Attack and defence: Securing ASP.NET applications

A small introduction for these posts you can find here. Lunch at www.devdays.nl was well taken care of. Salmon sandwiches and plenty of them.

The next session for day 1 for me was “Attack and defence: Securing ASP.NET applications”  http://www.devdays.nl/sessies/detail.aspx?code=SEC01KB By Keith Brown. ( http://twitter.com/keithbrown42 )

As a preface Keith showed us is jojo skills, pretty impressive.

According to Keith in security you need to find a balance. You need to start by thread modelling. You can find info from P&P http://www.msdn.com/securityguidance.

tips:

  1. principle of minimum privileges. Don’t use the network  service account, create your own account
  2. do security in depth,  assume all input is evil. Do security validation on the server.
  3. put user input quickly in strongly typed variables don’t keep them in strings to long
  4. don’t use regex without ^ and $, otherwise people still can insert stuff .
  5. use sql parameters , don’t concatenate input in your query.
  6. don’t show complete error messages, put the in the log and give the user the possibility to correlate there error with the log.
  7. using a maximum length in textboxes doesn’t help. Use server side validation

If you use validation controls you need to program them correctly. You need the check on the server side the IsValid property.

Viewstate by default gets hashed and checked on tampering. Cookies don’t get this, form login cookies do.

printf(a,b,c,d) has a big security issue (not console,writeline()) a is a control channel, the rest is a data channel. Don’t give up control of the control channel. Equal so Proces.Start(a,b) and sql.commandtext = a.

demo on sql- injection (people have automated this)

  • in a search box start with a ‘ and see if you get an error (if it is a string, for a number you don’t need it.
  • use ‘ or 1=1 – to get all the rows
  • do ‘union select null,null,null (keep adding rows)
  • replace a null with intersting stuf @@version, username, tables from table_schema
  • if there is a user table, select emails and passwords and put them in an excell sheet.
  • change price
  • exec xp_cmdshell ‘net user hacker password /add’

Keith his anti virus software wanted to let the entire audience know that it was out of date during the presentation.

To test for XSS protection turn of validateRequest and see if your application can handle it. Web.config Demo:

  • put in a textbox <h2>test<h2> see if the formatting is kept.
  • put forms, JavaScript and what you want in the textbox (example change logo to Google)
  • when an error page is show that get’s its message from the query string, you can use this to enhance a phishing attack.

To fix the problem sandbox the output. When getting the data out of the database use HttpUtility.HtmlEncode(data). On the input side filter the input.

get free modules and examples form pluralsight.

DevDays 2009 day 1 TDD and S.O.L.I.D

A small introduction for these posts you can find here. My third session was a wildcard session by Dennis Doomen on TDD and S.O.L.I.D. Even though the room wasn’t on the map and the session wasn’t on the session overview the room was packed.

People who didn’t know what inheritance is, were asked to leave.

Dennis uses a definition by Michael Feathers to define quality. You must be able to write a unit test of your code within five minutes. There are multiple principles you can use, Dennis is going to focus on some of them:

  • TDD
  • S.O.L.I.D

TDD is a design process, tests are your first users, tests can be documentation. If TDD hurts you are doing it wrong.

For S.O.L.I.D I say read the book by Uncle Bob Martin. Dennis gives an introduction.

In the demo Dennis an aaa template for creating unit tests.( Arrange, Act, Assert) For naming he follows a Should_When naming convention. During the demo, Resharper and RhinoMocks prove their usefulness. Make unit tests intention revealing.

An extra tip from Dennis, it is possible to decorate your unit tests with the workitem attribute, this will couple the unit test with a workitem in TFS.

The samples are posted on Dennis’s blog.

It was a nice session with enough interaction. I would like to see this talk held in a room full of none believers though but then with enough time to discuss. For a nice simple introduction to S.O.L.I.D watch the dimecast screencasts.

DevDays 2009 day 1 Tasks threading and parallel programming.

A small introduction for these posts you can find here. The last session of the day was by  Ingo Rammer about parallel programming in .Net 4.0.

The slides and code of this session will be under conferences on http://www.thinktecture.com/.

