Yesterday I finally got rid of VS 2008 beta 2 and installed Visual Studio 2008 Team Edition Trial. I have to say, this is such an amazing tool. I really enjoyed the beta and I am very excited that it's finally here.
If you did not try it yet, download it from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D95598D7-AA6E-4F24-82E3-81570C5384CB
One comment I want to make regarding Team Edition is that it seems to work just fine stand-alone without Foundation Server.
I am bringing this up since I had two separate people tell me that Team Edition will NOT work without Foundation Server. I never used VS 2005 Team Edition so I had no way to argue, even though such a statement never made sense to me. Now I can confirm that, having tried it for myself: Visual Studio 2008 Team Edition does NOT require Foundation Server.
This of course does not mean that you should not try to get Foundation Server, as it will bring many collaboration benefits and Source Control (but that's a topic for a different post).
Friday, November 30, 2007
Visual Studio 2008 - Team Edition
Wednesday, November 28, 2007
.NET 2.0 Multi-threading and Memory Management (GC)
The problem with most modern software development is its greatest productivity point: “Ease of development”. This is especially true in the .NET/Microsoft space, where the tools and Frameworks are simply amazing and hide most of the complexity.
Fortunately though for those of us who need to create more custom/complex solutions or simply want to fully understand their environment there are many ways to learn and interact with concepts such as Multi-threading and Memory Management (The Garbage Collector in .NET).
The following links are some of the best resources I have found to learn from or refresh your memory on these subjects. If you have never visited them before, I highly recommend adding these to your bookmarks and required reading lists.
Multi-threading
Multi-threading in .NET (by Jon)
http://www.yoda.arachsys.com/csharp/threads/
Memory Management
Garbage Collection: Automatic Memory Management in the Microsoft .NET Framework (by Jeffrey Richter)
http://msdn.microsoft.com/msdnmag/issues/1100/GCI/default.aspx
Garbage Collection—Part 2: Automatic Memory Management in the Microsoft .NET Framework
http://msdn.microsoft.com/msdnmag/issues/1200/GCI2/default.aspx
Monday, November 26, 2007
Exception: "Attempt to put an instance with no defined key"
Problem
Recently one of my work projects presented a good scenario for a management console that could help configure servers using WMI. The requirements themselves were simplistic, as the utility would only need to manage a server list and update system-level environment variables based on the server's category.
To check the feasibility of building such a solution I started to research example applications that automate WMI using C#/.NET 2.0 and found many straightforward candidates. The samples used the ManagementObject and seemed to do what I needed.
Coding my first prototype, everything seemed to go well until I attempted to execute enough code to actually update the environment variable, which immediately hit an Exception on the .Put() method of the ManagementObject, the exception being "Attempt to put an instance with no defined key".
My first instinct was to Google the exact error, but to my horror zero results were returned. Trying MSDN and LIVE search also resulted in zero documented cases of this Exception. Like most Software Engineers today I am spoiled by Google's ability to provide me an answer to all programming questions, and this particular case bothered me greatly as it seemed like a simplistic 10 lines of code that someone must have coded before.
Solution
After many hours of trying to debug this strange Exception and looking at other people's samples, I realized that MSDN's example was actually very close to my code, except it used a different overload on the line which would query the variables:
MSDN Code: SelectQuery wmiQueryObject = new SelectQuery("Win32_Environment", "UserName=\"
My Code: SelectQuery wmiQueryObject = new SelectQuery("select VariableValue from Win32_Environment where name = \"SystemRoot\"");
In hopes this would solve my problem I decided to try their method overload instead of my WQL variant while leaving the rest of the code alone, and it worked perfectly! I really do not understand why switching the overload causes the .Put() method to work, but at least I was able to get beyond an Exception that is not even documented and my project moves forward. I hope this Blog entry or my MSDN Wiki content posting saves someone time and documents this Exception.
In general I believe this is a great example of why the source code for .NET should be released, and thankfully this is happening in .NET 3.5! (to read more see Scott Gu's blog posting on this subject)
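An added example (not the author's code or MSDN's sample) of the update described above, using the class-name-and-condition overload. It assumes the WQL variant failed because selecting only VariableValue leaves out the key properties of Win32_Environment (Name and UserName); EnvironmentVariableUpdater, SetSystemVariable and EXAMPLE_VAR are hypothetical names.

```csharp
// Added example, not the post's or MSDN's code. Needs a reference to
// System.Management and an elevated process to change system variables.
using System;
using System.Management;
using System.Text.RegularExpressions;

static class EnvironmentVariableUpdater
{
    // Hypothetical helper: updates an existing system-level variable via WMI
    // and returns how many instances were written.
    public static int SetSystemVariable(string name, string value)
    {
        // Assumption: names are restricted to this pattern so that nothing
        // caller-supplied can alter the WQL condition built below.
        if (!Regex.IsMatch(name, @"\A[A-Za-z_][A-Za-z0-9_]*\z"))
            throw new ArgumentException("Unexpected variable name.", "name");

        // Class name + condition overload: every property comes back,
        // including the key properties Name and UserName.
        var query = new SelectQuery(
            "Win32_Environment",
            "Name='" + name + "' AND UserName='<SYSTEM>'");

        int updated = 0;
        using (var searcher = new ManagementObjectSearcher(query))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementObject variable in results)
            {
                // Assumption: an instance fetched with "select VariableValue
                // from ..." carries no keys, so Put() has no path to address.
                if (string.IsNullOrEmpty(variable.Path.Path))
                    throw new InvalidOperationException(
                        "Instance has no key path; include the key properties in the query.");

                variable["VariableValue"] = value;
                variable.Put();
                updated++;
            }
        }
        return updated;
    }

    static void Main()
    {
        // Constructed sample: EXAMPLE_VAR is a placeholder name.
        Console.WriteLine(SetSystemVariable("EXAMPLE_VAR", "example value"));
    }
}
```

If a WQL string is preferred, "select * from Win32_Environment where ..." or a property list that names the keys alongside VariableValue keeps the instance addressable under the same assumption.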
Reference
My MSDN Wiki Post
http://msdn2.microsoft.com/en-us/library/system.management.managementobject_methods.aspx
Helpful WMI Link
http://www.csharphelp.com/archives2/archive334.html (By Kevin Matthew Goss)
http://msdn2.microsoft.com/en-us/library/aa720264(VS.71).aspx (Managing Applications Using WMI on MSDN)
http://en.wikipedia.org/wiki/Windows_Management_Instrumentation (WMI Overview on Wikipedia)
Tuesday, November 13, 2007
Security Analysis
Overview
Building applications that are exposed directly to the Internet presents many challenges to engineers, especially those working in smaller and less mature development shops. Security tends to be one of these challenges and in my opinion is one of the hardest to approach correctly.
Two years ago in 2005 I found myself architecting and building an ASP.NET 2.0 application from the ground up. This particular project would expose sensitive personal information to the Internet directly for the first time in my company’s history and we had no experience in keeping it secure. (Citrix was used for all previous projects, which added the extra security wrapper.) A flawed design had the potential to hurt thousands of people, so I took this topic very seriously.
My security analysis started on a long flight from the United States to the Ukraine for a family visit (what better way to pass the time of a long flight than geek out on security?). To begin my analysis I started to piece together the various aspects of the system that needed security considerations and soon realized I was struggling to create what I would consider a complete list.
The root of my problem was I neither had a solid reference-base to start with, nor a large amount of experience in security. To try and overcome these limitations I immediately began to piece together every major system or concept my application would interact with that had security considerations. Four hours later this warped into the Security Zones Diagram featured above. This simple diagram breaks up the various parts of the system that needed my attention in any security analysis phase of an ASP.NET application.
Zones and Examples Breakdown
- Personnel (People Factor)
Example: Have we made an effort to train our end-users not to respond to emails requesting their password?
- PC (End-user computers)
Example: Have we considered what impact key-logging Trojans might have on our security?
- Internet (External Network Traffic)
Example: Have we made an effort to secure all traffic from our application as it crosses the Internet?
- Firewall
Example: Have we considered all the ways a firewall can help block our application from harm, such as limiting sensitive resources access to specific restricted IP ranges?
- Load Balancer
Example: Have we considered all the ways a load balancer can help block our application from harm, such as real-time layer-7 traffic analysis?
- IIS Servers (Web and App) Configuration
Example: Have we locked down our IIS server to only expose the type of physical files required to run our application and not sensitive resources such as code assemblies?
- Your ASP.NET hosted code
Example: Have we made sure our custom authentication code locks out users when a dictionary attack is suspected?
- .NET Framework
Example: Have we made sure to service-pack the .NET framework with all the latest security hot-fixes?
- SQL Servers Configuration
Example: Have we configured our SQL servers in a secure way that restricts which resources can talk to them directly?
- SQL Server Code (Users, T-SQL code, etc)
Example: Have we limited our user’s access to the minimum rights, such as Stored Procedure execution rights in only a specific database?
- SSL Tunnel
Example: Have we made sure that all sensitive information is transferred using SSL when it leaves our network?
- Network Data (Internal)
Example: Have we set up VLANs and Routers to segment off our internal sensitive traffic away from the general network where it could potentially be intercepted?
- Email Communication
Example: Have we made sure no services send sensitive information in clear-text emails?
Documenting and Analyzing
Once you consider all the various aspects that could potentially impact your application you will quickly realize that the list can grow to such a size that it can almost feel unmanageable. This is something that must be avoided if you are to have a constructive analysis process that leads to actual actions. Here is my recommended approach for managing this:
- Get all the key player(s) thinking about the Security Zones or some other common method of highlighting all the key areas (and do this early on in the process).
- Time-box this exercise and demand feedback if possible. Otherwise you’ll never get input; people are busy after all.
- Use SharePoint lists, Google Shared Documents or any list that can be easily viewed and updated by multiple people with minimum conflict. Making it easy for people to contribute and keeping the process transparent is essential.
- Set up a meeting for a group review of the documented risks. Rate the risks into three categories: Priority, Next Phase or Won’t Fix.
- Priority items should be added to the development or networking tasks for your current project phase as critical-path items. These items cannot be seen as external to the key deliverables of the project.
- Next Phase items should be added to your next-phase project plan and treated as priority critical-path items during that phase.
- Won’t Fix items should remain documented but be considered irrelevant or so unlikely that investing time into resolving them would not be constructive.
- Keep this process alive through the entire development cycle of your application, since as the application evolves it will constantly bring new security challenges or considerations to the table.
Conclusion
Having any process is better than having no process, and while I will not claim to be a security expert, the above has at least provided me a context from which I can analyze security risk.
Please feel free to use any part of my recommendations or even the diagram itself if it helps you.
Please Comment
Know of a better way? Have criticism of my approach? Have general feedback? Please post your comments, I really look forward to it.
Thursday, November 8, 2007
The Next Ten Years
The one concept that binds the last ten years of my life is Software Engineering. Whether it's being an aspiring web developer at my first contract job or leading a team of engineers on complex projects, making computers come to life is my passion.
As I enter the next decade I am more energized than ever, the tools from Microsoft are better than ever, the hardware is amazing, and don’t even get me started on how exciting I find the innovations coming out of Google, Apple and other major players.
When I look back at my life in development and technology ten years from now I hope to define my two decades differently: the first ten being an exciting start and growth, while the ten that follow to be a time of giving back and engaging the community like never before. The communication tools and our ability to reach out and talk to people leave no excuses for someone like myself to continue and stay isolated to the immediate circle; it's time to engage.
I hope this Blog will be a positive start. My content plan is ready, my schedule is set, let the posting begin.
Please visit and comment often, I look forward to it!

