R&D
Adnan on Technology, Research & Development
AppSec 2010 Conference
Aug 10th
AppSec USA 2010 is the premier web application security conference of the year. From IT decision makers and managers to security conscious developers and engineers, AppSec USA will provide answers to a wide variety of questions on application security.
Online registration is open till September 3. We have 5 keynote speakers, 2 panel discussions, 6 training classes and 20 plus high quality presentations.
Website: http://www.appsecUSA.org
URL to register is http://appsecUSA.org/reg
Agenda: http://www.appsecUSA.org/agenda
June 10th – Reactive Extensions for .NET (Rx) with Bart De Smet
Jun 2nd
Thanks to Lynn Langit, Microsoft’s Bart de Smet will be in town to speak to SGV.NET special user group meeting on Thu June 10th at 6:00 PM. Reactive extensions is a new and exciting topic for most of us and Bart, being the expert in functional programming paradigm, will be an excellent speaker to listen to.
Help us getting the word out to your co-workers, fellow user group members, friends or via your website to maximize the attendance. This announcement will also be a part of MSDN flash.
Details of the meeting are available on our website http://sgvdotnet.org
Looking forward to see you there.
-Adnan
Abstract: Reactive Extensions for .NET (Rx) is a library for composing asynchronous and event-based programs using observable collections.Rx is a superset of the standard LINQ sequence operators that exposes asynchronous and event-based computations as push-based, observable collections via the new .NET 4.0 interfaces IObservable
About the Presenter:
A former Visual C# MVP, Bart De Smet now works at Microsoft Corporation on the WPF dev team in an SDE role. Prior to this new challenge, Bart was active in the Belgian community evangelizing various Microsoft technologies, most of the time focusing on CLR, language innovation and frameworks. In his evangelism role, he’s been speaking at various events and attended several international conferences including TechEd Europe, IT Forum and the PDC. In 2005, Bart graduated as a Master of Informatics from Ghent University, Belgium. Two years later, Bart became a Master of Computer Science Software Engineering from the same university. http://bartdesmet.net/blogs/bart/
Learn Windows Azure with Stanford’s Folding@home distributed computing project
May 25th
Are you
A) a Scientist/researcher/student/ looking for the right enterprise platform for your next big scientific project?B) a developer/architect who wants to learn cloud computing with windows Azure and would like to go beyond the Hello World Apps?
C) an hobbyist interested in Stanford’s Folding@home distributed computing project and see it’s implementation
D) someone who would like to try out a free two week trial of windows Azure and see a cool distributed computing project unfold (literally 
)
E) a combination of above
If your answer is anything from A-E, this is a perfect opportunity for you. @home with Windows Azure is an online hands-on workshop! This is a guided tour of process of building and deploying a large scale Azure application. No more “hello world”! in this two hour long session, you will see how to build and deploy a real cloud app that leverages the Azure data center It’s a free online session where each attendee will receive a temporary, self-expiring, full-access account to work with Azure for a period of 2-weeks. The webcast is 2 hours and offered at 4 different times during the month of June. For details, check out the project website and the event registration page. You’d need VS.NET 2008/2010 with the Windows Azure Tools for Microsoft Visual Studio 1.1 (February 2010) Enjoy! PS. A recording of the Tuesday, May 4th session can be viewed along with the webcasts on Creating your first Azure application and Running and deploying the @home with Windows Azure application however in order to get the free 2 week account, you’d need to signup and attend an event.Upcoming SoCal .NET Events – June 2010
May 22nd
There are few upcoming events in Southern California I’d like to share.
On Thu, June 10th, Bart De Smet will be speaking to our own San Gabriel Valley .NET developers Group on Rx (Reactive Extensions). Bart is a Software Development Engineer on the SQL Cloud Data Programmability team, an avid blogger and a popular speaker on various international conferences. Rx is a technology created in the SQL Cloud Data Programmabiltity team. Details here.
June 26th and 27th, SoCal Code Camp in San Diego is on it’s way. This is going to be the 5th Code Camp event in San Diego. With great sessions and line of speakers, it’s a must-see-event for all SoCal developers.
