Common Web Application Vulnerabilities...

Common Web Application Vulnerabilities:
By examining common vulnerabilities that have appeared in other applications, we can learn from previous mistakes. OWASP The Open Web Application Security Project(OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintian applications that can be trusted. OWASP has tools, documents, forums, and local chapters all dedicated to the advancement of web application security. All the resources are free and open to anyone interested in improving application security.

OWASP Top 10:
1. Unvalidated input: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attach backend components through a web application.
2. Broken access control: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access others users' accounts, view sensitive files, or use unauthorized functions.
3. Broken authentication and session management: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other user's identities.
4. Cross-Site scripting: The web application can be used as a mechanism to transport an attach to an end user's browser. A successful attack can disclose the end user's session token, attach the local machine, or spoof content to fool the user.
5. Buffer overflow: Web application components in some languages that do not properly vlaidate input can be crashed and, in some cases, used to take control of process. These components can include CGI, libraries, drivers and web application server components.
6. Injection Flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
7. Improper error handling: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that web application does not handle, he can gain detailed system information, deny service, cause secuirty mechanisms to fail, or crash the server.
8. Insecure Storage: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
9. Application denial of Service: Attackers can consule web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or evven cause the entire application to fail.
10. Insecure configuration management: Having a strong server configuration standard is critical to secure web application. These servers have many configuration options that affect security and are not secure out of the box.

Managed Code Performance, A Checklist - Part 3/3

String Operations
- Avoid inefficient string concatenation.
- Use + when the number of appends is known.
- Use StringBuilder when the number of appends is unknown.
- Treat StringBuilder as an accumulator
- Use the overloaded Compare method for case-insensitive string comparisons.

Arrays
- Prefer arrays to collections unless you need functionality
- Use strongly typed arrays.
- Use jagged arrays instead of multidimensional arrays

Collections
- Analyze your requirements before choosing the collection type.
- Intialize collections to the right size when you can.
- Consider enumerating overhead.
- Prefer to implement IEnumerable with optimistic concurrency.
- Consider boxing overhead.
- Consider for instead of foreach
- Implement strongly typed collections to prevent casting overhead.
-Be efficient with data in collections.

Reflection and LateBinding
- Prefer early binding and explicit types rather than reflection.
- Avoid late binding.
- Avoid using System.Object in performance critical code paths.
- Enable Option Explicit and Option Strict in VB.NET

Code Access Security
- Consider SupressUnManagedCodeSecurity for performance-critical, trusted scenarios.
- Prefer declarative demands rather than imperative demands.
- Consider using link demands rather than full demands for performance - critical, trusted scenarios.

Working Set Considerations
- Load only the assemblies you need.
- Consider assemblies that are being loaded as side effects.
- Reduce the number of application domains, and/or make assemblies shared assemblies.
- Reduce the number of threads.

Native Image Generator (Ngen.exe)
- Scenarios where startup time is paramount should consider Ngen.exe for their startup path.
- Scenarios that will benefit from the ability to share assemblies should adopt Ngen.exe
- Scenarios with limited or no sharing should not use Ngen.exe
- Do not use Ngen.exe for ASP.NET V1.0 and 1.1
- Consider Ngen.exe for ASP.NET V2.0
- Measure performance with and without Ngen.exe
- Regenerate your image when you ship new versions.
- Choose an appropriate base address

Managed Code Performance, A Checklist - Part 2/3

Threading

- Minimize thread creation.
- Use the thread pool when you need threads.
- Use a Timer to schedule periodic tasks.
- Consider parallel versus synchronous tasks.
- Do not use Thread.Abort to terminate other threads.
- Do not use Thread.Suspend and Thread.Resume to pause threads.

Asynchronous Calls

- Consider client-side asynchronous calls for UI responsiveness.
- Use asynchronous methods on the server for I/O bound operations.
- Avoid asynchronous calls that do not add parallelism.

Locking And Synchronization

- Determine if you need synchronization.
- Determine the approach.
- Determine the scope of your approach.
- Acquire locks late and release them early.
- Avoid locking and synchronization unless required.
- Use granular locks to reduce contention.
- Avoid excessive fine-grained locks.
- Avoid making thread safety the default for your type.
- Use the fine grained lock (C#) statement instead of Synchronized.
- Avoid locking "this".
- Coordinate multiple readers and single writers by using ReaderWriterLock instead of lock.
- Do not lock the type of the objects to provide synchronized access.

Boxing and UnBoxing.

- Avoid frequent boxing and unboxing overhead.
- Measure boxing overhead.
- Use DirectCast in VB.NET code

Exception Management

- Do not use exceptions to control application flow.
- Use validation code to avoid unnecessary exceptions.
- Use the finally block to ensure resources are released.
- Replace VB.NET OnErrorGoTo code with exception handling.
- Do not catch exceptions that you cannot handle.
- Be aware that rethrowing is expensive.
- Preserve as much diagnostic information as possible in your exception handlers.
- Use performance monitor to monitor CLR exceptions.

