So far I have taken advantage of Microsoft’s hospitality by – eating breakfast, tapping into the free wireless with my PDA, and playing with Windows Vista in the free Internet lounge.

Well, the keynote’s about to start, just enough time to grab another cup of coffee (the nights are long in Las Vegas).

More Later.

If you do business on the Web today, it’s likely that more than 90% of your customers reach you via Microsoft® Internet Explorer and/or Microsoft Windows®. Come to MIX and learn how the next versions of these products, due later this year, are going to dramatically improve your customers’ experience. Explore a wide range of new Web technologies that Microsoft is delivering to help you unlock new revenue opportunities and lower development costs. Learn about the future of Internet Explorer and join us in a discussion about how we can build the ideal Web surfing platform to meet your needs and those of your customers.

See you there.

When it comes down to software security, I, like a lot of
developers I know, tend to shy away from the technology because securing
computers and software is a fine art, left to a different group of people.  Many developers will tell you that securing
their PC and software is a secondary consideration, because security prevents
developers from being productive.  On the
other hand, discussing software development with security experts is akin to me
telling a fire prevention expert that I have no fire extinguisher in my house –
they tend to freak out when I explain certain development practices.  After spending the day listening to various
talks at the code camp I can honestly say that my opinions have changed, and I
am now thinking more about security. 

What is software and computer security anyway?  Well, I believe that Randy Hayes said it best
– “Security is not a product it is a process”. 
So many developers leave the securing of their applications to last
stage of the project, which usually results in a poorly secured application, or
as more often is the case, the securing of said application is never
implemented.  This is not the correct
approach – security needs to be considered through all stages of software
development, which means your design documents should include some form of threat
modeling, implementation should reflect a secure design from the start, and QA
procedures should include vulnerability tests.

So, how should one go about adding security to their
project?  This is an open ended question
with no single answer.  Many books exist
on this subject, security experts regularly post to weblogs, and their now
exist a few security methodologies to parallel the tried and testing SDL
methodologies.  This post is not about
answering this question, but more of an invitation to all those developers and
software engineers among us to start thinking securely.  Those working with Microsoft .NET on the
Windows platform have to look no further than the latest release of the .NET

Framework v2.0 to see how Microsoft are helping the developers by making it
easier to create secure applications. 

I want to thank Andrew Duthie and like minded individuals
for organizing free educational events like the MAD Code Camps.  Developers and software engineers no longer
have an excuse for not being better educated in their field, and not just in
the security area but in all aspects of development.  Since Saturday I have employed steps to
better secure my home computers and work computer, I have begun introducing my
employer to threat modeling techniques on software projects, and now consider
security implications when writing code. 
You can too.

Without any further rambling, I shall cover the finer points
of the second Mid-Atlantic Code Camp:

Code camp usually runs at least three interest tracks,
and each track consists of six or more sessions.  The following are details on the sessions I
attended.

Session 1 (Data
Track) – Secure Data from A to Z – William Ryan

Unfortunately Bill was not able to make the code camp to
perform his talk, so Sahil Malik stepped in at the last minute with an
impromptu session on ADO.NET 2.0.  The
best part of all code camp sessions is the ability of the presenters, none of
these guys (and gals) are Microsoft speakers, they’re regular developers and
software engineers like the rest of us. 
Rarely have I encountered a speaker who does not know their material and
cannot answer quick fire questions on the spot, and Sahil is no exception.  Sahil is an excellent speaker, and knows all
there is to know about ADO.NET – his latest book “Pro ADO.NET 2.0” is testament
to that fact.  I was impressed by Sahil’s
ability to talk for an hour on ADO.NET 2.0 topics, including connection
pooling, transactions and SQL CLR, without jumping around topics – the entire
session was performed without slides or prepped material. Sure, the session was
less about security, but a thrill to listen to – I only wish that I could
present as well as Sahil one day.

Session 2
(Application Track) – Security in ASP.NET 2.0 – Scott Allen

If there had to be one person who I could list as knowing a
lot about ASP.NET, then it would be Scott Allen.  I have had the pleasure of being a part of a
couple of presentations hosted by Scott, and I leave each with a better
understanding of how to write good web application code.  In his session Saturday, Scott discussed the
introduction of the new Member API in ASP.NET 2.0, new login controls and
configuration file encryption – all invented to make securing web applications
easier for developers.  I also have to
mention Scott’s ability to keep his audience entertained with witty jokes about
Vampires – thanks Scott. 

