Microsoft TechEd Developers Event 2007

To summarise...

2007-11-13T01:36:00.001-08:00

All in all, a very busy schedule.

The event, as you would expect was very professionally organised and executed. The length of the sessions seemed about right in terms of the content/concentration ration. A few nice touches such as the on-demand nibbles, drinks, wireless access etc. allowed the day to flow along much more smoothly. The format for the interactive sessions probably needs revisiting as too often, the speaker reverted back to lecture mode once the uncomforable process of trying to extract views from the audience was over.

The Blog helped focus the mind, consolidate learning and hopefully pass on a useful few nuggets to you all. Please, if you have any comments good or bad, please leave them on the site.
Overall, I was happy with my EasyJet experience and although the approach to John Lennon airport was a bit turbulant, I was happy that hte runway offered slightly more room for error that the one shown here. My scores are as follows:

The Grand Finale

2007-11-12T09:06:00.000-08:00

Session 20
"Hey dude wheres my business logic"

We started with a look back at the good old days:

Things have changed a lot since 1978. Over the years, the hardware has moved from the desktop model to client server to 3-tier to n-tierProcedural. Software on the other hand has moved prom procedural to OOP to SOA.

Peoples perception of what constitutes a "big" system often differs considerably. To some people a big system may be 100 users. To others, it may be tens of thousands. Scalability is one of the top issues in system deployment - small can grow unexpectedly - and this is never a good time to rebuild.

By way of disclaimer, the speaker offered us a warning "This session will be contriversial!"

"where is your business logic?" exclaims the speaker, "I will show you instances where it is either on the client and the databas server."

After a brief defenition of what the speaker means by tier and layer, we continued on the road of Business Logic (BL).

The old desktop applications contained 100% business logic with little or no seperation between the application layers. Once evolution to the 2-tier client/server model took place, we automatically had that seperation between the application and storage layers. However, the client retained intermixed business logic. When coupled with the network limitations of the time (i.e. high network usage, low lan speeds), bottlenecks were bound to ensue.

Applications evolved with a large amount of BL being moved to server which is good but the choice of migrating to the database (usually via stored procedures) was bad.

The speaker asked for a show of hands as how many of us know of a "monster" stored procedure in existance within their organisation. We were told why such stored procedures are often a bad thing i.e.interpreted which is slow, inefficient, large number of conditional statements which has a performance cost etc.

more to follow ...

A fine double act

2007-11-12T08:41:00.000-08:00

Session 19
Implementing the Enterprise Service Bus (ESB) using Microsoft BizTalk Server

There have been a number of fine double acts over the years, Cannon & Ball, Little & Large, Cheese & Onion and Mike & Bernie Winters, but to name a few and todays partnership proved no exception. Robert Hogg (Chief BizTalk Architect of Black Marble) and Ewan Faiweather (a Premier Field Engineer with Microsoft UK) managed to make a heavy topic area really quite entertaining.

How many of you have heard of Enterprise Service Bus (ESB) let alone wondered how it could benefit your business? ESB is a widely used term in the Enterprise industry but poorly understood.

The speakers introduced a number of key concepts needed to understand ESB and examined ESB can improve business. This was consolidated with a number of demonstrations.

We next dived into BizTalk which is a Microsoft sponsored set of guidelines for how to publish schemas in XML and how to use XML messages to easily integrate software programs together in order to build rich new solutions.

Further demonstrations showed how BizTalk can be used to implement ESB.

Although a number of the topics discussed during this session were very new to me, I tried to glean what I could.

May the force be with with you

2007-11-12T05:56:00.000-08:00

General Session
The irresistible forces meet the moveable objects

It was a full house in the auditorium for the late morning genreal session. The first thing on the agenda was for Pat Helland to elaborate on the mysterious title he had given this presentation. It turns out that the forces in this context were those which push the computer industry and pressure how our applications are composed. To tackle this, we need to create new models for components and evolve our existing computing models.

The nature of the forces were described in terms of old and new. In the good old days we had big servers, big data-centres, bif CPU's which all cost big money. Today we have small servers, small data-centres, etc., etc. (you get the idea). so lets have a closer look at the forces:

Forces in processing
Moore's Law says that the number of transistors in the CPU will double every 2 years. Some og the high-end chips are currently operating at 150watts. But why is CPU frequency not rising like it should? Well, apparantly this is down to the Power Wall whereby the total number of power increases year-on-year. Total power = dynamic power + static power. As transisters get smaller and smaller, they leak more and more power. Faster frequencies need more dynamic power. Also, as the chips get hotter, the static power goes up.

The Memory Wall occurs because access time to DRAM remains basically flat. There will be a big push toward speculative execution whereby the hardware is used to guess the next memory access required. There will be increasing attention to parallel chips and on-chip shared memory which offers faster access times than regular DRAM.

Forces in data-centres
Data centres dont need to be like aircraft hangers anymore. Computers are cheaper and smaller. Reducing the power saves on air-conditioning costs. You can now buy data-centres built out of converted shipping containers and at 55% of the cost of regular buildings. They have far more space, heat/power efficiency and allow hugh savings in production and installation costs.

Forces in storage
"DISK IS TAPE." The store to disk is getting skinnier. With each generation, capacity increases with ariel density amd read/write time with linear density. Predictions are 10+ terrabytes for 2010 and all for under $100. The memory market has been driven down by phones, cameras and ipods. Flash makes a better disk than disk! IO per Gb of flash memory is 200 compared to 4 for disk. Current trends show a crossover between flash and disk making prices comparable.

Forces in the cloud
At this point, we were shown a video of the future vision. Mechanisms need to be in place to ease the transfer of data between all types of machine. Application state needs to be seperated from the machine. Use peer-user-peer-app state and sand-boxing. Controlled and safe sharing across applications. There are two types of parallelism, pipeline parallelism and partitioned parallelism.

Single core processors wont get any faster. Ath this point, an analogy was made with an ice-skater. The closer they bring in their arms, the faster they spin.