On Wed June 2nd, Chris Burrows from Microsoft on the C# Compiler team will be speaking to a special Combined Orange County Meeting in Irvine on getting to Know C# 4. It’s part of the VS 2010 Launch Event with the Product Team at Microsoft Irvine Office. Details here
Woody Pewitt‘s just spoke to SGV.NET Users group on Mobile application development using .NET 4.0 last week. The recording of his talk is available here.
Happy Coding!
Mock Objects 101
May 2nd
Getting started with Mock Objects can be a bit daunting task if you are newly entering the uncharted waters of TLA’s i.e. TDD (test driven development). It quickly gets confusing to decide when to use Mock objects, the merit and need to use them and also how do they integrate with your testing strategy.
Let me give you a simplest example along with sample code of how to use MOQ, a simple and easy to use mock objects framework. This should help clarify some aspects of mock-objects and their potential usage.
Let’s say you have a simple Math class which looks like follows.
namespace MOQtester
{
public interface IMathClass
{
int Sum(int a, int b);
}
public class MathClass : IMathClass
{
public int Sum(int a, int b)
{
return (a + b);
}
}
}
All it does is that it sums up two values and return you the response. Now you will try to mock it which means you’ll try to make a pretend-object or make-believe entity which will behave as the original object according to the instructions told during the setup.
Ok, what does this mean?
Here is all of this works.
You initialize a MOCK object class
var mock = new Mock();
and then you do the “setup” to instruct the make-believe object to return 10 when 1 and 10 are being summed up.
mock.Setup(s => s.Sum(1, 10)).Returns(10);
This setup (use to be Extend) instruction is very important because it defines the behavior of how the mock object would act when invoked.
Now one may wonder, why would I ever want to do this? Why can’t I just instantiate and run the original object?
Well, in this particular case you are right. Its easy to just instantiate an object of Math class and call the Sum method but imagine for the methods where this is hard for instance your HTTPContext testing or when you’d like to test a customer object without going to database and populating the entire thing for a selected test? You can think of several scenarios when a functionality like this can come in handy.
and this is how you’d call it
mock.Object.Sum(1, 10)
Now I am returning a wrong value just to prove the point that mock objects are exactly what they are called, mock. This means they do as told and are not real replacements of original entities. They mock the supposed behavior of original entities and make TDD easier.
The entire listing of Program.cs looks like this
using System;
using Moq;
namespace MOQtester
{
internal class Program
{
private static void Main(string[] args)
{
var mock = new Mock();
mock.Setup(s => s.Sum(1, 10)).Returns(10);
//Actual Object
var obj = new MathClass();
Console.Write("{0}, {1}", mock.Object.Sum(1, 10), obj.Sum(1, 10));
}
}
}
Complete Code can be downloaded from here. MOQ Sample Code
MOQ is a Mocking library for .NET 3.5 and C# 3.0, heavily based on Linq which can be downloaded from here.
Step by Step Guide for Authenticating WCF Service with Username and Password over SSL
Apr 29th
Here is a short step by step guide on how to get your WCF service to perform Message and Transport level security over SSL with user name and password. I ran into this recently and thought should document it along with source code to provide reference for the rest of us.
1. If your development machine is XP (or 2K3 server) and you need dev SSL cert installed on it, follow the instructions mentioned in the articles here. The SelfSSL makes it real easy to do self signed certificates, literally one statement.
Setting up SSL with a SelfSSL certificate on Windows Server 2003 (and XP)
Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL
2. Create a WCF Service Project. Name the service and contracts appropriately. In my sample it is a simple contract like follows.
[ServiceContract]
public interface IWcfService
{
[OperationContract]
string GetData(int value);
}
Make sure you make the appropriate config changes matching with your service contract.
2. Add a custom validator class in your service. You can create a separate file for it. In this example I have added it to the main service file WcfService.svc.cs. You are going to need to add the reference (not just adding these lines at the top, go to add-reference and add the corresponding dll’s to the project)
using System.IdentityModel.Selectors; using System.IdentityModel.Tokens;
and the custom validator code.
public class CustomValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
if (userName == "test" && password == "test")
return;
throw new SecurityTokenException(
"Unknown Username or Password");
}
}
You probably want to make this user name and password moved to a more secure location or point to your database/authentication store for security and maintainability perspective.
