ASP.NET
The September 2007 update for SQL Server 2005’s Books Online (BOL) is finally available for download. The update has been available online since, well, September but this time it took the UE group forever to make the download available. Because of “technical issues,” whatever they might be.
Anyway, go grab it*. An updated BOL is one of your more valuable SQL Server resources.
* No guarantees the link will work forever, or even for very long. But Google always knows.
Update: BOL is now part of Microsoft Update! How long has that been? Forever, and I just noticed it? Either way, cool!
Microsoft has just announced that PDC (Professional Developers Conference) will be back 27–30 October 2008 in Los Angeles. That’s good.
But it will be interesting to see how they uniquely position PDC versus TechEd*, now that TechEd has been separated into separate developer and IT weeks in Orlando.
* Interesting link for TechEd: http://www.microsoft.com/events/teched2007/default.mspx. The link says 2007, but at the moment it is about TechEd 2008.
I attended a lot of sessions at DevTeach in Vancouver last week. It’s one of my favorite conferences because it is relatively small and therefore intimate, yet it attracts some amazing speakers, including some fine speakers from Microsoft.
Unlike some conferences, all speakers deliver their sessions from their own laptops instead of from a desktop machine provided by the conference. Not surprisingly, most speakers are running Vista since it is Microsoft’s latest and greatest client OS.
But it struck me how many problems speakers were having with Vista. I’m not sure I attended a single session where some problem didn’t arise (but maybe I’ve blanked the good experiences out of my memory). One speaker couldn’t get the projector to work with Vista without technical help from the A/V support staff, then the magnifier was so small as to be worthless, making it hard to see important stuff. Many machines were slowed to a crawl, presumably from the combined performance drain of PowerPoint and Vista’s Aero interface, not to mention Visual Studio or SQL Server Management Studio.
The carnage was impressive. It seems that Vista pushes the limits of laptop technology. Apparently the OS demands not only a new laptop but a top of the line version of the laptop with all the processor and memory you can throw at it.
And me? No problems at all. I had one issue with Diskeeper kicking in during a session, but I shut that off and the problem was over. PowerPoint, Visual Studio, and whatever else I had to run, no problem.
I’m running Windows XP. I think I’ll stick with it for a while longer, maybe even after I replace my three-year-old laptop. Sorry, Microsoft!
DevTeach is one of the very fun conferences I speak at regularly, based in Canada. It is small, intimate, attracts some great speakers, and has support from Microsoft. There have long been plenty of good reasons to attend, as indicated by its motto, “training you just can’t get any other way.”
But now there is another reason: Beer! I’m blown away, but during the afternoon break they set out beer. And none of the 3% stuff either, this is 5%.
So it should be an interesting afternoon of sessions. Thank heavens I did my only session today right after lunch and before the alcohol flowed! Beer and SQL Server encryption just don’t mix.
Now, if I only liked beer…. Oh well.
I recently did a session about debugging ASP.NET applications at the Victoria .NET Developers Association in Victoria, B.C. It was a fun meeting, and as an Alaskan from Fairbanks I always feel a special bond with my Canadian peers down south!
I also had the opportunity to meet Ken Cox, who I’ve long known through Visual Studio Magazine but had never met. He and I have written the majority of the First Looks reviews in the magazine for years. I’ve always thought that he got the coolest products to review, and now I know that he has thought the same thing about me!
Ken asked an interesting question during the session, one that I had never explored. I was showing the DebuggerTypeProxyAttribute attribute, which lets you substitute an entirely different class for display in Visual Studio 2005’s Locals window (as well as other debugging windows where object variables are displayed). It’s a cool way to simplify the display of complex objects for debugging, although it can easily be abused to make debugging harder.
He asked whether the proxy class—used as the substitute display object—is compiled into the release build of the assembly. I didn’t know, but promised to find out.
Turns out that the proxy class is indeed included in the release build. Which, now that I know the answer, makes sense. There really isn’t anything special about the proxy class, and it is conceivable that it could be used for other purposes in the application. In the example I showed, the proxy class was nested inside the class it substitutes for in the debug windows, but that isn’t a requirement; it is usually more convenient though.
For the compiler to exclude the class from the assembly, it would have to look at the DebuggerTypeProxy attribute and remove the code before compiling. But that raises all sorts of dependency issues that I’d rather not rely on the compiler to handle. Instead, a developer can use conditional compilation directives (#if DEBUG … #endif) to remove the code when it isn’t needed in the release build. Note that the attribute usage on the target class has to be excluded along with the proxy class, or the release build won’t compile because the typeof() argument no longer exists. That is worth doing whenever the proxy decodes or pretty-prints state you would rather not ship, since everything in the proxy is ordinary code that anyone with the release assembly can call.
A tip of the anorak to Ken for a great question!
At SQL PASS this year, I did a session about Common Table Expressions in SQL Server 2005. I had endeavored to come up with an extremely simple recursive CTE, but wasn’t creative enough at the time.
But I revisited the problem in preparation for an updated CTE session at DevConnections this week, and came up with this:
WITH SimpleCTE (Number) AS
(
    SELECT 1
    UNION ALL
    SELECT * FROM SimpleCTE WHERE 0 = 1
)
SELECT * FROM SimpleCTE
No guarantees that I couldn’t get it even simpler, but this is probably what I’ll show this week. There may be another option for the SELECT * part of the CTE, but I’m not seeing it right now.
BUT! Obviously, this is the result of a thought experiment, and is not practical for anything else I can think of. Don’t take this as any kind of recommended practice!
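The shape of SimpleCTE (an anchor member, UNION ALL, and a recursive member that refers back to the CTE) is the same shape every useful recursive CTE has; the only difference is that the recursive member normally produces rows until the data runs out. The following is an added example, not code from the original post, that applies the same pattern to a constructed reporting hierarchy in a table variable. The table, column and person names are invented for the example; it runs as-is in a SQL Server 2005 query window.

```sql
-- Added example (not from the post): a recursive CTE over a constructed org chart.
-- Same anchor + UNION ALL + recursive-member shape as SimpleCTE, but the
-- recursive member actually finds rows on each pass.
DECLARE @Staff TABLE (
    StaffId   int          NOT NULL PRIMARY KEY,
    Name      nvarchar(40) NOT NULL,
    ManagerId int          NULL           -- NULL marks the top of the tree
);

-- Constructed sample data (one INSERT per row keeps this SQL Server 2005 compatible)
INSERT INTO @Staff (StaffId, Name, ManagerId) VALUES (1, N'Ada',    NULL);
INSERT INTO @Staff (StaffId, Name, ManagerId) VALUES (2, N'Grace',  1);
INSERT INTO @Staff (StaffId, Name, ManagerId) VALUES (3, N'Linus',  1);
INSERT INTO @Staff (StaffId, Name, ManagerId) VALUES (4, N'Ken',    2);
INSERT INTO @Staff (StaffId, Name, ManagerId) VALUES (5, N'Dennis', 2);

WITH OrgTree (StaffId, Name, ManagerId, Depth, Path) AS
(
    -- Anchor member: the root(s) of the tree
    SELECT StaffId, Name, ManagerId, 0,
           CAST(Name AS nvarchar(400))
    FROM @Staff
    WHERE ManagerId IS NULL

    UNION ALL

    -- Recursive member: each pass joins the rows produced by the previous pass
    -- to their direct reports. Column types must match the anchor exactly,
    -- hence the explicit CAST on Path.
    SELECT s.StaffId, s.Name, s.ManagerId, t.Depth + 1,
           CAST(t.Path + N' > ' + s.Name AS nvarchar(400))
    FROM @Staff AS s
    INNER JOIN OrgTree AS t ON s.ManagerId = t.StaffId
)
SELECT StaffId, Name, Depth, Path
FROM OrgTree
ORDER BY Path
OPTION (MAXRECURSION 50);   -- hard stop on runaway recursion; the default is 100
```

The MAXRECURSION hint is the part worth remembering: a cycle in the data (a manager who reports to one of their own reports) makes the recursive member produce rows forever, and the hint turns that into an error instead of a query that never finishes. Setting it to 0 removes the guard entirely, which is a bad idea on any table that users can write to.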
Wow. I just joined the World Wide Web Consortium’s HTML 5 Working Group as an “Invited Expert.” I had no idea that mere mortals could partake, particularly without being a member of a W3C member organization.
Should be interesting, but I have no idea what I’m in for. All I know so far is that all of a sudden far more emails are making their way through my inbox.
You can see the current state of the spec here. Definitely a work in progress, one that won’t be finished for a couple of years.
I just found out that I’ll be doing a full day, post-conference session on SQL Server 2005 security at SQL Server Magazine Connections at DevConnections in Las Vegas this November.
I’m excited beyond words! I’ve wanted to do this for a long time, and we’re going to geek out on keeping data safe from villains.
Here’s the draft description:
There are few corporate assets as valuable in the information age as data. Enterprises spend billions to collect and generate it, slice and dice it in every conceivable way to mine marketplace intelligence from it, and replicate and back it up using elaborate, redundant schemes. Yet it is all too common to slack on security. Sure, SQL Server 2005 is designed to be "secure by default," but once you add databases and start letting users and their applications access the server you have already poked holes in the security. SQL Server comes with plenty of features that let you secure data, but it can be hard to get a handle on the right ones to use in your environment. During this day of security, we'll explore myriad security features in SQL Server 2005, including granular permissions and how to design an effective authorization system, owners and schemas, and how they can help secure a database, the security issues and dangers with running SQL-CLR code, how to run T-SQL code in different security contexts, the comprehensive encryption features that can protect data, creating and enforcing password policies, how SQL Server protects catalog views and secures metadata, protecting against SQL injection attacks on the server, and more. You'll see lots of code and get lots of practical ideas for how to secure your database. Prerequisites: You'll need to have a good understanding of the basic database features and functions of SQL Server for this workshop, and it helps to have butted heads with SQL Server a time or two trying to get something to work without completely disabling security.
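Two of the topics in that description, running T-SQL in a different security context and stopping SQL injection on the server, meet in one very common piece of code: a stored procedure that builds dynamic SQL. The following is an added example, not code from the workshop, showing the vulnerable and hardened versions side by side. It assumes a scratch database you own; the schema, table, user and procedure names are invented for the example.

```sql
-- Added example (not from the workshop). Assumes you are db_owner of a scratch database.
CREATE SCHEMA Sales;
GO
CREATE TABLE Sales.Orders (OrderId int PRIMARY KEY, Customer nvarchar(40) NOT NULL, Total money NOT NULL);
INSERT INTO Sales.Orders (OrderId, Customer, Total) VALUES (1, N'Acme',   100.00);
INSERT INTO Sales.Orders (OrderId, Customer, Total) VALUES (2, N'Globex', 250.00);

-- A login-less user (new in 2005) stands in for the application's identity.
-- It gets no permission on Sales.Orders at all, only on the procedures below.
CREATE USER AppUser WITHOUT LOGIN;
GO

-- Vulnerable version: the value is spliced into the statement text, so it can
-- rewrite the statement. Dynamic SQL also breaks the ownership chain, which is
-- why EXECUTE AS OWNER is needed for AppUser to reach the table at all.
CREATE PROCEDURE Sales.FindOrders_Unsafe @Customer nvarchar(40)
WITH EXECUTE AS OWNER
AS
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT OrderId, Customer, Total FROM Sales.Orders WHERE Customer = '''
             + @Customer + N'''';
    EXEC (@sql);
GO

-- Hardened version: the value travels as a parameter of sp_executesql, so it
-- is always data and never statement text. The procedure still runs as the
-- schema owner (dbo), so the caller needs only EXECUTE on the procedure.
CREATE PROCEDURE Sales.FindOrders @Customer nvarchar(40)
WITH EXECUTE AS OWNER
AS
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT OrderId, Customer, Total FROM Sales.Orders WHERE Customer = @c';
    EXEC sp_executesql @sql, N'@c nvarchar(40)', @c = @Customer;
GO

GRANT EXECUTE ON Sales.FindOrders_Unsafe TO AppUser;
GRANT EXECUTE ON Sales.FindOrders        TO AppUser;

-- Switch the session to the application's context and try both.
EXECUTE AS USER = 'AppUser';
    SELECT USER_NAME() AS RunningAs;                 -- AppUser
    -- SELECT * FROM Sales.Orders;                   -- denied: no direct table access
    EXEC Sales.FindOrders_Unsafe N''' OR 1=1 --';    -- returns BOTH rows: injected
    EXEC Sales.FindOrders        N''' OR 1=1 --';    -- returns nothing: literal name
    EXEC Sales.FindOrders        N'Acme';            -- returns order 1
REVERT;

-- Cleanup
DROP PROCEDURE Sales.FindOrders_Unsafe;
DROP PROCEDURE Sales.FindOrders;
DROP USER AppUser;
DROP TABLE Sales.Orders;
DROP SCHEMA Sales;
```

The payload makes the unsafe procedure run `WHERE Customer = '' OR 1=1 --'`, and because the procedure executes as the schema owner, the injected statement runs with the owner's rights, not the caller's. That is the trade-off of EXECUTE AS: it lets you grant the caller nothing but EXECUTE, which is exactly what you want, and it also means every bug in the procedure runs with elevated privileges, which is why the dynamic SQL inside must be parameterized.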
I’ll post more later as I develop the outline and contents.
OWASP, the Open Web Application Security Project, has finally released its updated list of Top 10 critical Web application security flaws. If you do Web development, I rather strongly suggest that you be familiar with all the vulnerabilities on the list and how to avoid them. If you take care of all 10, you’ll have a reasonably secure site. It won’t be totally secure because new attacks appear every week, and security takes vigilance.
Practice safe computing!
I’m in Montreal this week for DevTeach, a user group-oriented developer and SQL conference that is one of my two favorite conferences. Montreal is a great city (particularly for the stomach!) and they do a great job with the conference.
Yesterday were the pre-cons, covering .NET 3.0, VB.NET, and SQL. I sat in on part of Kevin McNeish’s .NET 3.0 session and learned lots of great information about Windows Workflow. It’s great how that technology has matured into something amazingly powerful.
The Tuesday morning keynote has started. Jean-Rene has announced that DevTeach is hitting the road. The next stop will be Vancouver 26-30 November, and will include both DevTeach and SQLTeach. I hope to be there; that should be a great time to be in Vancouver!
The main keynote event is Pablo Castro, Microsoft’s ADO.NET wunderkind. Julie Lerman’s excitement about the keynote was justified (causing her to miss the Vermont .NET User Group meeting for the first time ever to get here in time). Pablo talked about the current thinking at Microsoft about the Microsoft Data Platform. On the surface, this is the same sort of thing they’ve been talking about since the introduction of ADO, but baby, it’s come a long way since then!
The Microsoft Data Platform:
- Provides a uniform way of describing business data
- Gives each app an appropriate view of the data
- Enables the creation of services, from reporting to synchronization to integration
- Applications and services use the same data model
A key part of the platform is the Entity Framework and the Entity Data Model, which is coming of age. I’m blown away by the possibilities of what this all means for application infrastructure. But what I didn’t know until today—apparently it was announced a couple of weeks ago—is that all this will not ship with Orcas. Instead pieces and parts will RTM at various times in 2008. That sucks, but so be it.
Well, it's about time! John Robbins of Wintellect is the debugging alpha geek, and the new edition of his seminal Windows debugging book is finally out: Debugging Microsoft .NET 2.0 Applications. This is sort of the second edition of his earlier Debugging Applications for Microsoft .NET and Microsoft Windows. But the new book focuses on .NET debugging, leaving the unmanaged code debugging for another book.
I just can’t say enough about how great this book is. I was an unpaid technical reviewer, and I learned a ton of new stuff with each new chapter that arrived in my inbox. Let me tell you, if you think that debugging .NET apps means stepping through the code and using the watch window with visualizers, you’re not even scratching the surface of the tools and techniques available. He includes megabytes of code, including some very nice tools that enhance your ability to squash bugs.
The best part of the book is that John has a lot of experience debugging Windows applications, and he included a lot of sage wisdom in the book. He teaches courses in debugging for Wintellect and does their debugging consulting, so he has plenty of real-world experience. He cut his teeth at NuMega developing debugging tools, so he knows the tools. And he’s a genuinely nice guy (who even lived in Alaska for a while).
Here’s the blurb I wrote about the book:
John is the master code pest exterminator, and this book is one of the few that every .NET developer must have on the bookshelf! It's an intense read, but the book covers debugging from the most superficial step-through techniques in Visual Studio through the most gnarly low-level .NET-Windows interaction bug. Best of all, the book is filled with the sage wisdom that John has developed over his many years of helping developers find and eradicate the worst, most pernicious, bugs.
Highly recommended. I would be afraid to code .NET without this book at my side.
Google has launched a Code Search tool, designed to make it easier to find snippets of code. The service looks interesting. I’m working on a project with the installation APIs in .NET 2.0, and tried to find an example of using the ManagedInstallerClass (despite the fact that the documentation says that it’s for internal use only). This was my search:
lang:"c#" ManagedInstallerClass
It found two hits, one of which showed me an interesting way to use it.
I tried to find the same thing in VB, but initially couldn’t find the magic way to indicate the language. lang:VB? lang:“VB.NET”? lang:“Visual Basic”? Another variation? Fortunately, the Advanced Search link provides a combo box with a complete list of languages. “Basic” it is. No samples for ManagedInstallerClass though, alas.
There’s a good spread of languages, certainly all the ones I’m interested in, including SQL.
There are lots of flexible options for searching, including regex. Options include searching by language as I did above, specific files or directories, specific packages, and code license types.
The only thing I don’t like so far is that there doesn’t seem to be an easy way to get context information of the page where the code is coming from. Most of the code I looked at was in some kind of archive file, with no link to the Web page that might give information about the code. Often you can figure it out from the link, but not always.
Give it a try. It seems to be a nice, targeted way to find useful code. The FAQ ‘splains it all. It’s still a Google Labs project, so I assume that means it will evolve quickly.
It has been a great summer that I’ve mostly stayed home, but it’s time to hit the road. Next week I’ll be visiting three INETA user groups to talk about security. At the Inland Empire .NET User’s Group in southern California and Little Rock .NET User Group in Arkansas I’ll be talking about SQL Server 2005 security from a developer’s perspective. At the Dallas .NET User Group in Texas I’ll be talking about least privilege development and showing off Aaron Margosis’ LUA Buglight and other tools. In Dallas, Ron Jacobs from Microsoft’s Patterns & Practices Group will be speaking as well during an extended meeting.
If you’re in any of these areas those evenings, come join us! Details are on the groups’ Web sites.
It was a sad occasion, but Melinda and Bill Gates were here in Fairbanks, Alaska today. I couldn’t mention it before, but they came up for the memorial service this afternoon for Susan Butcher at the Davis Concert Hall at the University of Alaska Fairbanks.
The Gates have been friends with Susan and David for years, ever since the Gates came up for a dog mushing trip as part of their honeymoon. I was really impressed with Melinda, who gave one of several short reflections about her friendship with Susan and David. She told some nice, warm stories, and is an excellent speaker. Melinda apparently spent a lot of time with Susan when she was being treated at a hospital in Seattle, apparently more than anyone except for Susan’s husband David.
It was an impressive memorial, with a variety of dignitaries, including Alaskan politicians, George Lucas (another friend of the family), and many from the Fairbanks and mushing communities. It is amazing how many lives Susan touched, right through her losing battle with leukemia. It’s nice that people came from so far to pay their respects.
This is a bit commercial, but it is such a great deal on a wonderful resource that I wanted to get the word out.
I do some work with Grantstation.com, a wonderful portal for anyone who writes grants. They are having an incredible special for just eight hours tomorrow, Wednesday, 19 July. If you work with any non-profit agencies, this is a great special. A year of Grantstation for less than one sixth the regular price.
Here is the announcement:
Due to the overwhelming popularity of the GrantStation event we held this past February, TechSoup Stock and GrantStation are pleased to make a very special GrantStation offer available to the nonprofit community. http://www.techsoup.org/stock/grantstation.html
For only eight hours on July 19th, from 8 a.m. to 4 p.m. Pacific Time, specially discounted one-year GrantStation Memberships will be available to eligible nonprofits for only $90. After the special offer ends, our usual administration fee of $499 will apply. The regular retail price is $599. We are only able to offer this special promotion for a limited time due to the substantial discount involved.
GrantStation Membership includes instant access to a searchable database of thousands of pre-screened foundation and corporate grantmakers that are actively accepting proposals from nonprofits. This database provides you with more than 160 areas of interest to help narrow your search and keep your research time to a minimum. GrantStation also lists the latest federal grant announcements as well as access to state agencies offering grants in all 50 states. GrantStation also offers a section dedicated to international grantmakers to help you find grantmakers based in other countries.
Besides helping you identify the most appropriate grantmaker(s) for your program or project, GrantStation also provides comprehensive tutorials for building a successful grant seeking program and powerful grant requests. You will also receive their informative weekly bulletin, the GrantStation Insider.
Visit TechSoup and place your order on July 19 (8 am – 4 pm Pacific Time)!
Learn more about this special offer and GrantStation PRO: http://www.techsoup.org/stock/grantstation.html
ELIGIBILITY: U.S. 501(c)(3) nonprofits and Canadian Registered Charities
asp.netPRO has posted my July Secure ASP.NET column, Security via <machinekey> in ASP.NET 2.0. It’s an exploration of how ASP.NET uses the options in <machineKey> to affect encryption.
Since writing the column I’ve learned about some subtle issues, so I’ll probably write about those next month.
The Anti-Phishing Working Group has a nice site with information about phishing. Lots of statistics and information about the threats, an archive of phishing attacks, ways to report it, and lots of resources.
I wonder if InfoCard will help? Time may tell….
For a few years I’ve been doing a periodic column for Informant Communications and their asp.netNOW e-newsletter. It has been published at various frequencies over the years, but currently it is monthly. I started writing a Troubleshooting ASP.NET column, which morphed into Secure ASP.NET a couple of years ago. Sometime I’ll have to put together a list of the troubleshooting columns, although they are all old enough to only apply to ASP.NET 1.x.
Here is as complete a list of the ASP.NET security topics, in reverse chronological order:
2006
2005
2004
Wow. Here’s a report that Microsoft is dropping PowerPoint from Office.
What a great way to make the world a better place!
I’m taking the year off from speaking at most conferences, but I just couldn’t pass up the chance to head to the French Riviera and SQL Connections there this April. As usual, all the conferences—SQL, ASP.NET, Visual Studio, and Exchange Connections—have an incredible group of speakers.
I’ll be doing these sessions at SQL Connections, all covering SQL Server 2005:
Defence in Depth: Encrypting Data
Despite all of the security features built into past versions of SQL Server, sometimes they just aren't enough. Far too often creative attackers are able to get around normal protections even when the database is isolated from the Internet. SQL Server 2005 now natively supports data encryption on the server using a variety of algorithms and techniques. Best of all, it can manage the keys for you, removing the biggest problem and hassle of using encryption. This session will explore the encryption options in SQL Server, how they protect against specific types of attacks, encryption support in objects and T-SQL, common pitfalls that cause encryption to only provide an illusion of security, and whether encryption is the right tool to use.
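The "manage the keys for you" part of that description is the SQL Server 2005 key hierarchy: a database master key protects a certificate, the certificate protects a symmetric key, and the symmetric key does the actual data encryption. The following is an added example, not code from the session, that builds that chain and then shows two of the pitfalls the description alludes to: skipping the authenticator, and casting decrypted data to the wrong type. It assumes a scratch database you own; the key, certificate and table names and the password are invented for the example.

```sql
-- Added example (not from the session). Assumes a scratch database you own.
-- 1. Key hierarchy: DMK (password) -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Tr@in1ng-0nly-Passw0rd';  -- placeholder password
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number protection';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256                 -- use TRIPLE_DES if the host is Windows XP
    ENCRYPTION BY CERTIFICATE CardCert;      -- server manages the key material

CREATE TABLE dbo.Card (
    CardId     int IDENTITY(1,1) PRIMARY KEY,
    CustomerId int            NOT NULL,
    CardNumber varbinary(256) NOT NULL       -- ciphertext, not the nvarchar you started with
);

-- 2. Encrypt. The key must be open in this session; OPEN needs rights on the
--    certificate, and anyone holding those rights is one SELECT from plaintext.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

-- The 4th argument is an authenticator: it binds the ciphertext to its row so
-- a ciphertext copied from another row will not decrypt. (Constructed test numbers.)
INSERT INTO dbo.Card (CustomerId, CardNumber)
SELECT 1, EncryptByKey(Key_GUID('CardKey'), N'4111111111111111', 1, CONVERT(sysname, 1));
INSERT INTO dbo.Card (CustomerId, CardNumber)
SELECT 2, EncryptByKey(Key_GUID('CardKey'), N'5500000000000004', 1, CONVERT(sysname, 2));

-- 3. Decrypt. DecryptByKey returns varbinary; convert to the SAME type that was
--    encrypted (nvarchar here). Converting to varchar yields unreadable output,
--    and it fails silently: no error, just garbage.
SELECT CardId, CustomerId,
       CONVERT(nvarchar(20), DecryptByKey(CardNumber, 1, CONVERT(sysname, CustomerId))) AS CardNumber
FROM dbo.Card;

-- 4. Substitution attack: swap the two ciphertexts, something an attacker who
--    can UPDATE the table but cannot open the key could do.
DECLARE @c1 varbinary(256), @c2 varbinary(256);
SELECT @c1 = CardNumber FROM dbo.Card WHERE CustomerId = 1;
SELECT @c2 = CardNumber FROM dbo.Card WHERE CustomerId = 2;
UPDATE dbo.Card SET CardNumber = @c2 WHERE CustomerId = 1;
UPDATE dbo.Card SET CardNumber = @c1 WHERE CustomerId = 2;

-- Because the authenticator no longer matches the row, both decrypt to NULL
-- instead of to a valid-looking number that belongs to the other customer.
SELECT CardId, CustomerId,
       CONVERT(nvarchar(20), DecryptByKey(CardNumber, 1, CONVERT(sysname, CustomerId))) AS CardNumber
FROM dbo.Card;

-- 5. Cleanup. Note DecryptByKey also returns NULL when the key is simply not
--    open, so a NULL means "could not decrypt", not specifically "tampered".
CLOSE SYMMETRIC KEY CardKey;
DROP TABLE dbo.Card;
DROP SYMMETRIC KEY CardKey;
DROP CERTIFICATE CardCert;
DROP MASTER KEY;
```

The point of the last two steps is the "illusion of security" the session description warns about: without an authenticator, encrypted values are still interchangeable between rows, and without the right conversion a decrypted value looks broken even though decryption succeeded. Neither problem produces an error, so both have to be tested for deliberately.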
Querying and Updating the XML Data Type
With XML as a native data type in SQL Server 2005, you are now faced with two query engines and syntaxes, good old SQL and the new kid, XQuery. It can be daunting to create queries that mix the two engines and it can be hazardous to your performance. This session will explore the XML-specific T-SQL functions you can use with the XML type, how to mix and match the syntaxes effectively, and how to build common queries that extract and modify data at a minimum of two levels: relational data and embedded XML.
Security in the CLR World Inside SQL Server
One of the major benefits of writing .NET code to run in the Common Language Runtime in any environment is its code access security (CAS). CAS provides a code-based - rather than user-based - authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005's own, greatly enhanced security features? By default your .NET code is reasonably secure, but it is all too easy for the two security schemes to butt heads and cause you grief. During this session we'll briefly look at the concept behind CAS, then explore how to make it work for you instead of against you as you take advantage of these advanced programming features in SQL Server.
SQL Server 2005 Security for Developers
An increasingly hostile, connected world requires bold new initiatives to protect your data stores. SQL Server 2005 is the first major release of SQL Server since Microsoft began its Trustworthy Computing initiative. As a server product and the foundation for business critical applications, SQL Server has a whole new security infrastructure that will affect how you develop applications for it and maintain it. This session will look at what's new, what's easier, what's harder, and why you'll need to have a better understanding of these features than ever before. Developers can no longer afford to be ignorant of security, and this new version of SQL Server changes how you handle threats in fundamental ways.
XML Schemas with the XML Data Type
XML Schema has become the dominant data schema description format, implemented throughout .NET, deeply integrated with SQL Server, and rapidly becoming the standard way to describe the structure of XML data. This session will cover everything you need to know about XML Schema and its use in SQL Server 2005 to provide typed XML data, and why you s
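The two XML sessions above, querying and updating the XML data type and typing it with an XML Schema, share one setup, so here is a single added example (not code from either session) that covers both: a schema collection, a typed XML column validated against it, and the value(), exist(), nodes() and modify() methods that mix T-SQL with XQuery. It assumes a scratch database you own; the schema collection, table and the sample order document are invented for the example.

```sql
-- Added example (not from the sessions). Assumes a scratch database you own.
-- 1. The schema: an <order id> holding <item sku qty> elements, qty must be >= 1.
CREATE XML SCHEMA COLLECTION OrderSchema AS
N'<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="order">
      <xs:complexType>
        <xs:sequence>
          <xs:element name="item" maxOccurs="unbounded">
            <xs:complexType>
              <xs:attribute name="sku" type="xs:string"          use="required"/>
              <xs:attribute name="qty" type="xs:positiveInteger" use="required"/>
            </xs:complexType>
          </xs:element>
        </xs:sequence>
        <xs:attribute name="id"     type="xs:int"    use="required"/>
        <xs:attribute name="status" type="xs:string" use="required"/>
      </xs:complexType>
    </xs:element>
  </xs:schema>';
GO
-- 2. Typed column: every INSERT and every modify() is validated against the schema.
CREATE TABLE dbo.OrderDoc (
    OrderId int PRIMARY KEY,
    Doc     xml(OrderSchema) NOT NULL
);

INSERT INTO dbo.OrderDoc (OrderId, Doc) VALUES (1,
    N'<order id="1" status="open"><item sku="A-100" qty="2"/><item sku="B-200" qty="1"/></order>');

-- Rejected by the schema (qty="0" is not a positiveInteger), so bad data never lands:
-- INSERT INTO dbo.OrderDoc (OrderId, Doc) VALUES (2, N'<order id="2" status="open"><item sku="C-300" qty="0"/></order>');

-- 3. Mixing the engines: T-SQL picks the rows, XQuery reaches into each document.
--    value() needs a singleton, hence the [1]; exist() returns a bit.
SELECT OrderId,
       Doc.value('(/order/@id)[1]', 'int')          AS DocId,
       Doc.value('count(/order/item)', 'int')      AS ItemCount,
       Doc.exist('/order/item[@sku="B-200"]')      AS HasB200
FROM dbo.OrderDoc;

-- 4. Passing a T-SQL value into XQuery: sql:variable() keeps the value out of
--    the query text, so it cannot rewrite the XPath the way concatenation would.
DECLARE @sku nvarchar(20);
SET @sku = N'A-100';
SELECT OrderId,
       Doc.value('(/order/item[@sku = sql:variable("@sku")]/@qty)[1]', 'int') AS QtyForSku
FROM dbo.OrderDoc;

-- 5. Shredding: nodes() turns each <item> into a relational row.
SELECT o.OrderId,
       i.item.value('@sku', 'nvarchar(20)') AS Sku,
       i.item.value('@qty', 'int')          AS Qty
FROM dbo.OrderDoc AS o
CROSS APPLY o.Doc.nodes('/order/item') AS i(item);

-- 6. Modifying in place with XML DML; the result is validated against the schema too.
UPDATE dbo.OrderDoc
SET Doc.modify('replace value of (/order/@status)[1] with "shipped"')
WHERE OrderId = 1;

SELECT Doc.value('(/order/@status)[1]', 'nvarchar(20)') AS Status FROM dbo.OrderDoc;

-- Cleanup
DROP TABLE dbo.OrderDoc;
DROP XML SCHEMA COLLECTION OrderSchema;
```

Two things in this block matter beyond syntax. The typed column moves validation into the server, so an application that writes a malformed or out-of-range document gets an error at INSERT time rather than producing a row that every later query has to defend against. And sql:variable() is to XQuery what sp_executesql parameters are to dynamic SQL: the value travels as data, so user input cannot alter the path expression.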