People will evolve apps to cope with the forces. The demand will cause applications to change.

The movable objects
Even if the computer is accurate, data is entered by people (which can be inaccurate).
Computers have partial knowledge ...
Memories and sharing - its nice to remember your guesses - sharing your memories is useful.
Fidelity of memories <- -> cost

Sorry for some of the garbled notes. The presenter was going through at a rapid pace.

Improving the user experience

2007-11-12T05:18:00.000-08:00

Session 18
Web Client Software Factory (WCSF): Building Rich Internet Applications with ASP.NET, AJAX and WCSF.

Glenn Block started with a demonstration of a non-RIA web application without client side support from AJAX in order to highligh how poor the user experience was.

"Why are design patterns important?" Glenn mused. "Because they have a common taxonomy whilst being technology independant."

Patterns as good as they make sense no matter which framework your are working with. They are also useful for discussing requirements with peers. They define both the problem and the solution. Apparantly, there are 70 set patterns for developing applications with AJAX.

When we look at taking an application towards a RIA, it is not a black/white, all or nothing issue. The speaker utilised a pattern called "Suggestion" in order to demonstrate his point. "How can we help users enter data when they don't always know the allowed values." he quipped.

Solution: Assist user with list of useful suggestions by offering a list in real time. The speaker showed how you don't have to wait for full-postback in order to achieve this. AJAX ContextSensitiveAutocompleteExtender can implement the suggestion pattern by retrieving a list of suggestions from a web service and is triggered by either number of key strokes of a delay.

Next, a demo of the basic AJAX autocomplete control (or filtered list). The problem is with the control shown on the speakers demo site was that it gave a full list of cities in the USA even though Washington has already been selected as a state (i.e. not just cities in stage WA).

Solution: was to hook-up the city and the zip code and drop on the acsae*. This then only returns the cities and zips for washington. A call is made to a web service with the zip and city sent as parameter.

Another problem identified was the "pop-up problem". How can we provide the user with a quick method of looking-up valid field entries such as cities and states?

Another problem was the "display morphing problem". How can we make the interface more interactive? Weel, we need to update the display dynamically as the context changes and this can be done with via an updatePanel - automatically updates portion of the screen with server content via a partial postback. - Supports naive and third party server controls - but can be heavy.

* acsae: If anyone knows what I was trying to type, please let me know.

Hands On!

2007-11-12T05:09:00.000-08:00

Session 17
Hands-On Lab (HOL)

For one reason or another, a number of sessions for Thursday and Friday had been cancelled so I thought this would be a good opportunity to experience a few hands-on-labs. The ones that really jumped were:

DAT41-HOL - Introduction to LINQ
TLA03-HOL - What's new in C# 3.0?
WEB11-HOL - Introduction to ASP.NET AJAX

A bit too contrived to be realistic

2007-11-12T03:46:00.000-08:00

Session 16
Web application security

Alik kicked things off by outlining the objectives of the session. 1) As developers, we need to apply sound security engineering principles to our applications. 2) We need to plan for security throughout the software development lifecycle. 3) the ultimate goal to to produce more secure systems.

Security dilemmas facing the developer were identified:
How to authenticate users?

How to authorize users?
How to validate input?
How to perform data access?
How to handle exceptions?
How to handle sensitive data?
How to handle auditing and logging?

Much of the session from here on in was a practical demonstration of how to compromise the TechEd official website (although Alik later revealed that he had created a dummy site in order to prove the concepts).

So, first on the agenda was traffic sniffing. Sniffing traffic (on this site anyway) was easy to achieve by a) having the appropriate tools and b) having passwords sent as free text. Alik demonstrated this to us and concluded that where possible use Windows authentication. Where this is not possible, use https:// for secure transmission.

Next on the list was SEL Injection attacks. Alik performed an injection into the search field of the TechEd session lookup screen. The added SQL consisted of a search for a valid session plus a UNION with the SYSOBJECTS table. He then went on to locate any tables like '%login%' and finally performed a UNION on the LOGIN table to extract usernames and passwords. The lesson here was to ensure that you check data types, data lengths and ranges of anything being entered into your form fields.

This took us neatly onto exploiting over-privileged accounts. Again Alik inserted some extra commands into the search field:

;EXEC xp_cmdshell "netuser username password"

where username and password were Alik's. He then remote desktopped to the TechEd server and logged in with his new extended privileges. The lesson here is to apply the principle of least privilege accessand validate entry strings for correctness.

The next section related to exploing a single gate keeper and Alik showed easy it is to extract a password from the hash contained in the backup SAM file. The lesson here was to partition your website to physical folders and restict access. Also, apply a defence in depth approach using multiple gate keepers.

The final topic was live search hacking where Alik described a number of methods for gleaning useful "hacker related" information from a system.

Whilst interesting in parts, the example scenarios were so contrived, and the security flaws so obvious that you were left wondering if the Three Stooges had been responsible for implementing security on the "bogus site".

Tales of an overworked IT pro

2007-11-11T10:21:00.000-08:00

Session 15
Top 10 Mistakes Developers Make

We start with a formal definition of a mistake:

"A mistake: error, blunder, a misconception or misunderstanding, to confuse a person or thing with another."

What are the two biggest pains in software development? Well, David Aiken had no problem in letting us know: Install and Health. As an adide, we were then shown a sign which adorned the office door of a developer at Microsoft which read:

"I don't care if it works on your machine, we are not shipping your machine."

Anyway, onto the mistakes we make:

Mistake #1 - Ad-hoc configuration
what you do: Make configuration changes to your machine manually.
what you need to do: Script any changes so that they are repeatable.

Mistake #2 - Don't make assumptions about security

do not make assumptions that:

User will had admin rights.
Firewall will also port 8050.
User has permission to register HTTP namespace.
User is mapped to dbo role in the database.
User can write to file system in folder x.

Mistake #3 - XCOPY = Mistake

XCOPY really means XCOPY then:

Add registry entry.
Enable file permission on account.
etc, etc, etc.

