Tech-Ed 2009 – Thursday

I woke up Thursday morning feeling pretty good, until I sneezed.

Unfortunately the sneeze triggered another back spasm, so by the time I got over to the conference centre, I was not feeling super-comfortable. I felt a little better as the day progressed but it meant I did end up having to stand for most of the sessions to avoid aggravating things even more.

Highlights

Discovering Michael Howard also has a "Mr Happy" T-shirt – just like the one I was wearing during his session.
Mitch has great clip-art in his presentations
Winning a token to the Mobile Smackdown by answering a question in the WCF talk (don't call WCF proxies in a 'using' block as the Close() method can raise exceptions)

Software Development Pitfalls with Mitch Denny

Reality – software development is hard
68% of projects still fail (2004)
Failure #1 - "Customers must understand all requirements"
Failure #2 - "Fixed price solutions"
Define the vision
Roles
SketchFlow
"It's about value, not frameworks"
Minimise waste
Villan #1 – Scope Creep
Villan #2 – Big "A" architect (doesn't have Visual Studio installed)
- Planning Poker
- Keep team stable
- Pick team members for how they relate to the rest of the team
- Resourcing not just about people
Villan #3 - "Pony-tail network admins"
- Developers are different
- Need a good PC
- Developers' Bill of Rights
- Rent servers by the hour

What's new in .NET 4 and VS 2010 with Adam Cogan

Visual Studio 2010

Add references improved performance (kind of)
Multi-line editing
Code navigation
Call hierarchy
SharePoint support

Optional parameters
Named parameters

Less requirements for line continuation character "_"

ASP.NET

SEO (Routing), RedirectPermanent
Live data-binding – two-way binding
MVC
Query extensions
Deployment

SDL with Michael Howard

SDL Goals:

Reduce vulnerabilities
Reduce severity of missed vulnerabilities
Identify primary security/privacy contact
Security training
Track security bugs

Strong signing and ACPTA
Secure Crypto
1. configurable algorithms (use a factory class)
2. Use standard libraries
3. Use appropriate algorithms
Firewall
Threat models
Support UAC
Granular feature control
Grant minimal privileges (drop privileges on service startup)
Use minimum code gen suite (eg. latest compiler)
Use /GS
Use Safe Exception Handling
MIDL
Use ASLR
Use DEP
Defect heap corruption
No writable PE segments
Don't use banned APIs
Encode long-lived pointers
Use FxCop
Use /analyze
Use SAL
Use /W4
Native code XML Parsers
XSS
Safe tags without attributes
Use ViewStateUserKey
Don't use JavaScript eval()
Safe redirects
SQL execute only
Use parameterised queries
Use stored procedures
Don't depend on NTLM
Don't swallow all exceptions (rethrowing is ok though)
Safe error messages
Fuzz testing
Application Verifier
Device drivers

Security for Developers with Michael Howard

How do I sell security to management?
- Sell privacy and reliability
#1 skill developer should have
- All data is evil unless proven otherwise
#1 skill testers should have
- fuzz testing
- !exploitable (WinDBG)
#1 skill designers/architects should have
- threat modelling
What does the bad guy control?
The Turkish "I" problem
Why should I not use RC4
Don't use ECB mode

WCF Scaling with Chris Hewitt

Instance management (PerCall)
Service throttling 3.5/4.0
Threading IIS6/7
Cache the channel factory and channel
Proxies can explode
- Use proxy wrapper
Don't really need wrapper for basicHttp binding as there are no sessions
Large data – stream mode
Binary encoding – even over HTTP
PerSession with durable services
SSL load balancing behaviour
"Dublin" – WAS extensions

Thursday night a whole stack of coaches drove all 2,500 delegates to Dreamworld. I'm not big on rides, but it was nice to have a look around, grab some tea, and catch up with Nigel, then bump into Jason and a couple of the guys from GraysOnline (Australia's biggest online retailer, which I'd never heard of until a few months ago).