Tech-Ed 2009 – Thursday
I woke up Thursday morning feeling pretty good, until I sneezed.
Unfortunately the sneeze triggered another back spasm, so by the time I got over to the conference centre, I was not feeling super-comfortable. I felt a little better as the day progressed but it meant I did end up having to stand for most of the sessions to avoid aggravating things even more.
Highlights
- Discovering Michael Howard also has a “Mr Happy” T-shirt – just like the one I was wearing during his session.
- Mitch has great clip-art in his presentations
- Winning a token to the Mobile Smackdown by answering a question in the WCF talk (don’t call WCF proxies in a ‘using’ block as the Close() method can raise exceptions)
Software Development Pitfalls with Mitch Denny
- Reality – software development is hard
- 68% of projects still fail (2004)
- Failure #1 - “Customers must understand all requirements”
- Failure #2 - “Fixed price solutions”
- Define the vision
- Roles
- SketchFlow
- “It’s about value, not frameworks”
- Minimise waste
- Villan #1 – Scope Creep
- Villan #2 – Big “A” architect (doesn’t have Visual Studio installed)
- Planning Poker
- Keep team stable
- Pick team members for how they relate to the rest of the team
- Resourcing not just about people
- Villan #3 - “Pony-tail network admins”
- Developers are different
- Need a good PC
- Developers’ Bill of Rights
- Rent servers by the hour
What’s new in .NET 4 and VS 2010 with Adam Cogan
Visual Studio 2010
- Add references improved performance (kind of)
- Multi-line editing
- Code navigation
- Call hierarchy
- SharePoint support
C#
- Optional parameters
- Named parameters
VB
- Less requirements for line continuation character ”_”
ASP.NET
- SEO (Routing), RedirectPermanent
- Live data-binding – two-way binding
- MVC
- Query extensions
- Deployment
SDL with Michael Howard
SDL Goals:
-
Reduce vulnerabilities
-
Reduce severity of missed vulnerabilities
-
Identify primary security/privacy contact
-
Security training
-
Track security bugs
- Strong signing and ACPTA
- Secure Crypto
- configurable algorithms (use a factory class)
- Use standard libraries
- Use appropriate algorithms
- Firewall
- Threat models
- Support UAC
- Granular feature control
- Grant minimal privileges (drop privileges on service startup)
- Use minimum code gen suite (eg. latest compiler)
- Use /GS
- Use Safe Exception Handling
- MIDL
- Use ASLR
- Use DEP
- Defect heap corruption
- No writable PE segments
- Don’t use banned APIs
- Encode long-lived pointers
- Use FxCop
- Use /analyze
- Use SAL
- Use /W4
- Native code XML Parsers
- XSS
- Safe tags without attributes
- Use ViewStateUserKey
- Don’t use JavaScript eval()
- Safe redirects
- SQL execute only
- Use parameterised queries
- Use stored procedures
- Don’t depend on NTLM
- Don’t swallow all exceptions (rethrowing is ok though)
- Safe error messages
- Fuzz testing
- Application Verifier
- Device drivers
Security for Developers with Michael Howard
- How do I sell security to management?
- Sell privacy and reliability
- #1 skill developer should have
- All data is evil unless proven otherwise
- #1 skill testers should have
- fuzz testing
- !exploitable (WinDBG)
- #1 skill designers/architects should have
- threat modelling
- What does the bad guy control?
- The Turkish “I” problem
- Why should I not use RC4
- Don’t use ECB mode
WCF Scaling with Chris Hewitt
- Instance management (PerCall)
- Service throttling 3.5/4.0
- Threading IIS6/7
- Cache the channel factory and channel
- Proxies can explode
- Use proxy wrapper
- Don’t really need wrapper for basicHttp binding as there are no sessions
- Large data – stream mode
- Binary encoding – even over HTTP
- PerSession with durable services
- SSL load balancing behaviour
- “Dublin” – WAS extensions
Thursday night a whole stack of coaches drove all 2,500 delegates to Dreamworld. I’m not big on rides, but it was nice to have a look around, grab some tea, and catch up with Nigel, then bump into Jason and a couple of the guys from GraysOnline (Australia’s biggest online retailer, which I’d never heard of until a few months ago).