. Speaking of Andrew, he and his dedicated staff of track chairs and volunteers put on an excellent conference -- things just worked, even when there were problems, everyone reacted quickly and efficiently.
The Code Camp site has my earlier slides here, but I have also posted the latest versions on my site as well.
Update: Here is a review of Saturday (and one of my talks) by Rob Garrett. One session I regretted missing (as it was the same time as mine) was Randy Hayes' session on running and developing as non-administrator, something I have also been doing for quite some time. According to Rob's review, it looks like there is one more convert!
My friends Adam Machanic and Andrew Novick led a Mini SQL Server Code Camp last Saturday in Waltham, MA. I had originally planned to attend, but family matters took precedence. I heard there were around 350 in attendance! Way to go guys!
Adam has posted slides and code on his site.
I will be speaking on Threat Modeling for Web Applications at the local OWASP Boston chapter meeting on November 2, at the Microsoft, Waltham, MA offices. This may turn into more of an interactive teaching session similar to what I am doing Friday at the MAD Security Code Camp as I am seeing more interest in this way of presenting this topic. Threat modeling can be very helpful as you design your own web applications, so you are welcome to attend if you are in the area.
I have been interested to see how threat modeling has evolved over the last few years. At PDC 2005, there was an interesting summary of the current state of threat modeling during the Security Symposium. An emphasis on simplifying the exercise was stressed, especially for those who aren't security experts. The big question (in my mind): how can the typical developer and/or architect get a handle on the security design tradeoffs? You can find the slides for the Symposium at PDC here. Interesting reading.
Andrew has posted the MAD Security Code Camp schedule here. This looks to be a great line up of topics for this Saturday, October 29. I just found I have one more added to my schedule: SQL Server 2000 Security. This is going to be fun, plus I will get to see several friends I haven't seen in a while. If you are in the area and haven't registered yet, do so now, before it is too late!
I really enjoyed my time in Cedar Rapids, Iowa for the Heartland Developers Conference (HDC) 2005. I already mentioned how it seemed like a homecoming to me, but I had no idea how much it would mean to me personally after being there a couple of days. After living in New England for 9 years, I found I miss living in the midwest. Everyone I met was nice and appreciative, food was great and inexpensive (including the liquor!), and developers were eager to learn about new changes in existing technologies. What more could you ask for in a conference?
The session I did for Programming SQL Server using the hosted .NET Runtime had at least 200 people in attendance, about 4 times more than last year's talk I did on Service Broker! The great thing was the subject was completely new to most people in the audience, so I hope I conveyed enough information to give a taste of the SQLCLR changes as well as insights on making informed decisions for when, where, and why to use it. I couldn't get one of the demos to work, so unfortunately I ended the talk a little early, but I had some great comments and questions which I want to explore further on my own.
I thought the session I did for Security Changes in .NET 2.0 and VS 2005 went well also. There were between 125 and 150 people I believe. At one point, there was a good standard set of questions about how to securely handle passwords today. One drawback about some presentations I give is that they can be fairly narrow, and in the middle I get ideas and impressions from the audience that more comprehensive security talks may be desired. It would be cool to see something like the MAD Security Code Camp take place in that area as well. I certainly would be open to speaking again in the area on this and other topics.
In the security talk, I did mention these resources:
patterns & practices Security Guidance for .NET Framework 2.0
Security Guidelines: ASP.NET 2.0
Full trust ASP.NET (in)security
Developing in Partial Trust ASP.NET
Also, I listed resources I have mentioned before for Security in .NET 2.0.
Overall, HDC 2005 was a great conference, though I unfortunately missed part of it as I was in Orlando for VSLive! at the first part of the week (it is too bad these were overlapping). As I said before, Joe and crew did an excellent job in putting together something that will continue to grow and help developers in the area. I have posted the slides and code for HDC 2005 and I will be posting it for conference attendees on the HDC site as well.
Also, I have added slides and code for VSLive! Orlando.