Multithreading vs Parallelism. Multithreading is easy, just call Thread.start(). It is primarily used to keep the ui responsive.Parallel programming is used to maximally use the cores that are available.

The ray traces sample comes form the parallel extensions.

Ingo shows a demo walking a large tree structure and visualizing this. The first version uses no threading and takes about 1500 ms to complete. In the second version he tries to make a thread for every node. This version blows up, every thread takes up one mb of memory. The third version uses Threadpool.QueueUeserWorkitem, timing is off now because the threads are fire and forget. The fourth version works with the new tasks from the parallel extensions. This version does the work in about 800ms.

More functionality of the Task is making the creation possible using a factory (shorter, cleaner code). Also the results of a task can be simply used, all synchronization is done for you. In the demo he sums up all values in the tree without having to worry about synchronisation.

After that my netbook just closed down. Basically Ingo covered three ways to do parallel programming in C# 4.0.

  • Fine-Grained Parallelism: Task-API and coordination structures (the foundation of it all)
  • Structured Parallelism: Parallel
  • Declarative Parallelism: PLINQ

Ingo is a great speaker and made this last session while everybody was tired still fun.

SharpDevelop 3.0 vs Visual Studio Express edition

For developers who  don’t know, SharpDevelop is a great free IDE for developing .Net framework applications. SharpDevelop is comparable to the express editions of Visual Studio. So since they are comparable, I will compare them in this post.

On februari the 10th 2009 sharpdevelop 3.0 was released, you can download it here. The version before this one was 2.2 and was released on the 8th of august of 2007, that is a long gap. I thought that SharpDevelop was dead. The 3.0 version shows that it is alive and kicking.
The visual studio express editions are also great. Just the idea of giving away a free IDE to starting developers or just developers who can’t or will not pay for the full editions  of Visual Studio is magnificent. The express editions can be found here

First Impressions
When you spent a lot of time in Visual Studio, starting up the express editions will make you feel right at home. Everything is where you think it is. Stating SharpDevelop will make you feel a bid off. It is like someone has build a new house, redecorated it and made it look like your own house, but you know it isn’t. Still once you see there is enough beer in the fridge and have found the remote , you can have lot of fun in the new house also.
ExpressFirstImpression
Spoiled by Resharper
In my normal development I am totally spoiled by Resharper. These IDE’s don’t support Resharper. How easy are they to use without Resharper.
Renaming a class with Resharper  also renames the file that the class is in, if you want it to. Resharper also renames all references to your renamed class and even gives you a change to change them in comments AND strings. SharpDevelop does not rename the file directly but if it detects that the class and filename are different it gives you the option to rename the file from right clicking the class name. SharpDevelop does also rename all references but does not look at comments by default. The Express Editions give the option to rename also in comments OR strings, it does not rename the filename.

When I use a class that is in the same solution but in another project Resharper gives me the option to reference the project and insert a using statement with a single shortcut. After making a reference in SharpDevelop and the Express Editions by hand you can add the using statement with a right and left click.

In general neither wins, only Resharper wins.

Add Ins and external tools
The express editions let you define your own external tools, so you can startup notepad or ildasm from your IDE and pass in parameters from your IDE. SharpDevelop lets you do the same but by default has already defined some of them. Extra to this SharpDevelop has a Regular Expression Toolkit a resource toolkit, support for subversion, FXCop and stylecop. I can see a lot more of these add- ins for SharpDevelop being developed. The express editions don’t have and probably never will have these possibilities because , and I quote :” We made a business decision to not allow 3rd party extensibility in Express.” From this post.

SharpDevelop wins this one easily.

Targeting .net frameworks
Both IDE’s by default target .net Framework 3.5 but also support 3.0 and 2.0. In addition SharpDevelop supports compact framework 3.5 and 2.0.

Another point for SharpDevelop.

Web Development
This one makes me a little sad. SharpDevelop just fails short to the “visual web developer express edition”. The express edition has a graphical designer for the pages, split screen functionality, javascript debugging possibilities and his build in web server. SharpDevelop has not.

A big win for the express editions.

