Speaking

Notes from my LA C# User Group Talk

I spoke to the LA C# User Group last night in Pasadena on the topic of Web Application Security with OWASP.

The slide deck of my talk can be downloaded from here. LA C# OWASP Presentation

Links from the talk follow.

WCF vs. ASP.NET Web API – An Architect’s Primer - Speaking to Southern California .NET Architecture Users Group

I will be speaking at the next Southern California .NET Architecture Users Group - IASA chapter meeting on Thursday, February 21, 2013 at Rancho Santiago Community College District, 2323 N. Broadway, Santa Ana.

Meeting starts at 7:00 pm, pizza and networking 6:30 pm. Abstract follows.

WCF vs. ASP.NET Web API – An Architect’s Primer

ASP.NET Web API is a framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. The new ASP.NET Web API is a continuation of the previous WCF Web API project. WCF was originally created to enable SOAP-based services and other related bindings. However, for simpler RESTful or RPCish services (think clients like jQuery) ASP.NET Web API is a good choice.

In this meeting we discuss what you need to understand as an architect to implement your service-oriented architecture using WCF or ASP.NET Web API. With code samples, we will elaborate on WCF Web API’s transition to ASP.NET Web API and respective constructs such as Service vs. Web API controller, Operation vs. Action, URI templates vs. ASP.NET Routing, Message handlers, Formatters and Operation handlers vs. Filters, and model binders. Web API offers support for a modern HTTP programming model with full support for ASP.NET Routing, content negotiation and custom formatters, model binding and validation, filters, and query composition; it is easy to unit test and offers improved Inversion of Control (IoC) via DependencyResolver.

You will walk away with a sample set of services that run on Silverlight, Windows Forms, WPF, Windows Phone and ASP.NET.

Downloads: Slides and Source

SecureIT 2013 - OWASP Web Services Security- Securing Your Service Oriented Architecture

I am confirmed to speak at the SecureIT 2013 Conference with OWASP Los Angeles chapter leader, Tin Zaw. Following is the abstract from my talk.

Abstract: Any Service-Oriented Architecture (SOA) needs to support security features that provide auditing, authentication, authorization, confidentiality, and integrity for the messages exchanged between the client and the service. Microsoft Windows Communication Foundation (WCF) provides these security features by default for any application that is built on top of the WCF framework. In this session the presenters will discuss the WCF security features related to auditing and logging, authentication, authorization, confidentiality, and integrity.

This talk is focused on WCF security features with code demonstration to use behaviors and bindings to configure security for your WCF service. Bindings and behaviors allow you to configure transfer security, authentication, authorization, impersonation, and delegation as well as auditing and logging. This presentation will help you understand basic security-related concepts in WCF, what bindings and behaviors are and how they are used in WCF, authorization and roles in the context of WCF, impersonation and delegation in the context of WCF and what options are available for auditing in WCF.

Targeted towards solution architects and developers, this talk will provide you architectural guidance regarding authentication, authorization, and communication design for your WCF services, solution patterns for common distributed application scenarios using WCF and principles, patterns, and practices for improving key security aspects in services.

Presenters

Adnan Masood, MS. MCSD.

Senior Software Architect at Greendot Corp., Chapter Leader and President Pasadena.NET Developers Group

Tin Zaw, CISSP, CSSLP

Chapter Leader and President OWASP-LA

Refactoring Code to a S.O.L.I.D. Foundation - Speaking @ IE.NET UG

Tonight I will be speaking to Inland Empire .NET users group talking about "Refactoring Code to a S.O.L.I.D. Foundation". Abstract and meeting info follows.

Abstract: SOLID is a mnemonic acronym coined by Robert C. Martin (aka Uncle Bob) referring to a collection of design principles of object-oriented programming and design. By using these principles, developers are much more likely to create a system that is more maintainable and extensible. SOLID can be used to remove code smells by refactoring. In this session, you will learn about the following SOLID principles with code examples demonstrating the corresponding refactoring.