Iterating and Looping

- Avoid repetitive field or property access.
- Optimize or avoid expensive operations within loops.
- Copy frequently called code into the loop.
- Consider replacing recursion with looping.
- Use for instead of foreach in performance -critical code paths.

Cocoa...

Cocoa...

Apple's name for the collection of frameworks, APIs and accompanying runtimes that make up the development layer of Mac OS X. By developing with Cocoa frameworks you will be writing applications the same way that Mac OS X itself is written, with complete access to the full power of the operating system, including the signature Mac look and feel. Cocoa is simply the best way to create native mac applications.

The Cocoa frameworks are primarily written in Objective-C, and support both 32-bit and 64-bit applications as well as Objective-2.0's garbage collection, although there are a few components written in other languages such as C for performance or compatibility reasons, such as Core Foundation. The Cocoa frameworks are completely accessible to Objective-C programs, and can even be accessed using native syntax from AppleScript, Python and Ruby. Example frameworks included within Cocoa are Foundation, which defines the "nuts and bolts" classes for Objective-C programming, and Application Kit which includes higher-level controls such as Windows, buttons, Menus, and text fields. Whatever you need to develop, Cocoa contains the frameworks to make development productive and enjoyable.

For more Info, Cocoa

Managed Code Performance, A Checklist - Part 1/3

Design Considerations:
- Design for efficient resource management.
- Reduce boundary crossings
- Prefer single large assemblies rather than multiple smaller assemblies.
- Factor code by logical layers
- Treat threads as a shared resource.
- Design for efficient exception management.

Class Design considerations:
- Do not make classes thread safe by default.
- Consider using the sealed keyword.
- Consider the tradeoffs of using virtual members
- Consider using overloaded methods.
- Consider overriding the Equals method for value types.
- Know the cost of accessing a property.
- Consider private versus public member variables.
- Limit the use of volatile fields.

Garbage Collection Guidelines
- Identify and analyze your application's allocation profile.
- Avoid calling GC.Collect
- Consider weak references with cached data.
- Prevent the promotion of short-lived objects.
- Set unneeded member variables to Null before making long-running calls.
- Minimize hidden allocations.
- Avoid or minimize complex object graphs.
- Avoid preallocating and chunking memory.

Finalize and Dispose
- Call Close or Dispose on objects that support it.
- Use the using statement in C#.NET and Try/Finally blocks in VB.NET to ensure Dispose is called
- Do not implement Finalize unless required
- Implement Finalize only if you hold unmanaged resources across client calls.
- Move the finalization burden to the leaves of object graphs.
- If you implement Finalize, implement IDisposable.
- If you implement Finalize and Dispose, use the Dispose pattern.
- Suppress finalization in your Dispose method.
- Allow Dispose to be called multiple times.
- Call Dispose on base classes and IDisposable members.
- Keep finalizer code simple to prevent blocking.
- Provide thread-safe cleanup code only if your type is thread-safe.

Pinning
- If you need to pin buffers, allocate them at startup.

VSTS2008TFSPT

VSTS2008TFSPT - Visual Studio Team System 2008 Team Foundation Server Power Tools

VSTS2008TFSPTools is a set of enhancements, tools and command-line utilities that improve the TFS user experience.

TFSPower Tools include:
- Team Foundation Power Tool command-line tool(TFPT.exe)
- Build Notification
- Process Template Editor
- Custom Check-In Policy Pack
- Team Foundation Server Best Practices Analyzer
- Work Item Templates

New In this Release:
- Find in Source Control tool is an addition to the Team Explorer menu that provides the ability to locate files and folders in source control by the item's status or with a wildcard expression.
- Open a selected folder in Windows Explorer straight from Team Explorer. This feature allows you to jump straight to the mapped folder location from within Source Control Explorer.
- Quick Label feature that allows labels to be easily applied to a given selection of files and folders in the Source Control Explorer.
- Build Notification tool that runs in Windows task bar notification area monitoring the status of the build notifications you have specified. It can be configured to show notifications when builds are queued, started, or completed for multiple build definitions spanning multiple TFServers.
- Additional TFPT.exe commands for configuring Team Explorer connection settings (tweakui) and for destroying work Items and Work Items Type Definitions (destryWI, destroyWITD).
- Updates to the TFS Best Practices Analyzer for use with a Visual Studio Team System 2008 Team Foundation Server deployment.
- The Process Template Editor is updated for use with Visual Studio Team System 2008 Team Foundation Server. It also has several improvements, like, the ability to launch standalone w/o a VS installation, performance improvments, improved discoverability and bug fixes.