Little Annoyances
The express editions don’t support solution folders, luckily SharpDevelop does.
If you want to combine a console or windows forms application with a web application or web service in a single solution the express edition don’t support this,  SharpDevelop does.

Two point for SharpDevelop.

Conlusion
If I have to choose for web applications than the express edition wins easily. The build in webserver, the graphical designer with split screen functionality and javascript debugging just make it too good.
If you think you really need to work with a database from within the IDE than also SharpDevelop is not for you. If you want to create a windows forms or console application both will work fine, if you want to build these applications more seriously and use a source control system, static code analysis and stylecop from the IDE you need SharpDevelop !

If the express editions would allow third party extensibility (Resharper) and solve my little annoyances,  it would be number one.
If SharpDevelop would get a resharper add-in, a graphical designer for web pages and a build in web server, it would be number one.

Feature Table
Matt Ward did a comparison of SharpDevelop 2.1 and the Express Editions at that time here. I stole his table and reevaluated. Thanks Matt I hope you don’t mind. The result is shown below:

Feature SharpDevelop 3.0 Visual Studio Express Editions
Code auto-completion Yes Yes
Code syntax highlighting Yes Yes
Windows Forms Designer Yes Yes
Web Forms Designer No Provided with Visual Web Developer
Code Coverage Yes No
Unit Testing Yes No
Languages Supported C#, VB.NET, Boo,F#, Python, ILASM C#, C++, VB.NET, J#
Help documentation No Yes
Plug-in support Yes No explicit support for plug-ins however third party plug-ins can work with the Express edition.
Insert PInvoke Signatures Yes No
Testing Regular Expressions Yes No
Class View Yes Yes
Solution Explorer Yes Yes
Project and Solution File Format MSBuild MSBuild
Web references Yes Yes
Refactorings Rename, Extract Method, Extract Interface Rename, Extract Method
Go to definition Yes Yes
Find References Yes Yes
Code generation Yes. Not as powerful as Visual Studio’s Code Snippet Manager. Yes
Object Browser Yes Yes
Database Explorer Yes. Lacking support for many database providers. Yes
Publishing No Yes
Data Sources View No Yes
Add Data Source Wizard No Yes
Document Outline View No Yes
Resources Local only Local and project
ActiveX Toolbox Items Partial – need to generate .NET interop library Yes
Integrated debugger Yes Yes
Targeting different .NET frameworks Yes Yes
Code Completion for different .NET frameworks Yes Yes
Reporting Yes Yes through the report viewer plug-in
Task List Yes Yes
Error List Yes Yes
Database Designer Tools No Yes
Code conversion Yes No
Integrated NAnt support Yes No
Integrated WiX support Yes No
Integrated FxCop support Yes No
Navigation History Yes Yes
XPath Queries Yes No
Incremental Search Yes Yes
XML documentation preview and generation Yes No
Solution Folders Yes No
Class Diagram Yes No
Build in webserver No Yes
Integrated subversion support Yes No

  SharpDevelopFirstImpression

Why I love twitter

Twitter is fun, and there are a lot of interesting people. Most of them are pretty open for discussion and just having fun. A lot of these people have interesting stuff to say and are willing to answer questions.

A few days now I watched crazeegeekchick make santahats for almost everybody she knows, I guess she is up to about fifty hats now. I asked her to also make a hat for my son, she did without asking any questions. Threw in a hat for me also and gave a nice compliment. Awesome !

crazeegeekchick thanks ! You are one of the people making Twitter fun.

MySonAndISantanized

Hooking into the world wide web.

Yesterday I taught a developer centric training class for starting in software architecture. During this class we discussed a few information sources on the web. While putting together the mail for the students in which I mention a lot of the information sources, I thought this would make a nice blog post. So here are the links.

