Sunday, 13 September 2009

Tech-Ed 2009 – Thursday

I woke up Thursday morning feeling pretty good, until I sneezed.

Unfortunately the sneeze triggered another back spasm, so by the time I got over to the conference centre, I was not feeling super-comfortable. I felt a little better as the day progressed but it meant I did end up having to stand for most of the sessions to avoid aggravating things even more.

Highlights

  • Discovering Michael Howard also has a "Mr Happy" T-shirt – just like the one I was wearing during his session.
  • Mitch has great clip-art in his presentations
  • Winning a token to the Mobile Smackdown by answering a question in the WCF talk (don't call WCF proxies in a 'using' block as the Close() method can raise exceptions)

Software Development Pitfalls with Mitch Denny

  • Reality – software development is hard
  • 68% of projects still fail (2004)
  • Failure #1 - "Customers must understand all requirements"
  • Failure #2 - "Fixed price solutions"
  • Define the vision
  • Roles
  • SketchFlow
  • "It's about value, not frameworks"
  • Minimise waste
  • Villain #1 – Scope Creep
  • Villain #2 – Big "A" architect (doesn't have Visual Studio installed)
    • Planning Poker
    • Keep team stable
    • Pick team members for how they relate to the rest of the team
    • Resourcing not just about people
  • Villain #3 - "Pony-tail network admins"
    • Developers are different
    • Need a good PC
    • Developers' Bill of Rights
    • Rent servers by the hour

What's new in .NET 4 and VS 2010 with Adam Cogan

Visual Studio 2010

  • Add references improved performance (kind of)
  • Multi-line editing
  • Code navigation
  • Call hierarchy
  • SharePoint support

C#

  • Optional parameters
  • Named parameters

VB

  • Fewer requirements for the line continuation character "_"

ASP.NET

  • SEO (Routing), RedirectPermanent
  • Live data-binding – two-way binding
  • MVC
  • Query extensions
  • Deployment

SDL with Michael Howard

SDL Goals:

  • Reduce vulnerabilities
  • Reduce severity of missed vulnerabilities

  • Identify primary security/privacy contact
  • Security training
  • Track security bugs
  1. Strong signing and ACPTA
  2. Secure Crypto
    1. configurable algorithms (use a factory class)
    2. Use standard libraries
    3. Use appropriate algorithms
  3. Firewall
  4. Threat models
  5. Support UAC
  6. Granular feature control
  7. Grant minimal privileges (drop privileges on service startup)
  7. Use minimum code gen suite (e.g. latest compiler)
  9. Use /GS
  10. Use Safe Exception Handling
  11. MIDL
  12. Use ASLR
  13. Use DEP
  14. Detect heap corruption
  15. No writable PE segments
  16. Don't use banned APIs
  17. Encode long-lived pointers
  18. Use FxCop
  19. Use /analyze
  20. Use SAL
  21. Use /W4
  22. Native code XML Parsers
  23. XSS
  24. Safe tags without attributes
  25. Use ViewStateUserKey
  26. Don't use JavaScript eval()
  27. Safe redirects
  28. SQL execute only
  29. Use parameterised queries
  30. Use stored procedures
  31. Don't depend on NTLM
  32. Don't swallow all exceptions (rethrowing is ok though)
  33. Safe error messages
  34. Fuzz testing
  35. Application Verifier
  36. Device drivers

Security for Developers with Michael Howard

  • How do I sell security to management?
    • Sell privacy and reliability
  • #1 skill developer should have
    • All data is evil unless proven otherwise
  • #1 skill testers should have
    • fuzz testing
    • !exploitable (WinDBG)
  • #1 skill designers/architects should have
    • threat modelling
  • What does the bad guy control?
  • The Turkish "I" problem
  • Why should I not use RC4
  • Don't use ECB mode

WCF Scaling with Chris Hewitt

  • Instance management (PerCall)
  • Service throttling 3.5/4.0
  • Threading IIS6/7
  • Cache the channel factory and channel
  • Proxies can explode
    • Use proxy wrapper
  • Don't really need wrapper for basicHttp binding as there are no sessions
  • Large data – stream mode
  • Binary encoding – even over HTTP
  • PerSession with durable services
  • SSL load balancing behaviour
  • "Dublin" – WAS extensions
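The proxy point from the WCF talk (the "don't call WCF proxies in a 'using' block" highlight and the "proxies can explode / use proxy wrapper" bullets) as an added C# example; this is my illustration, not code from the post or the talk, and IGreeter is a hypothetical contract:

```csharp
// Added example: why a WCF proxy must not be disposed in a plain 'using'
// block, and a wrapper that closes it safely. IGreeter is hypothetical.
using System;
using System.ServiceModel;

[ServiceContract]
public interface IGreeter
{
    [OperationContract]
    string Greet(string name);
}

public static class GreeterClient
{
    // Cache the channel factory (as the talk recommends); creating one per
    // call is expensive. Endpoint name is a placeholder from app.config.
    private static readonly ChannelFactory<IGreeter> Factory =
        new ChannelFactory<IGreeter>("GreeterEndpoint");

    // Broken: Dispose() on a WCF proxy calls Close(), which itself can throw
    // CommunicationException or TimeoutException when the channel is faulted.
    // That hides the original exception from Greet() and the channel is never
    // aborted, so the underlying connection is leaked.
    public static string GreetWithUsing(string name)
    {
        using (var proxy = (IDisposable)Factory.CreateChannel())
        {
            return ((IGreeter)proxy).Greet(name);
        }
    }

    // Safe wrapper: Close() only on the happy path, Abort() whenever the call
    // or the Close() fails, then rethrow with 'throw;' to keep the stack trace.
    // (For basicHttpBinding there is no session to tear down, so the wrapper
    // matters less, but it is still harmless.)
    public static string GreetSafely(string name)
    {
        IGreeter proxy = Factory.CreateChannel();
        var channel = (ICommunicationObject)proxy;
        try
        {
            string result = proxy.Greet(name);
            channel.Close();          // may throw if the channel is faulted
            return result;
        }
        catch (CommunicationException) { channel.Abort(); throw; }
        catch (TimeoutException)       { channel.Abort(); throw; }
        catch (Exception)              { channel.Abort(); throw; }
    }
}
```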

Thursday night a whole stack of coaches drove all 2,500 delegates to Dreamworld. I'm not big on rides, but it was nice to have a look around, grab some tea, and catch up with Nigel, then bump into Jason and a couple of the guys from GraysOnline (Australia's biggest online retailer, which I'd never heard of until a few months ago).