Mistake #4 - Uninstall = Format C:
Do you provide a way to uninstall your application?
Checkpoint: 1) build an installer/msi for your app components. 2) Integrate istaller as part of the build process and test. 3) script install and uninstall steps.

Mistake #5 - Dependancies
What does your application depend on:

SQL?
MSMQ?
Port 8050?
Foo.dll?

Can your application easily check for dependancies? Use a dependancy checker.

Mistake #6 - Upgrade means reinstall
At worst, installation of patches may require uninstall and reinstall or even worse! Some developers simple overwrite earlier dll's with new ones - bad practice.

Mistake #7 - Patch breaks everything else
You make a fix to correct an error without comprehensive testing on the knock-on effect on other system components.

Mistake #8 - Don't use admin tools
Notepad is not really as admin tool and neither is Visual Studio.

What is? WMi, Windows event logs, Windows performance monitor, Windows Powershell, Microsoft Management Console etc.

Mistake #9 - How do you know your application really works?
Use of synthetic transactions such as bogus customers and orders to test every scenario.

Mistake #10 - Single user testing multi-user environment
Don't just assume that your application will operate in multi-user environment when testing has been carried out by single user.

A little more of the same

2007-11-11T03:45:00.000-08:00

Session 14

The Next Release of ASP.NET - Significant Features Available Soon...(really soon)

Another session led by the ASP.NET Deveopment Manager Matt Gibbs. This session was billed as walkthrough of the most compelling features of the next release and started with an ASP.NET roadmap in which the audience were treated to a discussion of the .NET framework through the ages.

Next we dived into the topic of Astoria data services. For those of you who arent in the know, Astoria enables applications to expose data as a data service that can be consumed by web clients within a corporate network and across the internet. The data service is reachable over HTTP, and URIs are used to identify the various pieces of information available through the service. Interactions with the data service happens in terms of HTTP verbs such as GET, POST, PUT and DELETE, and the data exchanged in those interactions is represented in simple formats such as XML and JSON.

A demo of Astoria followed.

Matt's focus was then onto ASP.NET AJAX and more specifically, how browser history and navigation can be improved by using AJAX. The discussion was consolidated with a demonstration based around an online shopping site with AJAX provifing state management. The site consisted of a 4-page shopping wizard which allowed the user to move back and forth between all pages and see all details without the need for full postback to the server.

Matt discussed desirable feature of ASP.NET AJAX called script combining which can dramatically improve web site performance by ensuring scripts are called efficiently as possible.

Matt next described in detail the Silverlight controls which he touched on in his previous seminar ASP.NET: Why, What, How and When?

Non-interactive Interaction

2007-11-11T02:05:00.000-08:00

Session 13
ASP.NET: Why, What, How and When?

Maybe it was down to the fact that this was the first morning session following the free bar at the Country drinks event the previous night, but this less-than-capacity crowd were probably more eager for 'hair of the dog' rather than audience participation. This left our host, Matt Gibbs with no opportunity but to deliver a rather one-sided lecture.

He started with a look at where are we now, specifically:

ASP.NET AJAX 1.0.
New 'Orcas' features are currently work in progress.
Astoria.
New AJAX features on the horizon.
The new Silverlight controls.
MVC framework.
The new data access controls available.

An important message that Matt wanted to drive home was that the views of the developer community are very important for the future development of the Microsoft technologies. So basically, keep your questions, issues, feedback, concerns, scenarios, feelings, impressions coming!

There is a perception among the developer community that the trend to implementing new features mean that javascript is being leveraged too much and this in turn makes debug harder to carry out. Matt described that there will be a shift to silverlight as the main vehicle to develop client-side code. "We don't see people making a wholsesale shift to silverlight, but rather evolve to this technology over time, levering silverlight when developers see a particular benefit."

To Silverlight controls are currently being worked on:

control makes it simpler to implement your Silverlight functionality without using JavaScript.
control simplifies the addition of music and video to your site by handling the complexity. You just need to select the skin and supply the path name to your media file.

Microsoft are working on a release date of December for the controls.

We then moved onto a definition of Astoria. The goal of Microsoft Codename Astoria is to enable applications to expose data as a data service that can be consumed by web clients within corporate networks and across the internet.

The data service is reachable over regular HTTP requests. The use of web-friendly technologies make it ideal as a data back-end for AJAX-style applications.

For those of us that did'nt over-indulge on the free bar the night before, this was quite a useful session.

All that glitters...

2007-11-08T04:23:00.000-08:00

Session 12
Hidden gems in ASP.NET 2.0

I must admit, I had not noted who would be delivering this session and my heart sank as I ascended into the auditorium and immediately recognised the distinct and lush facial hair of Stefan Schackow. It's not that he is not extremely knowledgeable, for he is. Its' more that the style of delivery does nothing to impart his knowledge into my grey matter.

Again, there were a copious amount of demo's based around a number of ASP.NET themes:

Ajax Callbacks
Why not implement ICallbackEventHandler instead of full blown AJAX in your applications. This will give you the ability to update a particular portion of the page without full-page postback. The method getCallbackResult returns the data from the server for the page portion as a string. It is then upto the developer to parse and repopulate the page.

Expression Builders
We were exposed to the magic behind the $ expressions e.g. and advised to use expression builders to extend the parsing engine. The Web.Config is the place to register your custom expression builder. A couple of demo's followed at this point.

Encrypted Configuration Sections
We were shown how it is possible to encrypt sections of your configuration files such as Web.Config. The encryption used is triple DES and can be applied via the Aspnet-regiis.exe. Connection strings containing username and passwords could be protected using encryption although it was pointed out that this is probably bad practice anyway.

Adapters
Next on the agenda were adapters and more specifically, control adapters and page adapters. Given a control, a custom piece of code can observe and effect the rendering of the control. As a demonstration, Stefan implemented the render method of a textbox. He discussed the benefits of creating your own browser definition file and dropping into the appbrowsers folder.

