Tuesday 30 June 2009

Upcoming Talks

I will be doing a presentation at the Dublin Area Microsoft Technology User Group (DAMTUG) meeting on July 16th. I will be giving a short zip talk on Virtual Earth (now Bing Maps) and on Defensive Web Programming.

I am also hoping to get to speak in Cork and Galway if we can arrange it. More details when I have them.

Monday 29 June 2009

Security Mistakes #9 Passwords

Let us continue on with the series of common security mistakes in web development.

Passwords, or rather leaving them unencrypted on publicly accessible servers. This is a very common mistake that new and seasoned programmers alike make.

Even though the web.config is not served by IIS, what would happen if a new virus or an undiscovered bug came along and changed that? Encrypting your web.config is quite simple and can be done with the .NET Framework. I have explained how to do this in a previous post.

Added to this, passwords stored in the database should also be hashed, so that they cannot be decrypted at all. You can do this using the SHA1 hash in System.Security.Cryptography: hash the password the user typed in and compare that with the value stored in the database.

You shouldn’t write your own crypto protocols, and you should also keep up to date, as the protocols you rely on go out of date.

If you fancy some interesting(!) reading, take a look at the Google Code Search tool to find places where people haven’t encrypted their connection strings. Sample search here

Sunday 21 June 2009

NDC 09

Over the last week I attended the Norwegian Developers Conference, which was held from the 17th to the 19th of June in the Telenor Arena in Oslo. There were a total of 7 different tracks covering such topics as legacy code maintenance, test driven development, web development and architecture.

The speaker line-up was fantastic, with noted industry experts like Scott Bellware, Ted Neward, Bob C. Martin, Scott Hanselman and Michele Leroux Bustamante. As it’s one of those few vendor-neutral conferences, it allows you to try different aspects of software design and get new ideas into your field.

It also allows better access to the speakers. Even though there were around one thousand delegates at the conference, you could still catch the speakers chatting to everyone and anyone during the day. I managed to get talking to Scott Bellware, Phil Haack, Peter Provost and Scott Hanselman, which led to some interesting discussions and also some fantastic insights into software development.

Bob C. Martin gave the keynote speech on software professionalism which, being very honest, made me think twice (if not many more times) about my own skill as a developer. His main focus was to instil a sense that we all need to up our game and strive to be truly professional by increasing our understanding of software development and increasing our skill.

Among the sessions I got to see were:

  • Phil’s sessions on MVC development which gave me many ideas on how to speed up my development
  • Michele’s sessions on Azure which was a whole day track and cleared up some issues I was having with Azure
  • Scott Bellware trying to scare me into using Ruby which was always going to be a tough sell to me but he did show me more in 60 minutes than many people who have tried before him
  • Scott Hanselman’s session on Astoria. I also learnt a lot of presentation techniques from watching how he gives demos and shows off complex subjects using edu-tainment
  • Udi Dahan’s talk on scalable web architecture
  • Ted Neward’s talks on WCF and extending Visual Studio using scripting languages
  • The very entertaining .NET Rocks! live which I really hope they don’t edit out.
  • And finally the Hanselman and Haack show, a truly enjoyable session for me as it was on security similar to the one I presented the week before (and in which I won a signed copy of Professional MVC 1.0 signed by Scott Hanselman, Phil and Scott Guthrie) though not the extended forehead edition


Scene from .NET Rocks! Live


Added to all this, was the speaker interaction with the delegates.

Getting to discuss software approaches with Scott Bellware (including reminiscing about hand-written coding exams in college) and heading to an impromptu dinner with Scott Hanselman and Phil Haack in Mama Africa’s in Oslo Sentrum. Guided by Scott’s seemingly random memory and his nose (the directions were quite funny) we found the restaurant, where I was amazed that he ordered in Ethiopian and then explained to a lot of us Ethiopian food virgins, which included two of my colleagues and some other folks we just picked up along the way, what we were about to eat and how to eat it. A very interesting experience I have to say, and one I quite enjoyed.

Myself and Phil Haack sizing up some Ethiopian food (the jersey that I am wearing now belongs to Phil after he won a game of last man standing with me!)


Thursday night was party night and we enjoyed some good food and music provided by Data Rock and Loveshack.

Overall it was an excellent conference. I can suggest a couple of things. One would be to have more power points, as there were very few and they would have been useful in the overflow areas.

The other one was in relation to the Azure track. It would have been nice if it had been lab-orientated, allowing people to work with the material, as it’s very hard to stay focussed when you are being given a lecture on code without being able to implement it.

Whether or not you are a Norwegian or Scandinavian based developer, you should catch this next year. Its line-up rivals TechEd and PDC and in some respects surpasses them.

Thanks to Anders Norås, Rune Grothaug and Kjersti Sandberg for a great conference and I am already looking forward to NDC10!

And finally, some photos from the events.

Data Rock get some love


Love Shack


NDC put your hands up!


Phil Haack and Scott Hanselman as the HaHaa brothers


Glenn Henriksen, Phil Haack, John St Clair, Sondre Bjellås & Børge Østrem 


Friday 12 June 2009

MS Press Training Kits errata and corrections updated

Well, here we go again with links that give the corrections to certain MS Press Training Kits. With the new 3.5 and SQL 2008 certification kits out, there are a few more additions to the list.

.NET Developer Exams

SQL Server Exams

Windows Exams

Exchange Exams

Other exams

If you go here and type in your exam number, you will probably find the corrections if they exist.


Security mistakes #10 Admin info

I will be doing a single post on each point, to allow people to understand what I was talking about at the NNUG Stavanger meeting.

So let’s start with issue #10, which was leaving admin info on the server.

This is not just about leaving passwords in plain text, but about leaving valuable clues that allow a person to penetrate your security and your web application. Examples of such information include trace info, debug info, descriptive error messages, unsecured admin tools and test pages that output sensitive information.

It is possible to use Google to find vulnerable web sites, and such information on web servers. Because Google lets you use certain search operators to refine your search, you can search for particular files on a site, for example.

Take, for example, a backup file of the site contents placed in a folder called backup that is browsable. A quick search of the site with Google could allow someone to find this and gain access to your source code, which would give them a lot of time to study it for security vulnerabilities.

intitle:index.of "parent directory" site:your site

Leaving the trace file enabled will also give away a lot of information.

So set trace to off or, at the very least, set the localOnly value to true.
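As an added example (not from the original posts), here is a web.config fragment covering both the unencrypted connection strings from the passwords post above and the trace, debug and error settings from this one. The section and attribute names are the real ASP.NET ones; "MainDb", "DBHOST", "/YourApp", "~/Error.aspx" and the PLACEHOLDER credentials are made up.

```xml
<!-- Added example, not from the original posts. Each comment names the weak
     value that the hardened setting below it replaces. -->
<configuration>
  <connectionStrings>
    <!-- Plain-text credentials here are exactly what Google Code Search turns
         up. Encrypt this section in place with the framework's own tool
         (run from the .NET Framework directory; "/YourApp" is the IIS
         application path):
           aspnet_regiis -pe "connectionStrings" -app "/YourApp"
         ASP.NET decrypts it transparently at runtime, so no code changes. -->
    <add name="MainDb"
         connectionString="Server=DBHOST;Database=MyDb;User Id=PLACEHOLDER;Password=PLACEHOLDER;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Weak: enabled="true" localOnly="false" makes trace.axd (request data,
         session state, server variables) readable by any remote visitor. -->
    <trace enabled="false" localOnly="true" />

    <!-- Weak: debug="true" ships debug symbols and richer stack traces. -->
    <compilation debug="false" />

    <!-- Weak: mode="Off" sends full exception text, including file paths and
         SQL, to remote callers. RemoteOnly keeps the detail on the server
         console and shows remote users only the generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```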

Thursday 11 June 2009

NNUG Stavanger presentation

Here is a copy of the presentation I gave last night at NNUG in Stavanger.

Sorry if I rushed a bit through the presentation. Feel free to drop me a line if you have any questions or queries.

Later I will look at doing a follow-up post on this.

Sunday 7 June 2009

Where can Microsoft certifications take you?


Certification helps IT professionals get jobs and keep them. Hiring managers have confirmed that certification sets job seekers apart and can be a key element in deciding which employees to promote. In today’s economy, it’s more important than ever to make sure your Microsoft certifications are up to date.

Watch this video to hear what real MCPs have to say about the impact certification has had on their careers.

Video link: http://www.microsoft.com/video/en/us/details/b5f53794-56aa-47e3-98d8-0d35b379060b

Want an arcade machine??

Scott Hanselman has a great series on how to build your own arcade machine. And not too expensive either!

Upcoming presentation at NNUG

On Wednesday 10-June-2009 I will be presenting at the NNUG Stavanger meeting.

My talk will be on defensive programming, i.e. security mistakes we shouldn’t make when building ASP.NET applications. It’s going to be quite basic and, for most people, a refresher on stuff they already know.

Also on the agenda, Connected Systems MVP Lars Wilhelmsen will be giving a presentation on Oslo, my colleague Glenn Henriksen on object simulation, and Fredrik Kalseth on digital paper prototyping.

Registration is free and you can register here.

Upgrade date booked

So I now have the date booked for my upgrade exam 70-567. So now I am mainly doing some revision as well as trying to remember where I had issues when I did the ASP.NET beta exam.

My main thing is to start looking again at the exam matrix and seeing what I need to brush up on, which for me is a bit of WCF, LINQ and AJAX. These are the major additions to ASP.NET from 2.0 to 3.5.

I went through Dino Esposito’s Programming ASP.NET 3.5 book again, after finding it explained most of the stuff I wasn’t too familiar with the first time round. Also, for this exam, I have been doing a lot of ASP.NET development as part of my day-to-day work and in my spare time for the Stavanger Rugby club site.

So the MCTS should be OK. The MCPD part will be based on past experience and general knowledge of what I do when x happens. Not very handy for those trying to do the same thing, I know, but I will do another blog post on that next week when I get more stuff squared away.

IT Galla 2009

ErgoGroup’s IT event for Stavanger is now over for another year and it was a roaring success.

I was managing TechnoLoft and talking to people about Silverlight, SharePoint, ASP.NET and other webby things. The great thing about IT Galla is that you get a chance to meet the experts in the loft, get a lot of free advice and see how someone else would do it. For the experts it’s good to meet a lot of new faces, show off our toys and generally get to be the “Expert”.

Along with my fellow Microsoft team mates Glenn Henriksen, Børge Østrem and Shamrez Iqbal, we showed off some of the technologies we are working on, as well as giving some people the chance to get hands-on with our Windows 7 installations.