3. Now the code part is done. Move to config file. Enable custom errors so you know details about the errors happening.
<customErrors mode=”Off” defaultRedirect=”GenericErrorPage.htm”>
4. Add a new bindings attribute in the config called SafeServiceConf which will specify the TransportWithMessageCredential type of security. You can add this right before </system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="SafeServiceConf" maxReceivedMessageSize="65536">
<readerQuotas maxStringContentLength="65536" maxArrayLength="65536"
maxBytesPerRead="65536" />
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<bindings> <wsHttpBinding> <binding name="SafeServiceConf" maxReceivedMessageSize="65536"> <readerQuotas maxStringContentLength="65536" maxArrayLength="65536" maxBytesPerRead="65536" /> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" /> </security> </binding> </wsHttpBinding> </bindings>
5. Modify your end point address to refer to this binding configuration
<endpoint address="" binding="wsHttpBinding" contract="MySamples.IWcfService" bindingConfiguration="SafeServiceConf">
also modify your metadata exchange endpoint to use mexHttpsBinding
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
6. Modify your service behavior to look like this
<behavior name="WcfService.Service1Behavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication
userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="MySamples.CustomValidator,WcfService"
/>
</serviceCredentials>
</behavior>
It’s recommended that “Include exception in faults” should be disabled when moved to production.
7. Now you are almost ready to run the service however before you do this, make sure that you are running it in the IIS AND you have the SSL enabled on the server as specified in step 1 otherwise you’ll run into WCF error stating that there is no HTTPS endpoint available.
Setup Virtual Directory in IIS from Visual Studio
You should be able to run and see the service end point as follows.
Running WCF Service over SSL
Running WCF Service over SSL 2
8. Now that the service is done, let’s move towards building the client. Add the service reference to the service end point. You can do it either via entering the entire URL or using the discover feature.
Add WCF Reference
9. Name your reference “Client” or modify your code appropriately. Following is the code for client implementation.
private static void Main(string[] args)
{
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(
delegate { return true; });
var client = new WcfServiceClient();
GetCredentials();
client.ClientCredentials.UserName.UserName = username;
client.ClientCredentials.UserName.Password = password;
Console.Write(client.GetData(1));
client.Close();
Console.Read();
}
The RemoteCertificateValidationCallback part is used to programatically avoid the following warning which would popup due to self signed cert usage.
Self signed Certificate Warning
10. Now run the program.
Running WCF client
You can see that for the right credentials, service will run just fine. Otherwise a security exception will be thrown.
Source code can be downloaded from here.WCFAuthSample
Feel free to drop me an email or comment here if you have any questions.
References and Further Readings:
How to: Authenticate with a User Name and Password
WCF Service over HTTPS with custom username and password validator in IIS
Chapter 5 – Authentication, Authorization and Identities in WCF
How to: Use Transport Security and Message Credentials
WCF: Could not establish trust relationship for the SSL/TLS secure channel with authority
Deploying an Internet Information Services-Hosted WCF Service
How messages are encrypted when security mode is “Message”?
Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe)
Setting up SSL with a SelfSSL certificate on Windows Server 2003 (and XP)
Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL
The Fizz-Buzz Programming Test
Apr 21st
A lot has been said about the FizzBuzz programming test used in interviews. It’s a decent litmus test measure of testing a few key capabilities in a developer i.e. (a) knowledge of programming constructs (iterations/conditionals) (b) algorithm / logic and (c) thinking process
The problem statement goes as follows.
Write a program that prints the numbers from 1 to 100. But for multiples of three print “Fizz” instead of the number and for the multiples of five print “Buzz”. For numbers which are multiples of both three and five print “FizzBuzz”
Here are few scenarios how it may play out during interviews.
Scenario A.
Interviewer: States the problem statement.
Applicant: hmmm….How do I do multiples?
Interviewer: (grrrr.. Out!.) You’ll be hearing from our hiring manager. Nice meeting you.
Scenario B
Applicant: well, I think in the loop .. if (number * 3 = 5) print something
Interviewer: (Out!) You’ll be hearing from our hiring manager. Nice meeting you.