Session 3 (Best
Practices Track) – Real-world Threat Modeling – Robert Hurlbut

Just to mix up the day, I decided to attend a non-code-based
session.  Robert’s talk on threat
modeling was very inspiring, and like the sessions I attended earlier, I left
this session with a yearning to go and try what I had learned.  Robert introduced the audience in ways to
simplify documentation of security threats to software systems at the design
phase of a project.  The biggest problem
with security is being able to quantify it, and documenting potential threats
to software systems.  Threat modeling has
been invented to make this process of documentation easier.  Robert successfully educated session
participants on ways to employ threat modeling by working through real examples
on the white board, with input from the audience.  Of all the sessions I attended on Saturday,
this was the only session that I wrote extensive notes.  I plan to employ threat modeling in the
design of the current project I am working on.

Session 4 (Data
Track) – Enterprise
Library and Data Security – Gary Blatt

Gary’s
session about the Enterprise Library was an interesting look into the view of
coding for enterprise architecture using pre-coded modules, called building
blocks.  Specifically, Gary’s
presentation focused on the security application block (SAB), the configuration
application block (CAB), and Gary
touched on the database access application block (DAAB).  At this time, the EL has not been ported to
the 2.0 framework, but most of the material in Gary’s session was very useful to those still
working in a NET 1.1 environment. 

Session 5 (Best
Practices) – Developing Web Applications for Partial Trust – Joe Brinkman

I had been looking forward to this session all day!  I have been recently reading about code
access security (CAS) and operating low trust code in sandbox environments, so
I was very excited to hear about what Joe had to say about running ASP.NET at partial
trust.   By default, ASP.NET runs in an
AppDomain with full trust, and Joe demonstrated how this trust level can be
exploited by hackers on a shared hosted environment to gain access to other
hosted ASP.NET applications.  Microsoft
is pushing for all hosting organizations to move to medium trust – at this
level ASP.NET looses access to the file system, reflection, and a number of
higher privileged areas more commonly used by hackers to penetrate ASP.NET
applications.  Joe’s session included a
demonstrating the various trust levels, starting with full trust (maximum
functionality and low security) and ending with minimum trust (low
functionality, high security).  Since
sandboxing and CAS was fresh on my topic of interest list, I had a number of
questions, all of which Joe answered. 
During the break, after this session, I sat and talked with Joe about
his thoughts on running sandbox AppDomains in parallel to full trusted
AppDomains in WinForm applications (as mentioned in the latest MSDN magazine
publication).  I really wish I could have
had more time to converse with Joe on CAS, and I thank him for his time that we
shared.

Session 6 (Best
Practices) – Running as non-admin – Randy Hayes

This session gets the award for the most influential
presentation of the day – at least where I am concerned.  Randy is passionate about educating
developers and other users of the Windows platform to not run day-to tasks in
an administrative account.  By default
Windows XP installs the default user as an administrator, which is an open
security hole waiting to be exploited.  Hackers,
spy ware merchants, and virus developers are becoming smarter, and the simple
tactics of installing network firewalls are no longer enough to prevent
penetration by malicious software.  9 out
of 10 of Windows users are blissfully unaware that they may have spy ware or
virus software running on their computer, slowing down the processor, eating
memory and potentially compromising their personal files and applications.  This problem can be partially attributed to
surfing the Internet – an unsafe domain full of exploits and nasty pieces of
code waiting to be downloaded and installed without any knowledge of the
Internet user – whilst running in as an administrator.  Simply configuring your Windows machine to
run day-to-day tasks as a low privileged user (LPU) will lower the attack
surface open to malicious code. 
Approaching developers to run as LPU is the first step in convincing
Windows users to be more security conscious. 
Randy’s talk was very convincing (made me a little paranoid to be
honest), and by the intense concentration captured from the audience I would
say he was getting the correct message across that Windows needs to be actively
secured by users.  Randy informed the
attendees that he is testament to LPU working, because for two years he has
been spy ware and virus free, and yet he has no anti-virus or anti-spy ware
applications running on his computer. 
Well Randy, you convinced me, I went home that very evening and locked
down my servers and desktop computers. I am now running as LPU on all my
computers, and yes all my development tools still work!  Those of you still not convinced – better get
used to LPU if you’re planning on running Windows Vista, because the default
user in Vista is LPU. 