 

Online rss readers:                                                                

http://www.bloglines.com/

http://www.google.com/reader/

 

Good rss feeds:

http://codebetter.com/

http://www.infoq.com/

http://architects.dzone.com/

http://nplus1.org/

http://blogs.msdn.com/jmeier/default.aspx (look at the pocket guides )

 

Link collections: (if you don’t want to plough through 320 feeds yourself)

http://www.arjansworld.com/

http://www.alvinashcraft.com/

http://blog.cwa.me.uk/

 

podcasts:

http://www.dotnetrocks.com/

http://www.hanselminutes.com/default.aspx

http://se-radio.net/

http://thirstydeveloper.com/default.aspx

 

screencasts

http://www.dnrtv.com/ (check out the design pattern series with JP Boodhoo shows 63,65,68,71,92)

http://channel9.msdn.com/

http://channel9.msdn.com/shows/ARCast_with_Ron_Jacobs/

 

free magazines

https://www.msarchitecturejournal.com/Default.aspx

http://www.microsoft.com/netherlands/studenten/informatie/dotnetmagazine.aspx (Dutch)

http://selfservice.abonneren.nl/titels/computable/abonneren.html;jsessionid=C7FD65099CA5399EA1133ED3BB9E2C12 (Dutch)

 

msdn:

http://msdn.microsoft.com/en-us/architecture/default.aspx

 

Good site for asking questions

http://stackoverflow.com/

 

Sogeti related sites (I work for Sogeti):

http://dsa.sogeti.nl/

http://www.clemensreijnen.nl/

http://blog.softwarefun.nl/ (not much to read yet J )

 

The list isn’t complete and it isn’t meant to be. I have given people my opml file with 320 feeds (No I don’t read them all completely) and it was just too much. This list is a way to get started.

 

Good additions are welcome in the comments off course.

S.A. 2008 domain specific modeling languages


This is the second in a two part blog-post about the software architecture 2008 conference in London. The two parts consist of:

  1. The conference itself, the conference location and software architecture in general.
  2. Building domain-specific modeling languages


At the pre-conference workshops Steven Kelly, co-author of the book Domain-Specific Modeling: Enabling Full Code Generation, showed the attendees what domain specific modeling is, what the value is, a general way of how to do domain-specific modeling and how to do domain specific modeling with MetaEdit+. To get a rough idea of the workshop check out this presentation. For more than one attendee with a Microsoft background the workshop was a bit of a surprise. The domain specific tools of Microsoft were mentioned and discussed a bit but not more than that. The company of Steven Kelly, called MetaCase, has been doing domain specific modeling for a long time with great success. They have been doing this without any influences from Microsoft and probably in the near future Microsoft will borrow more of their ideas. Stuart Kent was a MetaEdit+ user before moving to Microsoft, and they have thankfully borrowed at least some ideas, e.g. terminology and concepts like Relationship, Role and Object, rather than reinventing the wheel. Steven Kelly wishes they had borrowed more, e.g. a true concept of Graph, n-ary relationships etc.

In the past modeling has been used by Case Tools that generated code. These tools were seeking the silver bullet in code generation. These case tools were arguably not very successful. Isn’t domain specific modeling just another case tool ? The big difference is in the domain specific part, each modeling language is only intended for one company and one problem domain. This means its concepts can be at a high level and precise, rather than so low-level, generic or vague that they can be used to describe anything. Similarly the code generator is made by the customer to produce the same kind of code already used by them in their implementations, rather than having a vendor-provided generator with verbose and clunky “one size fits all” code.

What is domain-specific modeling ? It is modeling that:

  • Captures domain knowledge (as opposed to code)
    • Raise abstraction from implementation world
    • Applies familiar domain concepts and rules as modeling constructs
    • Narrows down the design space to focus on a single range of products
  • Lets developers design products using domain terms
    • Apply familiar technology
    • Solve the RIGHT problems
    • Solve problems only once! (directly in models, not again by writing code, round-trip etc.)

Or when you quote Wikipedia :

Domain-specific modeling (DSM) is a software engineering
methodology for designing and developing systems, most often IT systems such as computer software. It involves systematic use of a graphical domain-specific language (DSL) to represent the various facets of a system. DSM languages tend to support higher-level abstractions than General-purpose modeling languages, so they require less effort and fewer low-level details to specify a given system.

Why would you start domain specific modeling ?