Scenario C
Applicant:
for(int i=1; i<=100; i++)
{ if (i % 3 == 0)
{ Console.WriteLine("Fizz");
if (i % 5 == 0) Console.WriteLine("Buzz");
if (i % 3 == 0 && i % 5 == 0)
Console.WriteLine("FizzBuzz");
else
Console.WriteLine(i);}};
Interviewer: (well, I suppose you get points for trying but NO, it won’t work. Will print Fizz Buzz FizBuzz for 15.) You’ll be hearing from our hiring manager. Nice meeting you.
Scenario D
Applicant:
for(int i=1; i<=100; i++)
{
if (i % 3 == 0 && i % 5 == 0)
Console.WriteLine("FizzBuzz!");
else if (i % 3 == 0) Console.WriteLine("Fizz");
else if (i % 5 == 0) Console.WriteLine("Buzz");
else Console.WriteLine(i);
}
Interviewer: It works! Cool.
Scenario E
Applicant:
for(int i=1; i<=100; i++)
Console.WriteLine( ((i%3 == 0 && i%5 == 0) ? "FizzBuzz" : ( (i % 3 == 0) ? "Fizz": (i % 5 == 0) ? "Buzz" : i.ToString())));
Interviewer: hmmm… terse and concise but readability / maintainability?
Hired / needs more review? Your thoughts?
Related:
Coding Horror: Why Can’t Programmers.. Program?
Scott Hanselman – You Can’t Teach Height – Measuring Programmer
Coding Horror: FizzBuzz: the Programmer’s Stairway to Heaven
SGV.NET User Group Meeting – Learning Silverlight 4 w/ Volkan Uzun – Wed 4/21/2010
Apr 19th
Abstract: Silverlight 4 enhances the building of business applications, media applications, and applications that reach beyond the browser. New features include printing support, significant enhancements for using forms over data, full support in the Google Chrome web browser, WCF RIA services, modular development with MEF, full support in Visual Studio 2010, bi-directional text, web camera and microphone support, rich text editing, improved data binding features, HTML support, MVVM and commanding support, new capabilities for local desktop integration running in the new “Trusted Application” mode such as COM automation and local file access.
While Silverlight turns into a mainstream RIA technology for enterprise level applications; this presentation will focus on and demonstrate a selected group of Silverlight 4 features to highlight its potential. The content will include useful pointers for further study and experimentation.
About the Speaker: Volkan is currently working at California State University as an Information Technology Consultant. He has a passion for creating accessible and secure applications and loves to share his knowledge with the developer community. He was the instructor for the IEDOTNETUG ASP.NET Web Forms class in 2008 and this year he taught teaching ASP.NET MVC. Volkan is holding a MS degree in Computer Science from California State University.
He has been developing softtware since 1999; former companies he worked for include Wincor-Nixdorf and Denizbank; where he was involved in systems engineering and programming. He is certified as MCTS on SQL Server 2005 and MCTS on ASP.NET Web development.
Read Volkan’s blog at http://www.msnetprogrammer.net/blog.
for further details, please check out the San Gabriel Valley .net user group website
OWASP Top 10 FINAL 2010 – Web Application Security Risks
Apr 19th
OWASP Top 10 Web Application Security Risks 2010 has been released today 4/19 as FINAL.
The OWASP Top 10 Web Application Security Risks for 2010 are:
- A1: Injection
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards
Click here to download the OWASP Top 10 – 2010
Startups For the Rest of Us – A Podcast by Rob Walling
Apr 18th
I wanted to pass along a bit of info about Rob Walling, the co-founder of San Gabriel Valley .NET Developers group newest project. a podcast!.
The podcast is called Startups for the Rest of Us. Rob’sco-host is Mike Taber, the guy behind SingleFounder.com.
The focus of the podcast is bootstrapped startups and Micropreneurs. A new episode every Tuesday. The first episode is live at the podcast website and you can listen to it in your browser or download the MP3. It also provide full written transcripts of each episode in the show notes. Episodes will be concise and run 20-30 minutes so you can listen during a jog, a short commute or part of a lunch hour.
Check it out if you’re the podcasting type:
If you listen and like it, find it in iTunes using the link above, rate it and post a comment.