I arrived in Cedar Rapids, Iowa yesterday afternoon from Orlando for the Heartland Developers Conference 2005. This is my second time for HDC and my second time visiting Iowa. It is funny, but it feels like a homecoming when I come here because it reminds me so much of where I grew up in another part of the midwest. I saw the familiar flat plains and corn fields and knew I wasn't in Massachusetts any longer!
Joe Olson and crew put on a great conference. There are at last count I heard around 350 developers here for this event. It's great to see several .NET groups represented from surrounding states participating in a big event like this. I think this is easily double or triple what it was last year!
I had a chance last night to be interviewed for PodcastStudio.net with John Alexander and Jeff Julian. I talked about security changes in .NET 2.0 (one of my topics I am presenting here). I will post a link when it is ready. I will also be giving a talk today on SQLCLR, pinch hitting for my friend Kent Tegels who has been teaching in Shanghai this week. I also would have liked to have seen Kent this week, but I am honored to help out and hope I can do as much justice to the topic as Kent would.
I had a great time in Orlando at VSLive!. The hotel we stayed at (Walt Disney World Dolphin Hotel) is amazing! This hotel is HUGE ... several of us commented you could fit some of the hotels we stay at normally in the lobby!
My talk on Security Changes in .NET 2.0 went pretty well I thought, though I had some problems with the ASP.NET Security demo. I don't know if it's because I am missing something in my installation of VS 2005 RC and SQL Server 2005 Sept CTP or what, but the security portion of the ASP.NET configuration menu doesn't work and I had problems getting the user store to work correctly with the demo site. I'll get it figured out, but, obviously not before that talk now.
It was great to meet some speaker friends for the first time and again at the conference: Sam, Scott Allen, Stephen Forte, Peter DeBetta, Ted Neward, Rich Turner, and several others. Dinner on Tuesday was at a great Italian restaurant called Palio with Sam and our friend Jim Lennox who was also in Orlando on business this week. Sam posted how much dinner cost -- I don't want to think about it again. On Wednesday, it was great to finally meet Scott as we enjoyed a seafood dinner at the Flying Fish Cafe on the Boardwalk nearby.
All in all, a great trip. Next, I headed to Cedar Rapids, Iowa for HDC 2005 (where I am now), which I will mention in the next post. Slides and code for both conferences will be posted afterward.
I will be travelling again this week with back to back conferences at VSLive! Orlando and HDC 2005 in Iowa. I am looking forward to reading this long-awaited new book on the airplane trips: Framework Design Guidelines : Conventions, Idioms, and Patterns for Reusable .NET Libraries (Microsoft Net Development Series) by Krzysztof Cwalina and Brad Abrams.
In my work with .NET, I have spent almost all of my time writing libraries that are used by other developers for various projects. I have spent considerable time making sure my code is consistent, adheres to set guidelines, unit-tested, thorough, and as much as possible, easily maintainable. I believe this book will be very important to library developers like myself, as well as those who want a peek into how the CLR team and others who have worked on the .NET Framework came to agreement on what you see today. There is also a chapter on FxCop at the end, which I have been pointing more and more people to lately with its integration in VS 2005 and its security rules and other code checks.
If you are interested in a "try before you buy" method, Krzysztof and Brad have both been writing about the book and giving sneak previews for some time now on their respective blogs.
I was excited to see Shawn Farkas' article available on "Discover Techniques for Safely Hosting Untrusted Add-Ins with the .NET Framework 2.0", which covers what I presented at VSLive! Boston in written form (it's good to see Shawn move this from his blog to a comprehensive article, too). Then, I realized the article is part of the annual MSDN Magazine Security-focused issue I look forward to each year:
Be sure to read this one from cover to cover.
I will be speaking at the Mid-Atlantic (MAD) Security Code Camp at the Microsoft offices in Reston, VA on October 29. I am really looking forward to this as it will be an all security-focused Code Camp, where I am not nearly the only one speaking on security at one of these events. :)
My topics will be: Eight Rules of Security and Real World Threat Modeling, with Threat Modeling being a chalk talk instead of a presentation.