Other topics up for discussion were custom cache dependencies, post-cache substitution, Virtual path providors, session state partitioning and async pages.

I must admit, I thought that some real 24 carat nuggets would be revealed in this session but was left feeling a tad disappointed.

The ego has landed

2007-11-08T04:21:00.000-08:00

Session 11
Top Ten ASP.NET Scaling Tips

"I just want to give you a brief biography of my career before we start" exclaimed an incredibly fired up and annoyingly confident Stephen Forte. Now I don't mind larger than life characters, in fact, part of me wishes that I could shout a bit more about my achievements. But I am not sure what reaction someone is fishing for when they trot out line after line of self congratulation. At one point I felt like grabbing the mike and saying "listen Steve, I am really pleased that you have done so well in life that you don't need to work again. Your brilliant" and have done with it. Sorry for the rant. Actually, probably not wise to work on the blog this late in the evening after a tiring day so i'm going to sign off.

The session was billed as an open Q&A session and Stephen did his best to rouse the crowd in his own distinct way. A big problem with the interactive sessions at TechEd is that the room layout does not really promote or encourage interaction. I suggest the organisers watch a couple episodes of Jeremy Kyle to identify the core requirements:

Seating arranged in a raised crescent format.

Speaker moving back and forth between stage and seating area.

> 1 microphone

Stephen started by defining scalability:"if you can add more workload to a system without increasing the cost of the system per unit of workload." So I guess that ramping up the number of users is only half of the equation. The other half means doing so without increasing the cost per user.

At this point a delegate asked Stephen "exactly how do you measure scalability?" which is fair enough as this is an interactive session right. Apparetly, you work out your total system costs in Excel. You then figure out your variable costs and put these into the spreadsheet also. You then look at your transaction volume. A transaction in this context may be a business process as well as a financial transaction. You finally determine a cost for this transaction and divide the overall system cost by this transaction cost. As easy as that!

In discussing performance, the speaker took us through an equation he has been working on. For all you mathematicians out there here it is:

Legend:

R - Response Time.
RTT - Round Trip Time.
AppTurns - HTTP Requests.
ConcurrentRequests - The number of server sockets open by the browser.
Cs - Server side compute time.
Cc - Client side compute time.

Stephen hammered home the following point:

"performance, extensibility and reliability need to be at the forefront of your mind when developing applications. You cannot throw expensive hardware at a non-scalable system in a hope of making that software more scalable. Instead, all you get is really expensive non-scalable software."

Now one particular delegate was not about to accecpt this point of view and challenged Mr Forte enthusiastically. The speaker attempted humour in order to deflect the difficult situation but the challenger was undeterred. After a few more attempts to extract an agreeable answer from the speaker, the challenger left the hall disatisfied (well that was my observation).

The final few minutes were spent discussing priority and sticky based load balancing.

A somewhat disjointed but never the less, entertaining session.

Demo Overload

2007-11-08T04:18:00.000-08:00

Session 10
Server Communication with Microsoft Silverlight and ASP.NET AJAX

Blog to follow...

Too little too late

2007-11-08T04:09:00.000-08:00

Session 9
Microsoft SQL Server 2005 - Reporting Services - Advanced Report Design

Almost immediatly, our host Ciprian Jichici jumped straight into a practical example.

Problems can occur when exporting a report from Reporting Services (RS) into a data analysis tool such as Excel. The thing is, when a complex and/or formatted report, arrives in Excel from RS, all formats and groupings are preserved as far as possible. "Well, whats wrong with this?" I hear you say. Surely, it is credit to the application that not only is the formatting of the Excel export identical to the RS version, but any complex, multi-level sorting/grouping from the original are still preserved. The issue is that often, the reason why such an export happens in the first place is so that additional analysis and computation can be performed on the data or the data can be combined with other data already in Excel. In these cases, you may want the raw report data without the bells and whistles. Hence, the demo showed us how an 'analysis friendly' version of an elaborate RS report can be exported with minimal overhead for the developer.

The speaker discussed the difficulty of being able to including data fields in the headers and footers of SqlServer 2005 RS. The next demonstration showed how this is a lot easier to achive in 2008.

Next topic was localization and more specifically, the two problems of localizing report structure and localizing report contenct. The demo showed how easy it is to allow your report to be translated into a number of different languages.

Report parameters were next in the spotlight. Parameters are your friend and have lots of uses:

Dynamic queries.
Varable groupings.
Fields in headers and footers.
Currency translation.
Language translation.
Self-drill reports.

Ciprian dived into a few practical examples of the use of parameters.

It was clear that nobody in the auditorium was happy with the layour capabilities of RS in SQL Server 2005. For example, it is not an easy task to combine dynamic and static column content in the same report. The speaker showed us a "trick of the trade" for reducing the number of row headings on a drillable-crosstab report by converting to a stepped format. This has the advantages of a) reducing complexity and b) reducing the screen area of the report i.e. going from this:

to this:

Although there were so good tips in this session, it was of limited use for anyone who does already know the technology inside out. I left slightly disappointed.

Postback - Not on your life!

2007-11-08T04:04:00.000-08:00

Session 8
Building highly scalable ASP.NET web sites by exploiting Asynchronous programming models

Blog to follow...

Upto my elbows in AJAX

2007-11-08T03:59:00.000-08:00

Session 7
Optimizing and Extending ASP.NET AJAX

A big advancement in the .NET framework is the support for ASP.NET AJAX. More specifically, the increadible ease by which 'AJAX magic' can be added to applications. This was the central message of Stefan Schackow here in auditorium.

But did you know that a few lines of hand-written code can be orders of magnitude more efficient than an UpdatePanel? That an UpdatePanel fires client-side events that can be used for advanced customizations? Or that you can leverage the Microsoft AJAX Library directly and tap into features that aren't exposed on the server?

Stefan convinced us all in the hall that the ease in which async capabilities can be added to your apps. A number of demo's were undertaken at machine-gun pace until we could AJAX no more.