Well that about covers Code Camp, I cannot wait for the next
one.

1. They are free.
2. They are organized by members of developer user groups.
3. The speakers are not MS reps and thrilled to talk about what excites them.
4. Code Camps run on weekends.
5. Free CDs, magazines, book give-aways and other paraphernalia.
6. Free lunch.

I attended the following sessions:

Building Advanced Server Controls – Randy Hayes (Web Track).
This was a very informative talk. I have prior experience in developing
.NET server controls, both user and custom, so the beginning part of
this talk was glossing over knowledge I already had.  As the talk
progressed Randy explained how to develop designers and editors so that
custom server controls can be edited in Visual Studio at design time. I
was very excited to see an elaborate demonstration of an Amazon.com book
viewer with an effect panel.  I wanted to run home right there and
then and start looking at Randy’s code. 
I asked Randy if server controls have changed much from v1.1 to v2.0.
From what he knew not much is different – great news, since I have recently purchased and read
this great book.

Web Services Security for Humans: Security Fundamentals – Julie Lerman (Web Track).
Awesome talk. Julie’s talk demystified the whole security paradigm,
including RSA Public/Private Key, Symmetrical Key and Key Signing
principles. The talk was specifically about how these principles are
adopted by Web Service Enhancements 2.0 (WSE),
but everyone attending the talk was thrilled to hear Julie’s simple
explanation of how security works on a general level.  So many
questions were asked of Julie about general security methods that the session over ran into lunch. 
Julie was good enough to continue her talk while the audience munched
on the free sandwiches, chips and soda.

Using Web Services Enhancements (WSE) to Build Secure Web Services – Dwayne Taylor (SOA Track).
This talk followed on from Julie Lerman’s talk, which I had attended
previous.  Dwayne had a wealth of knowledge about WSE 2 and how
to develop enhanced web services in ASP.NET.  Unfortunately a lot
of the session content went far beyond what I was looking to learn in a 75
minutes of talk time.  Dwayne covered specifics about the WSE
configuration scheme, API, and how the WS-* standards are incorporated
into the .NET technology.  I was happy to learn about WS-Security but
the rest was overkill for any future development I have in mind. 
Never less, Dwayne did a good job at fitting in a “day’s worth of
content into a single session”.

Having Fun with SQL Mobile – Bill Ryan (Smart Client Track).
A refreshing change of pace from the intensity of the last talk.  Bill
explains the cool features of SQL Server Mobile edition – a reworked
version of SQL Server CE.  I don’t think I’ll be adding a database
to my PDA any time soon, but this talk gave me the insight should I
decide to in the future.  Bill explained how to synchronize data
from mobile databases to a central Yukon server, and the key
differences between Yukon and the Mobile edition.

Concurrency Management Techniques in ADO.NET 2.0 – Real Code – Sahil Malik (Database Track).
By far my favorite talk of the day.  It was late into the
afternoon, many attendees had either left or moved to the back of the
room to sleep. Sahil did a great job in keeping the audience alive with
his amusing analogies and witty statements, which made his talk fun to
listen to and to participate in. In my experience as a developer, data concurrency is
something that developers either: ignore, avoid by using awful locking
mechanisms, or deal with by developing elaborate methods in business
code layers.  Sahil uncloaked the concurrency problem and showed how easy it is to solve using ADO.NET 2.0 with the DataSet
class.  Sahil taught the session attendees that database pessimistic
locking is bad, and should never be used, with the single exception of
dealing with insert, updates and deletes to hierarchical tables in
datasets.  Sahil explains this theory further on his web log here.  I caught up with Sahil’s posts this morning, and here is what he has to say about yesterday’s code camp.

Unfortunately I had to cut my camp attendance short and missed Session
6. Of the 5 tracks, if I had stayed, I would have attended Configuration Management in an XP world, also by Sahil Malik.

Many thanks to Andrew Duthie and all those involved in making the Mid-Atlantic Code Camp a success.