  • Development becomes faster
  • Development becomes easier
  • Expertise can be leveraged
  • Routine tasks can be minimized

At the workshop Steven Kelly showed fifteen real life cases that he and his company worked on. And even when you don’t have all the details and because of that would only believe half, the numbers are still impressive. Below is a mix-up of several noticed benefits of those different cases.

  • Comparison to hand-written java after first thirty products = DSM is 3 times faster with fewer errors
  • Development time for a feature from a week to a day
  • Creation of new services 6 times faster compared to manual practices
  • Code generation produces 100% of implementation
  • Generate all required artifacts from a single design (code, configuration, documentation)
  • Look at the picture at the top right corner (Software Productivity Research & Capers Jones, 2002)

The general idea of how to build a domain specific modeling language is beyond the scope of this blog post. People who are interested are advised to get the book Domain-Specific Modeling: Enabling Full Code Generation.

During the workshop the participants were walked through and participated in creating a domain specific language for making interactive TV applications. This was done with MetaEdit+. MetaEdit+ is a very interesting piece of software.

Thinking up the domain experts concepts was the hard part. After that building the language and creating the generator and making a first model was very fast. One of the noticeable abilities was the ability to adjust the representation (while modeling) of parts of the model based on the relative positions of the parts programmatically. Is there a Microsoft product that is able to do this ?

A part of the way MetaEdit+ works is by the use of a domain framework. As a starting point, the code generated looks like the code the developers have written by hand so far. If large sections of that code are recognized as repetitive boilerplate, those multiple occurrences will initially be moved to be just one occurrence in the generator. However, if a section is more than a few lines it’s probably easiest to edit it outside the generator, so the IDE can offer syntax highlighting etc., so the repetitive code may well be moved into a separate function in its own file and just a call to that function will be left in the generator. Functions like that are what Steven Kelly calls the “domain framework”: new code components made by refactoring existing code during the process of creating the DSM solution. There’s not often much new code in the domain framework: code that already exists many times in hand-written apps, are taken and refactored so it appears just once.

When you want to use MetaEdit+ in an all Microsoft organization you have to keep some things in mind.

  • The user interface is not like most Microsoft products.
  • The generators are written in a language called MERL. Microsoft developers will need some time to get proficient with this language.
  • MetaEdit+ is a separate tool, not an add-in for Visual Studio. The generator can produce the code files and a new project file, or add them to an existing project. After some positive feedback from “Software Architect 2008” about a VS add-in, an add-in certainly has become a possibility.

But even when you take these points into consideration MetaEdit+ is definitely worth looking into

Great thanks goes out to Steven Kelly for commenting on and adding valuable context to this blog post. Hopefully he will not sue for plagiarism.

Software Architecture 2008

This is the first in a two part blog-post about the software architecture 2008 conference in London.
barbican
The two parts consist of:

  1. The conference itself, the conference location and software architecture in general.
  2. Building domain-specific modeling languages

The conference was great, a wonderful location, fantastic speakers and a very diverse audience. The conference was held at the barbican conference centre.

The blog posts are based on sessions from the following speakers:

Still there is a need for defining an architect and defining architectures, the key note and some sessions started with definitions. For defining an architecture there are some pretty good definitions that most people can agree upon.

“The software architecture of a program or computing system is the structure or structures of the system, which comprise software elements the externally visible qualities of those elements, and the relationship among them.”
Len Bass, Paul Clements and Rick Kazman (SEI)
“All architecture is design but not all design is architecture. Architecture represents the significant design decisions that shape a system, where significant is measured by cost of change.”
Grady Booch
“The set of design decisions that, if made wrongly, causes your project to be cancelled”
Eoin Woods
“Architecture is the art of how to waste space.”
Philip Johnson

But when it comes to defining an architect the definitions are less clear and mostly boil down to a list of synonyms or a list of characteristics, skills or activities of an architect.