I can't help but feel that Stephans style, delivered in his broad Brookyn accent and without pause leaves the viewer feeling somewhat overloaded.

Just what the doctor ordered

2007-11-06T07:51:00.000-08:00

SESSION 6
Principles and Patterns of Security

Theres no doubt about it, Ron Jacobs is a lively and interesting speaker. He kicked off with a quick plug for ARCast which is a show on Channel9.msdn that looks at the latest architecture trends.

The focus of this session was firmly rooted in the way we (as developers) think about security. The speaker set the scene with a security related story about the American company TJ Maxx. "But surely the company is called TK Maxx", I hear you say. I too thought that the speaker had wrongly combined the names TJ Hughes and TK Maxx into a non-existent company, but no, it seems that in the US it is TJ and in the UK it is TK. Anyway I digress.

Apparantly, hackers pulled up outside a store in Massachusetts and compromised an insecure Maxx network. The net result of Maxx failing to successfully encrypt their network was theft of 47.5 million customer credit card details. 6 people were later charged.

In the above scenario, the prime motivation for attack was obviously money ($1,000,000 was spent on merchandise and gift cards using some of the details). However, an asset does not have to be cash,. Other motivations may be:

destroy customer confidence.
Elicit personal customer details for identity crime.
Hijack processor, storage, bandwith capabilities.
Affect availability (e.g. DoS).
Degrade performance.

So what are the entities within the whole attack scenario. Well i'm going to summarise:

Assets are the things that the attacker wants to take from you.
Threats are the ways in which the attacker will try to get the assets.
Mitigation is the way(s) that you can block an attacker.
Vulnrabilities are unmitigated threats.

The speaker then turned his attention to Threat Models which are assessments of the assets, threats, mitigations and vulnrabilities of a system you are building or have built. A useful exercise that Ron asked us to consider was to transpose the attack scenario onto a simple template which takes the format:

AS AN ATTACKER

I WANT TO ____________

SO THAT I CAN ____________

BY ____________

so an example may be:

"As an attacker, I want to obtain credentials so that I can plunder bank accounts by logging customers into a bogus website".

You get the idea.

Next, Ron turned our attention to security objectives or to put it another way, "what do we NOT want to happen!" well, we need to be real clear about our security objectives up front. It is no good to think of security as some kind of 'bolt-on' further down the development process.

The speaker outlined some basic security concepts:

Reduce you attack surface

Your attack surface is all the ways in which an attacker can get to you. It goes without saying that "the smaller the attack surface, the better" and the analogy he gave was that of a castle (not the doomed Microsoft project but a real live castle with turrets, drawbridge and things). When they used to build castles in medievel times, they would have minimal access (i.e. one door complete with drawbridge) and safeguards such as moats and those windows that you can only fit an arrow through. A key message here was "UNDERSTAND YOUR ATTACK SURFACE!" and take steps to reduce it for applications that you already have running in live. Document your attack surface and understand all entry points into your application.

Defence in Depth

Don't just count on one line of defence for your entire system. What if the attacker penetrates that defence? We need to think about a multi-layerd approach and our next move to minimise damage once a layer has been broken.

Least Privilege

Although least privilege can be seen as a defence in depth measure it is best to give it the respect it deserves and treat as a seperate entity. It's as simple as this - CODE SHOULD ONLY RUN WITH THE PERMISSIONS IT REQUIRES (sorry for yelling). Attackers can only do what the code was already allowed to do. Ron offers some recommendations at this point: 1) use least privilege account 2) use code access security and 3) write applications that non-admins can use.

Fail to Secure Mode

Where possible, incorporate failsafe features into your application. DO NOT assume successful operation e.g. initialising all boolean flags to TRUE rather than false. Apparantly, some people do this in their code and wonder why hitting an exception (without a flag = FALSE statement in the CATCH block) causes the potentail attacker to proceed unchallanged.

Never connect to the database as SA. Why? because it violates the principle of least privilege and allows the attacker to elevate his permissions on the system.

Ron then stepped through some other nuggets of information which were pretty obvious things. Dont store passwords in unencrypted connection strings, use Windows security where possible, dont use easy passwords, use stored procedures instead of embedded SQL etc. etc.

In introducing his section on secure storage, Ron mentioned that almost every company on the Fortune 100 list have had security breaches due to insecure storage context. Data MUST be secured in all contexts, whether it be a laptop, a back-up, transmissions of the Internet or third party credentials (e.g. customers).

Never, ever attempt to write your own encryption algorithms in order to secure your data. There are brainy professors that have devoted hundreds and hundreds of years of combined research into this area. Use their work. You would'nt perform your own brain surgery now would you?

Remember... All input is EVIL unless proved otherwise.

Excellent session.

Never work with animals, children or... un-prepared demo's

2007-11-06T07:48:00.000-08:00

SESSION 5
Programming SQL Server 2008

The speaker opened the session by discussing data access methods and more specifically the things to think about when selecting the most appropriate one for your application. Factors to consider include:

New application development.
Application migration from other API and database.
Multiple database backend support.
Platform restrictions and data access availability.

We looked at a cool feature of SQL Server 2008, namely Table-Valued Parameters. This is where you can bind an in-memory data table as a SQL parameter and send to the server. The parameter is then parsed and the contents used to carry out multiple inserts or updates.

We next looked at streaming data for the application to the database using TransactionScope.

A tour of new additions/enhancements to 2008 were discussed next such as the 4 new date/time data types on offer. Currently, SmallDateTime has precision to 1 minute whilst with DateTime this is 3.33 milliseconds. The new types and precisions are: Date (1 day), Time (100ns), DateTime2 (100ns) and DateTimeOffset (100ns).

Although a couple of demos were attempted by the speaker, none worked and this seemed to dent the poor chaps confidence for the rest of the session. A good lesson to take from that would be to have a supply of "heres one I made earlier" projects as backup.