For more Info, and to download: Link

Microsoft Sync Framework Runtime

Microsoft Sync Framework:

A comprehensive synchronization platform that enables collaboration and offline access for applications, services and devices. It features technologies and tools that enable roaming, sharing and taking data offline. Using MS Sync Framework, developers can build sync ecosystems that integrate any application, with any data from any store using any protocol over any network.

A key aspect of the Microsoft Sync Framework is the ability to create custom syncrhronization providers. A provider is a software component that represents a replica for synchronization. A replica is a particular repository of information to be synchronized, such as a file system on a handheld device. When representing a data source, a provider enumerates changes from its replica. When representing a destination, a provider applies chnages to its replica. If the data at the source and destination differ in type or schema, each provider performs any necessary mapping or transformation.

The following providers are included:
- Sync Services for ADO.NET - Synchronization for ADO.NET enabled data sources
- Sync Services for File Systems - Synchronization for files and folders
- Sync Services for FeedSync - Synchronization for RSS and ATOM feeds

For full introduction: Visit

X++...

X++. What's this?

The World's First Full XML-Based Programming Language.

Work on X++ began in 2001 and the language was released in beta. Real programming logic was implemented using other languages/frameworks, such as Java, .NET etc. Then there were the XML technologies like XSLT and XPATH, used for manipulating/transforming XML. There is a reason for the proliferation of tranditional language XML-manipulation implementations. This is one of the needs that X++ aims to fill.

Every X++ object is an XML node and every XML node is an X++ object. By default all classes and objects inherit from the Node class which provides tree and node access and manipulation methods. The group of these methods comprises most methods that you will need for a typical program. X++ supports both single and multiple inheritance.

XML serialization is done at zero-cost to the program and the programmer in terms of complexity or performance. In Java, .NET and other languages/frameworks that implement XML serialization, it is necessary to use some special means: usually this requires the use of special clases. With X++, XML serialization is achieved by merely invoking the save method on the object which you want to serialize. Deserialization is achieved by loading an XML file into an object-- also a single instruction.

XML Memory
X++ is very tightly bound to XML in its syntax and also in its constructs. This idea is extended to something that has never been modelled before as XML. X++ presents the programmer with a metaphor of the run-time memory of an X++ program as an XML document. When objects are instantiated they are appended as children of the root node. All the objects that they contain are placed as their children in the object tree of the run-time memory XML document. The beauty of this move is that you can access and manipulate the run-time memory in exactly the same way as you can individual objects. Yes, the run time memory object also inherits from the Node class.

Each X++ process maintains its own run-time memory which it uses to keep track of the instantiated objects. No process can encroach upon another's run-time memory.In addition, there is the class run-time memory which keeps track of the current definition of classes.

XML-based Adaptive Programming
X++ is an adaptive language in that it allows you to write adaptive programs. X++ implements adaptive behaviour by supporting class redefinition as well as self-modifying programs. Class redefinition is the ability of a class to be redefined at run-time, thereby changing the behaviour of existing objects of the class. It is therefore necessary to keep track of the current definition of a class - that is where the class run-time memory comes in.

X++ also allows programs to modify themselves. As a safety net, a program can also save its state at run-time which produces a state file. The format of this state file is XML. This state file can be processed by the X++ interpreter at a later time, which has the effect of resuming the execution of the program from the point at which the state file as saved.

X++ is an open source project to use it freely. Get from here., MSDN

How NOT to use Powerpoint

Very cool video, showing how not to use Powerpoint

Live Documents...

Live Documents, a hybrid online-offline Office suite of applications.

Live Documents is a full-featured suite of online Office Productivity applications offering functionality similar to Word, Excel and PowerPoint. Built using RIA technologies such as Flash and Flex, Live documents allow users to view and edit documents within any common browser or any operating system from anywhere. Live Documents uses a Flash-based user interface that offers a richer and responsive user experience that is comparable to native Office software applications.

Live Documents is available as a optional desktop client application that wraps around Microsoft Office and embeds collaborative capabilities into these hitherto standalone software applications - Live Documents converts Microsoft Office applications from static standalone software to smart clients that are connected to the internet and facilitate in-context document sharing and management without requiring users to give up their familiar user interfaces. The Live Documents desktop client also ensures offline access to documents - a key failing of current online Office applications.

With its hybrid "Services plus Software" approach, Live Documents gives users the choice and flexibility to work on their documents either on the desktop or on the browser and while they are online or offline - any changes made on either side are automatically synchronized to the other side ensuring that the desktop and web versions are always in sync without requiring manual actions like check-in/check-out, upload/download or import/export. Live Documents is designed to increase consumer choice when it comes to purchasing hardware, selecting an operating system, choosing a network and accessing and sharing file systems.