Microsoft DevDays 2004 is a blend of cutting-edge technology demonstrations and best practices in software development. The agenda is engineered to give developers a clear view of Microsoft's development roadmap, upcoming technologies and exciting developments with the .NET Framework. At the same time, the event provides developers with a practical inside look at application design patterns and best security practices prescribed by Microsoft and its partners. The agenda revolves around showing real-world Web application scenarios, identifying security threats to an application, documenting and prescribing ways to overcome potential security flaws, following patterns to avoid development gotchas, and explaining how to build secure, data-driven, and robust applications. Since DevDays is targeted at developers, speakers don't use sales pitches. Instead, they focus on in-depth analysis, design, coding and testing processes.
To make it a real mini-PDC, Microsoft gives away powerful tools. Some of the more popular products include:
- Visual Studio .NET "Whidbey" Technology Preview
- Microsoft SQL Server Enterprise Evaluation Edition
- ASP.NET Resource Kit CD
- OpenHack reference application Source Code
You also get a DVD of all the presentations, source code and videos presented at DevDays. They also provided a complimentary .NET Connected Logo test and a coupon for a free test to become a Microsoft Certified Partner.
DevDays 2004 came to the LA Convention Center on March 15, 2004. DevDays 2004 is centralized, so it follows a similar agenda nationwide. It consists of two parallel tracks: the Smart Client Track and the Web Development Track.
The opening keynote, "Realizing Your Potential", was very interesting. Speakers demonstrated Microsoft InfoPath and BizTalk Server 2004. BizTalk Server 2004 launched on March 2, 2004. It provides support for integrating systems and provides business process orchestration through a sophisticated and friendly interface. Speakers demonstrated nested transactions, multithreading, and complex real-world scenarios of Mutex, Semaphore and synchronization made easy by BizTalk Server 2004.
One of the least used but most powerful features of SQL Server 2000, Reporting Services, was demonstrated by Kirk Nason. He explained Microsoft Business Intelligence Infrastructure and how SQL Server supports online analytical processing (OLAP). Presenters also showed off SQL Server 2005's (codename Yukon) multiple format reporting capabilities with minimal effort and mere drag and drop. OLAP is the foundation of analyzing data for business applications, including sales and marketing analysis, planning, organizational budgeting, profitability analysis, performance measurement and data warehouse reporting; SQL Server provides easier ways to perform required data slicing operations.
Later on, Bill Sheldon of Interknowlogy introduced a set of analysis and design tools (codename Whitehorse). For those who are not following Microsoft's developer roadmap or are overwhelmed by jargon, Whitehorse is a set of tools shipping with Visual Studio 2005 (codename Whidbey) "that enable architects and developers to easily design service-oriented applications and operations infrastructure simultaneously". Here's an excellent presentation in Whidbey Chronicles on Microsoft Whitehorse.
I attended Track 1 -- Building Secure Web Applications with ASP.NET, which had the following agenda.
In session one, "ASP.NET Web Application Security Fundamentals", speakers demonstrated threats to applications, for instance cross-site scripting, hidden field tampering, session hijacking, elevation of privilege attacks, SQL injection attacks, buffer overflow exploits, etc. This session mainly focused on IIS and .NET Framework security features. The concepts of security through pooling, authorization, authentication, impersonation, SSL and IP restrictions were analyzed and explained. An in-depth comparison of ACLs (access control lists) vs. URL authorization, and an implementation of the IPrincipal interface to provide custom security principal objects, were also part of this hour-long session's discussion.
Chris Rolon, principal consultant at Neudesic, came along in the next session, "Threats and Threat Modeling - Understanding Web Application Threats and Vulnerabilities", to explain various commonly used scenarios and provide a configuration file overview. With his security background, he explained where impersonation becomes crucial for application security. For instance, in one demonstration he showed how not providing proper impersonation information to ASP.NET can be a security glitch. He made an XML data file inaccessible to a user, but the user was still able to read it through ASP.NET's XmlDocument class because impersonation wasn't in place: IIS ran the request under the ASP.NET process identity rather than the IUSR_Computername account, so the file ACL never applied to the user.
In this session, Chris Rolon demonstrated a SQL injection attack against a Web site that built its queries by string concatenation. Using SQL Profiler, he showed how an appended SQL statement arrives at the server as part of the query text, and how deadly that can be. An MSDN webcast on Protecting Your System from SQL Injection Attacks explains it in more detail.
STRIDE and OCTAVE are two ways to create threat models for applications. Chris analyzed them both and emphasized that security should be built into an application from the beginning, not at the deployment stage.
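To make the concatenation problem concrete, here is an added example (not code from the DevDays session or from Microsoft) that puts the vulnerable pattern beside its parameterized replacement. It uses an in-memory SQLite database with constructed sample rows; the `users` table, its columns and the sample accounts are assumptions for illustration only. The contrast is what SQL Profiler showed on stage: with concatenation the input becomes part of the statement, with parameters it never does.

```python
"""Added example (not from the DevDays session): why string-concatenated SQL
is injectable and how parameterized queries close the hole.

Uses an in-memory SQLite database with constructed sample rows; the table
and column names are assumptions for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed sample data
    )
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so a quote
    character in the input changes the *structure* of the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the SQL text is fixed and the driver passes the values
    separately, so input is only ever compared as data."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both versions with the textbook tautology as the password field.

    The concatenated query turns into
      ... AND password = '' OR '1'='1' ...
    and matches every row; the parameterized query matches none."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "concatenated": login_concatenated(conn, "alice", tautology),
        "parameterized": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    print(demo())
```

Logging the final SQL text (as SQL Profiler does server-side) is the quickest way to spot this pattern in an existing code base: any statement whose text varies with user input is a concatenation candidate.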
The STRIDE risk assessment model focuses on six security risks: Spoofing, Tampering, Repudiation, Information disclosure, DoS, and Escalation of privilege. There is a sample chapter from Microsoft Secure Messaging with Microsoft Exchange Server 2000 on this particular technique.
OCTAVE is a general security assessment documented by CERT at Carnegie Mellon. OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
Some other topics discussed during this session were DPAPI (data protection APIs), Crypto API, trust boundaries, open points, repudiation, and how to establish a threat tree to thwart threats.

A threat tree (courtesy Microsoft Corporation)
His discussion revolved around the Threat Modeling chapter of Improving Web Application Security: Threats and Countermeasures, from the Microsoft Patterns & Practices series.
In his talk, Chris also discussed DREAD. It is an acronym describing five criteria for assessing threats to software.
- Damage
- Reproducibility
- Exploitability
- Affected users
- Discoverability
Scott Robinson and Bernard Wong started the next session, "Defenses and Countermeasures - Secure Your ASP.NET Applications from Hackers". Bernard Wong is a DCC and a ten-year veteran of Microsoft. Scott Robertson is co-founder and President of the Los Angeles .NET Developers Group, headquartered at UCLA. Wong discussed file canonicalization issues and what threats could be exposed by not restricting inputs to the ISO 8859-1 character encoding.
DPAPI (Data Protection API) uses the Triple DES algorithm for encryption and decryption. It can generate either user- or machine-specific encryption keys. Wong explained that since these APIs are not written in managed code, one has to create an RCW COM wrapper to invoke them. He also explained how hashed passwords can provide protection against brute force and dictionary attacks.
In the final session, "Developing Secure Web Applications - Examining an End-To-End, Hack-Resilient Application", Bill Sheldon demonstrated Microsoft's submission for eweek's OpenHack security test.
OpenHack 2002 Competition downloads are located here.
The closing session looked right at Microsoft's future developments. The dynamic duo of Paul Sheriff and Ken Ketz demonstrated the promised 70 percent code reduction using Visual Studio 2005 (codename Whidbey). It was a great demonstration of how little and big things are improved in future versions of Visual Studio, especially refactoring, enhanced debugging, and dataset visualizations. Especially now that they have distributed it to DevDays 2004 participants, I'd assume much regression testing and many enhancements will be on the way through the community process.
Chris Rolon came back to the stage and concluded the talk with the evolution of the framework development process. He explained that Microsoft Visual C++ will still be a primary development language and that Microsoft is bringing out a new version of the STL (Standard Template Library). He demonstrated the Visual J# compiler and disclosed his expectations for Whitehorse, the next-generation analysis and design tool integrated with Visual Studio 2005 (codename Whidbey).
After that we all saw an advertisement for Windows Longhorn. The meeting ended with books, MSN goodies and SPOT watch giveaways. The bad part is I didn't get any!
It was overall an excellent experience -- an environment of developer synergy and learning. I'm sure those like me who didn't make it to PDC are busy exploring Whidbey, the presentation code samples, the ASP.NET Resource Kit and various other features of the DevDays DVD.