2008 also boasts unlimited length User Defined Types (UDT). The speaker introduced the FILESTREAM storage attribute on VarBinary(max) columns. The designer is no longer restricted by a 2GB LOB.

Good session but could have been better.

Castles in the air

2007-11-06T07:45:00.000-08:00

SESSION 4
Threat Modelling

Security expert Micheal Howard took to the stage once again to discuss the concept of Threat Modelling.

The speaker used the Castle project as an illustration of a Microsoft feature which never made it to release due to the security threat it posed. Castle allows synchronization of passwords and files within a home network topology. In the home, you may have several computers but no domain. If you have 5 computers and no domain controller, how do you synchronize? The castle service needed to run as System user in order to manipulate the SAM. Config data in the registry is accessed by the Castle service but there's no trust boundary. Problems.

The foundations of Threat Modelling are firmly rooted in the Data Flow Diagram (DFD). Firstly, develop a comprehensive DFD of your system. Next, identify the trust boundaries in existance. Where a trust boundary exists, you need to ensure that the appropriate safeguards and validation are in place. Each element of the DFD (i.e. external entities, processes, data stores and data flows) are subject to different threats. These threats are described in the

STRIDE model:

Spoofing

Tampering

Repudiation

Information Disclosure

Denial of Service (DoS)

Elevation of Privilege

It is worth noting with Repudiation, that computers and software do not repudiate - people do!

The following table describes the DFD entities along with the threats that they are susceptible to:

We then moved onto the topic of Threat Trees which are graphical representations of security-relevant pre-conditions in the system. Basically, they are a refinement of the fault tree with the root node equalling the prime threat whilst the chid nodes equate to the questions that need to be asked. The leaf nodes are secondary threats that need to be evaluated.

"How do we calculate risk" I hear you ask. The speaker examined a number of methods.

Calculating risk with numbers...

The problem with using mathematics in calculating risk is that numbers are highly subjective. The DREAD method is particularly bad in that it allows the developer the luxury of moving potentially serious riks further down the list of severity.

Calculating risk with heuristics...

Simple 'rules of thumb' which are derived from the MSRC bulletin rankings. MSRC is good as it removes the temptation from the developer of picking and choosing the problems to fix. From this point of view it is truly objective.

Of course, there are 4 ways to mitigate software threats:

Leave things as they are.
Remove from product.
Remedy with technology countermeasure.
Warn the user.

Point 4 is shifts responsibility onto the user which is not good practice.

The speaker next turns our attention to the mitigation techniques which can be applied to the threat categories:

Threat..........................Technique
Spoofing................................Authentication
Tampering............................Integrity
Repudiation..........................Non-repudiation
Information Disclosure.......Confidentiality
Denial of Service..................Availability
Elevation of Privilege..........Authorisation

The speaker finally left us with an example scenario and 10 mins in order to

Identify all DFD assets.
Identify all threat types to each asset.
Identify 3 threats (one for a data flow, one for a data store and one for a process).
Identify first order mitigation for each threat.

Useful session.

The slickest session yet

2007-11-06T07:42:00.000-08:00

SESSION 3
The Next Release of Microsoft SQL Server: Overview of SQL Server 2008

After a brief overview of SQL Server through the ages, the session was formally introduced as a broad walkthrough of "Katmai" (or SQL Server 2008 to you and me). The speaker was eager to concentrate on 4 key themes:

Enterprise data platform
Beyond relational
Dynamic development
Pervasive insight

2008 offers a number of new features to bolster its postion as a secure trusted platform including trasparent data encryption (without the need to amend your calling application in any way). In fact, encryption can simply be turned on at column level at design time. Other techniques discussed were external key management, data auditing, pluggable CPU's and enhanced database mirroring.

2008 also promises optimised and predictable performance with advances in data compression, backup compression, performance system analysis and query optimization. 2008 allows the designer to limit the proportion of CPU devoted to each application on the box. This is achieved viat he RESOURCE GOVORNER.

Productive policy-based management allows the designer to specify rules which must be adhered to when maintaining the database and an alert system to flag-up breaches of the rules. For example, you may want to ensure that all table names within the Personnel database start with a pnl_ prefix. If this convention is broken, then this will be reported to you.

The next topic concentrated on the availablity of data - "any place any time". 2008 incorporates techniques to facilitate disconnected usage with data beiing cached locally. It goes without saying that there are reliable methods to ensure trouble-free synchronisation takes place between client and server. Data collision and conflic resolution techniques were also discussed.

Next on the agenda was the Entity Relationship Model. The idea was to move away from the constaints of the table structure in order to better model complex business rules and relationships. For example, you may devise an entity for Accounts Payable which may combine columns from a number of tables. When designed, the entity resembles a new table which can be both queried and updated. A demo on the ERM then followed.

A big idea of 2008 is to break the constraints of the relational model in order to effectively store unstructured data such as GPS downloads, movies, documents, XML data etc. Integrated querying accross both relational and text data was also discussed as was the provision for a new data type DateTime2 which provide accuracy down to 100 nano seconds (is that a millisecond?) rather that just a second.

I must admit, the next topic was one of those "wow" moments. Location Intelligence - whcih allows for the effective capturing/querying of location/spatial data - sees the introduction of Geometry and Geography data types. and Virtual Earth integration.

The demo which followed showed how the latitude/logitude coordinates of addresses can be stored within the database as geographic points whilst coordinates of roads and highways are stored as lines. A simple SQL query was composed to show all the coffee shops which exist within a 5 mile radius of a partucular location with the output being plotted onto a Virtual Eath map.

The final section of the presentation discussed Pervasive Insight and enterprise data warehousing. more specifically, it focused on 2008's ability to scale in order to manage large numbers of users and data.

I thoroughly enjoyable session indeed.

Would the real Michael Howard stand up!

2007-11-06T04:07:00.000-08:00

SESSION 2
The Security Development Lifecycle

When I heard that Michael Howard was making a presentation here at TechEd regarding security, I feared the worst. What would the MP for Folkestone and Hythe be doing here for heavens sake (and I have'nt even brought my blue rossette with me). Imagine my relief when the man taking the stage was none other than Michael Howard the Co-Author of Writing Secure Code.

