Archive for May, 2004

Detroit Security Summit Review

Last week I got to attend the Microsoft Security Summit in Detroit. The event lasted an entire business day, and was broken down into a keynote address followed by four sessions that covered three different tracks: 200 Level Networking, 300 Level Networking and 200 Level Developer. I personally attended all four Developer sessions.

The keynote address was given by Tom Button, VP of the Windows product management group. He gave a dynamic talk and clearly outlined Microsoft’s broad range of security efforts. Most of the focus was on XP and Windows 2003 server. During his presentation there was a demo of XP sp2. It looked good; I need to see more, so the XP sp2 RC1 CD that every attendee got will come in handy. Tom laid out an excellent view of Microsoft’s vision of security as well as an overview of all the current initiatives and their future directions.

Of the four Developer sessions, three were OK and one was terrific. Of the three that were OK, much of the material was an overview or shallow demos (it is a 200 Level track). For instance, cryptography and impersonation were explained in the first session, with a demo of installing an SSL certificate and a demo of the authentication options for a web site. The second session covered different types of exploits like buffer overruns and SQL injection with simple demos. It was better than the first session; the speaker was much more excited about the topics and it came across in the presentation.

The third session was a winner. It covered threat modelling in detail, followed by an extensive demo of securing web.config in ASP.Net. The speaker covered a ton of great material there, information that I had to really dig for when I was first trying to secure web.config for my own projects. On top of that, he covered additional information about machine keys that I could really use. The demos in this session were much more in-depth than the previous two.

The last session fell into the pattern of the first two. Much more theoretical and less code. Some of the topics covered included .Net Code security, using the GAC, and using identity and principal objects. The session was better than the first two, but not as in-depth as the third.

Overall, I think Microsoft did an excellent job of presenting a wide range of material at the Summit. Since there was only one Developer track advertised at a 200 level, most of the information was somewhat basic, but if you were new to developing or to .Net it was certainly worthwhile. The speakers included enough advanced material to keep more experienced developers from losing out as well. It’s a difficult balance to strike. For what was promised up front, the Summit delivered.


ASP.Net Exposed Review

I got the chance to attend the ASP.Net Roadshow in Detroit/Ann Arbor this past Tuesday. It was given by Rob Howard, ASP.NET Program Manager and one of the driving forces behind

Rob was a very engaging speaker, and despite working with ASP.Net for over a year, I didn’t find the presentation to be dragging at all. There were nuggets for developers at all different levels throughout the presentation. The material was mostly basic, as the target audience was really developers and managers thinking about moving to ASP.Net. Rob performed most of the talk by writing code to demonstrate his points, which helped out the more experienced users in the audience. Much of the material he covered throughout the presentation contained a fair amount of the “WOW” factor by demonstrating large effects with little code, such as autoformatting a datagrid or connecting to a database and fetching information.

The second half of the presentation focused on Security demos and Whidbey demos. The security demos focused around impersonation and SQL injection. Good stuff for all ranges of developers to keep in mind.

For me, this was the first real exposure to Whidbey. A few things in particular stood out about what I saw:

  • For ASP.Net, Whidbey takes an approach much more like VB6, focusing on the Visual design aspects and not much on the code. In fact, he repeatedly pointed out how much could be done without any code at all.
  • The strong visual RAD aspects of Whidbey will draw lots of non-programmers to ASP.Net, much like VB6 did for the Visual Basic language.
  • The RAD visual development aspects of Whidbey have much going on “Under the Hood”. This of course will require real trust for the developers. Is it really flexible, or will it turn out to be like the web controls that shipped with Visual Interdev 6.0 that in theory were great, but just didn’t offer the flexibility? Only time and experience will tell us that.
  • For so much to be going on “under the hood”, there must be a price to pay somewhere in overhead. Is it in the Viewstate? This wasn’t mentioned, but it’s got to be somewhere.

Overall, it was worth the three hours. I picked up information I can use today, and got a pretty good view of what is coming with Whidbey. Every person who turned in an evaluation got a copy of Microsoft ASP.Net Coding Strategies with the Microsoft ASP.Net Team, plus there was a giveaway at the end of some T-shirts and two Pocket PCs.