Synonyms
Enterprise Architecture: enterprise Architect, functional architect, business architect, strategic architect, domain architect, stream architect, …
System Architecture: software architect, solutions architect, application architect, systems architect, technical architect, …
Infrastructure Architecture: Infrastructure architect, technical architect, technology architect, database architect, middleware architect, network architect, database architect, storage architect, …

The characteristics could be distilled out of the key-note. Among other characteristics an architect needs to fight being human. An architect must fight the urge for

  • New and complex solutions (Fashion driven development)
  • Pursuing possible solutions too far
  • Just having faith (Faith based coding)
  • His own habits
  • Resolving every uncertainty right away (sometimes the right decision is to wait)

Most speakers did seem to agree on a certain skill set.

  • An architect needs street credibility
    • A relation to the code (preferably code himself)
    • Have the big picture to code detail
    • Cannot immerse in code completely
  • A solid technical background that isn’t just history
  • Communicator, appreciate other mindsets.
  • Needs design skills
  • Leadership skills
  • Coaching skills

One of things that was most prominent present was the need for architects to be more agile. Philippe Kruchten also held a session on the same topic on the 18th of june . This talk was an initiative by Logica’s guru4Pro and worthy of a blog post in itself. At the software architecture 2008 conference the message was clear. We need to be more agile to create more sustainable software and projects fail because we are not agile enough. To get an idea, watch the presentation from Kevlin Henney and James Coplien at infoq ( Agile Architecture is not Fragile Architecture ). What you could get from the conference, Philippe Kruchten and the presentation is:

On every project ask yourself: how much architecture do I need and how agile can I be to make this project a success !

In the key-note Kevlin Henney mentioned the Dreyfus Model of Skill Acquisition. This model recognizes five stages of skill acquisition.

  • Novice
  • Advanced Beginner
  • Competent
  • Proficient
  • Expert

According to Kevlin Henney at the novice level people try to learn the rules, when people start to be competent they start to bend the rules and finally the expert recognizes that the rules depend on the context. That is why when you a ask an expert architect a question, nine out of ten times the answer is “it depends“.

And yes, the answer always depends on the context.

Kevlin Henney mentions that the emphasis on context is mostly his own (as are his jokes!), as this comes from patterns, but some of the detail and framing has been inspired and influenced by Andy Hunt and Dave Thomas (the Pragmatic Programmers) and Dan North (better-best-practices).

Let’s make a step in becoming more of an expert in software architecture and recognize that also when :

  • you define an architecture
  • you define an architect
  • you write down what the characteristic of an architect are
  • you determine the tasks of an architect
  • you define the skills that an architect needs
  • you determine how agile a project must be
  • you determine how much architecture a project needs

It depends on the context.

C# 3.0 in a nutshell

A while ago I purchased the book C# 3.0 In a Nutshell. This post gives my first impression.

It is an amazing reference guide with a lot of detail. This picture gives a great overview of what is in the book and where it is. Notice that what is outside of the circle, like ASP.Net, ADO.Net, WCF and WF is not covered by the book.

If you see through the advertising this overview gives a pretty good idea about the book.

If you are looking for a book to teach you how a computer program is put together this is not the book for you. It describes al the parts pretty well but it doesn’t describe putting them together.

You could read the book from cover to cover. This is mainly because a very easy to read writing style and a good build up of level of detail. But the sheer number of facts that follow each other in a very rapid pace doesn’t make it very useful to read it from cover to cover, after a while facts just want stick anymore.

I would suggest, skimming through the book behind a computer trying the interesting things you see and experiment with it. After that keep the book on your desk and use at as the great reference guide it is.

Testing code formatting in blog post

A while ago I started a blog. In the beginning I came across a visual studio add-in for showing sources as HTML. I just had to test it. You can find the tool here CopySourceAsHtml.

A result of this add-in is the one below.

  250  private static void MakeFileWritable(FileSystemInfo dsInfo)

  251         {

  252             FileAttributes flags;

  253             flags = dsInfo.Attributes;

  254             if (flags == FileAttributes.ReadOnly)

  255             {

  256                 flags &= ~FileAttributes.ReadOnly;

  257             }

  258             dsInfo.Attributes = flags;

  259         }

 

I think it looks pretty kewl. It wasn’t a smart thing to use the horrible colours on the download page. Luckily the html will look exactly the same as it looks in visual studio.