Michael set out his stall be outlining the scope of the presentation. Specifically, this was "Security as a threat to software and the process of building secure applications"

He launched into a bit of an attack on security professionals: "Security people are antagonists who annoy people. They are good at telling you when someing doesnt work right but not much good at coming up with solutions." he claimed to a somewhat stunned audience.

He strongly suggested that most vunrabilities come into the system as data. And gave us a snippet of information regarding the software release process: "When something is not on by default, it is usually a feature that has not been tested enough and hence the vendor are not 100% confident about. However, he also made the point that tere are shades of grey in system security. Its not always black and white. Yet this is often something that the security guys refuse to take on board.

We next went into the topic of the day - The Security Developer Lifecycle. In a nutshell, these are a bunch of requirements/recommendations that deal with design/development/testing/post-release security/privicy and whose goal is to improve security by reducing severity or vulnrabilities.

The key message that Michael pushed here was "Secure by Design, Secure by default". There is no evidence whatsoever to support the case that if you increase the quality of the software, then security will improve. Or put another way, you must focus on security in order to deal with security!

The speaker then looked at security requirements and recommendations. Put simply, requirements are things that MUST be done prior to software release whilst recommendations are things that we may want to incorporate but will not delay software release.

I must be honest and say that the remaining half of the presentation was something of a disapointment to me as the focus was clearly on the area of unmanaged code and more specifically the vulnrabilities of the C and C++ language.

I shall bullet point the following snippets and hope that some of what was said may be of interest:

vs2005 provides warning for unsafe functions still in use.
Banned function replacements - safe crt (included in vs2005) and Strsafe (included in VS2005 and Windows SDK).
VS2005 automatically migrates banned/unsafe functions into safe versions in object code.
SAL (Standard Annotation Language) Used by static anaysis tools.
example of SAL in use __out__ecount(cchBuf) allows the compiler to link buffer size variable with buffer.

The speaker then went on to discuss cryptography and stated that no new code must use md4, md5, sha1, des, rc3 (without crypto review), althogh Michael did conceed that Microsoft will sometimes allow weakended security for reasons of compatability. e.g. triple des within ssl.

Moth in the Spotlight

2007-11-06T03:49:00.000-08:00

SESSION 1
Visual Studio 2008 and the .NET framework v3.5

It was clear that Daniel Moth wanted to get off to a good start and broke the ice with a comedic routine that Bobby Davro would have been proud of. Once the laughter had died down, it was onto the business of the day...

He started by guiding us through a timeline of the .NET framework and said that, as developers, we should think of the framework as a number of seperate components (i.e. tool, languages, libraries and clr) rather than a single entity. There is no new clr in VS2008 and Daniel exclaimed that this is a good thing for reasons he would reveal later in the presentation.

According to the speaker, the most important new feature of VS2008 is LINQ with approximately 8 to 10 sessions at this years TechEd being devoted to the technology. In addition, he outlined a number of important enhancements to the latest release, namely Workflow, AJAX and device emulation.

v3.5 adds approximately 15 new assemblies to the 2.0 and 3.0 frameworks. VS2008 guarantees backward compatability and affords the developer the means to work against any previous framework version simply by selecting from a drop-down list.

Daniel identified those areas of VS2008 where most progress had been made:

Multi-Targeting
The ability to select the most appropriate framework for your project. If the developer selects the latest framework, all assemblies from prior versions of the framework are available. You can even switch versions part way through the development process which will either limit the functionality (If you go from a later to earlier version) or present the developer with additional functionality.

Compiler Features
The speaker discussed new additions for VS2008 including:-

Integrated AJAX libraries and project templates.
ListViw, DataPages and LinqDataSource.
The new HTML designer window.
Synchronised split view.
JavaScript intellisense and debugging facilities.
New support for CSS including auto-ordering of rules, CSS property window etc.

After highlighting the new features for developing mobile applications, Window applications and the Windows Communication Foundation, Daniel demonstrated the new features of VS2008 can extend the functionality of Office applications. Traditionally, VBA has been the main route for customising Office application, however Daniel demonstrated that new Office functionality - such as Excel add-ins - can be easily constructed and deployerd via VS2008.

C#
The speaker discussed a number of enhancements to the language such as the new VAR keyword for Type inference. For example, the statement:

VAR arr = new[] {3,56,34,666,7}

will construct a variable of type int32.

Assemblies

The speaker concluded by identifying the 15 main assemblies included in VS2008:

System.Core.dll
System.Data.Linq.dll
System.Xml.Linq.dll
System.Data.DataSetExtensions.dll
System.Web.Extensions.dll
System.WorkflowServices.dll
System.ServiceModel.Web.dll
System.AddIn.dll,
System.AddIn.Contract.dll
System.Windows.Presentaion.dll
System.Net.dll
System.DirectoryServices.AccountManagement.dll
System.Management.Instumentation.dll
System.VisualC.STLCLR.dll

Excellent work Daniel!

Heads Up for the Keynote

2007-11-06T01:35:00.000-08:00

We take our seat in the arena. The lights dim and a thumping acid house bass and drum combo kicks in whilst pycadelic imagery flashes before our eyes. You could be forgiven for thinking that we were at a Happy Mondays concert rather than a Microsoft conference but instead of listening to the vile rantings of Shaun Ryder, we are treated to an informative and motivational keynote by this year’s keynote speaker S.Somasegar, Corporate Vice President of Microsoft’s Developer Division.

He first starts by congratulating the user community for their assistance in making the latest release of Visual Studio the best version yet. In describing the user experience of Visual Studio, a parallel was drawn (by way of analogy/anecdote) to a meal he had the previous night at the Moo restaurant in Barcelona. His evening was memorable for two reasons:

1) The quality of the food and
2) Its presentation and overall ambience of the establishment.

1st class software development too requires a balance of high quality functionality coupled with an attractive and effective presentation layer. Further, each version of Visual Studio incorporates additional functionality designed to optimise the productivity of the developer.

The speaker emphasised that there are different types of developer (ranging from the hobbyist to the pro-developer) and different platforms that are developed against. .NET needs facilitate developers of all abilities to construct the systems they need to develop across a range of platforms.

Visual Studio 2008 increases the bar in a number of ways, from support for multi-targeting to the AJAX integrated libraries. Not to mention the workflow capabilities and comprehensive libraries for further development of MS Office applications.

Whilst congratulating the MSDN concept, Mr Somasegar wants a greater collaborative and community based approach to the sharing of knowledge and discussed the concept of code galleries.

The Microsoft Sync Framework was announced which provides developers with the programming tools required to develop applications that support off-line and disconnected usage. The main thrust was that the data should follow the user across multiple devices and multiple protocols. It was announced that Visual Studio 2008 along with the .NET Framework 3.5 will be available for download from the end of November.

The speaker then introduced Tony Goodhew, a programme manager within the Visual Studio team, who took us through some of the cool features of VS 2008. Such features were:

Split view screens which allow a coordinated HTML and design view for the developer.
Breadcrumb lists.
Greater support for CSS including links to external style sheets and the CSS properties window.
Multi-targeting.
LINQ (Language Integrated Query).
AJAX integration.
Development with Silverlight.
Full support for JavaScript including Intellisense and debugger support.

A lighthearted video entitled 'VS2008 - A True Development Story' aimed to convince the developer community that you really can have your cake and eat it as far as this product is concerned.

It was announced that Microsoft has removed the licensing term restriction which stopped the VS IDE from supporting all platforms.

Popfly was introduced as the next generation web-based tool for building web pages, mashups and gadgets.

Finally, the speaker outlined the future for Visual Studio which will see greater support for testing and debugging and offered 4 commitments to us the developers:

We will be transparent.
We will listen to customer feedback.
To build a vibrant community.
To foster a partner eco-system.

The speaker left the stage to a warm round of applause.

Halloween Picture

2007-11-04T01:32:00.000-07:00

Here is Brandon in his halloween outfit. Whilst obviously scary, I am pleased that it is also a functional garment.

My Sessions

2007-10-30T04:56:00.000-07:00

Here is my current event calender for TechEd showing the sessions I will be attending. Although web technologies figure highly on my selection, I have a particular interest in system security and this too is reflected in some of my choices. Obviously SQL Server figures heavily in software development here at the University so I have aimed to include sessions of interest from this particular technology. There are some general/lunchtime slots which I will make a decision on when I am there. Please note, you need a Microsoft EMEA account to get futher information about the sessions.

Session 01:TLA201 - A Tour of Visual Studio 2008 and the .NET Framework 3.5
Session 02: SEC201 - The Security Development Lifecycle
Session 03: OFF401 - .NET Developers Advanced Introduction to SharePoint 2007
Session 04: SEC202 - Threat Modeling
Session 05: DAT312 - Programming SQL Server 2008
Session 06: ARC206 - Principles and Patterns of Security
Session 07: WEB312 - Optimizing and Extending ASP.NET AJAX
Session 08: WEB401 - Building Highly Scalable ASP.NET Web Sites by Exploiting Asynchronous Programming Models
Session 09: BIN305 - Microsoft SQL Server 2005 Reporting Services: Advanced Report Design
Session 10: WEB314 - Server Communication with Microsoft Silverlight and ASP.NET AJAX
Session 11: WEB02-IS - Top Ten ASP.NET Scaling Tips
Session 12: WEB308 - Hidden Gems in ASP.NET 2.0
Session 13: WEB01-IS - ASP.NET: Why, What, How and When?
Session 14: WEB310 - The Next Release of ASP.NET – Significant Features Available Soon… (really soon)
Session 15: WEB307 - Developing Data Driven Applications Using the New Dynamic Data Controls in ASP.NET
Session 16: WEB201 - Web Application Security
Session 17: WEB306 - Building Multi-Channel E-Commerce Solutions with Commerce Server 2007, ASP.NET, AJAX, Silverlight, WPF, SharePoint and BizTalk Server
Session 18: WEB318 - Web Client Software Factory (WCSF): Building Rich Internet Applications with ASP.NET AJAX and WCSF
Session 19: WEB316 - Understanding ASP.NET Internals
Session 20: WEB403 - Securing your High-Risk ASP.NET Web Applications: A Case Study

TechEd Format

2007-10-30T04:49:00.000-07:00

The Microsoft TechEd Developers 2007 event boasts the following session formats:

Breakout Sessions
The new five day format provides an even greater choice of technical Breakout Sessions. Presented by industry experts and Microsoft product team members, TechEd Developers' Breakout Sessions are delivered in theatre-style format in rooms seating 140 to 700 people. Sessions are 75 minutes in length, including time for Q&A—so you can talk to the people who actually develop the products you use every day. All sessions are recorded and provided on the Post-Conference DVD to make sure delegates don’t miss any of the latest news.

Interactive Sessions
Interactive Sessions are small and informal and provide you with an opportunity to interact with speakers, to ask questions and discuss topics. They can be a chalk-talk, based around a whiteboard or even an extended walk-through of a demo or product feature presented at an earlier breakout session. Interactive Sessions are 30-75 minutes in length and delivered in theatre-style format in rooms seating a maximum of 80 people.

Panel Discussions
Panel Discussions are lively debates with a mix of industry experts and Microsoft product team members on stage answering your questions. Panel Discussions are 75 minutes in length and delivered in theatre-style format in rooms seating 140 to 700 people.

Self-Paced Hands-on Labs
Self-Paced Hands-on Labs let you dive deeper into specific products and technologies at your own pace, with the support of experienced Microsoft Certified Trainers (MCTs). Self-Paced Hands-on Labs are 30-60 minutes in length and delivered at individual desktop workstations.