S - Single Responsibility Principle - An object should have only one reason to change.
O - Open/Closed Principle - A software entity (module, library, routine) should be closed to any modification but be open to extension.
L - Liskov Substitution Principle - Derived classes should be substitutable for the base classes
I - Interface Segregation Principle - Having more fine grained interfaces over fat interfaces
D - Dependency Inversion Principle - Depending on abstractions, not concrete implementations.

Downloads: SOLID Presentation - Inland Empire UG, LosTechies ebook and SOLID-Code Sample

For RSVP and directions, please click below.

WCF Security - Speaking @ OWASP Los Angeles November Monthly Meeting

I had a great time last night speaking to OWASP Los Angeles November Monthly Meeting on the topic of WCF Security – Securing your Service Oriented Architecture. The abstract of the talk, presentation slides and code follows.

Abstract: Any Service-Oriented Architecture (SOA) needs to support security features that provide auditing, authentication, authorization, confidentiality, and integrity for the messages exchanged between the client and the service. Microsoft Windows Communication Foundation (WCF) provides these security features by default for any application that is built on top of the WCF framework. In this session, Adnan Masood will discuss the WCF security features related to auditing and logging, authentication, authorization, confidentiality, and integrity.

This talk is focused on WCF security features with code demonstration to use behaviors and bindings to configure security for your WCF service. Bindings and behaviors allow you to configure transfer security, authentication, authorization, impersonation, and delegation as well as auditing and logging. This presentation will help you understand basic security-related concepts in WCF, what bindings and behaviors are and how they are used in WCF, authorization and roles in the context of WCF, impersonation and delegation in the context of WCF and what options are available for auditing in WCF.

Targeted towards solution architects and developers, this talk will provide you architectural guidance regarding authentication, authorization, and communication design for your WCF services, solution patterns for common distributed application scenarios using WCF and principles, patterns, and practices for improving key security aspects in services.

LADOTNET Sept Event: Practical Web Application Security with ASP.NET and MVC

Tonight I will be speaking at the Los Angeles.NET User Group on Practical Web application Security with ASP.NET/MVC. Following is the abstract.

Abstract:

This session is a hands-on introduction to the web application security threats using the OWASP (Open Web Application Security Project) top 10 list of potential security flaws. The OWASP Top Ten provides a powerful awareness list for web application security and represents a broad consensus about what the most critical web application security flaws are.

Focusing on the Microsoft platform with examples in ASP.NET and ASP.NET MVC, we will go over some of the common exploits and techniques for writing secure code in the light of the OWASP Top 10. In this code-centric talk, we will discuss built-in security features of ASP.NET and MVC such as the cross-site request forgery token and secure cookies and how to leverage them to write secure code. The OWASP Top 10 Web Application Security Risks for 2010 which will be covered in this presentation include Injection flaws, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery (CSRF), Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards.

RSVP Here.

Notes from LaTeX / LyX 101 – A Hands-on BYOL Workshop

I thoroughly enjoyed attending the Summer Dissertation Conference @ SCIS NSU and presenting the LaTeX / LyX 101 – A Hands-on BYOL Workshop (Rm. 3032/3034) on day 2. I would like to thank the attendees who participated in the workshop; hopefully I was able to transfer some of my enthusiasm about LaTeX to you during the session :).

Special thanks to Dr. Seagull for arranging this event, Dr. Sun for attending the workshop and my advisor Dr. Li for his support.

As promised, here are the links to TalkNotesLaTeX101 tutorial by John Gardner and Alex Yu, helloworld.tex and nsu.bib used during the demo. Other links from the workshop follow.

LaTeX Learning Curve Graphic - Courtesy Marko Pinteric

My earlier post on Dissertation 2.0 and LaTeX and a Strategy for Overcoming the Learning Curve are relevant readings.

Please feel free to send any questions or comments @ adnan at nova dot edu.

Notes from my SF.NET Developers user group talk

I spoke to The San Francisco .NET Developers User Group last week on the topic of Practical Web Application Security with ASP.NET / MVC. Following are some of the links from my talk. For additional links, please see my earlier talk Resources – talk @ 10th Annual SecureIT conference.

  • Home/MVC/Overview/Chapter 7. Security
  • Security Extensibility in ASP.NET 4 (This whitepaper covers the major ways in which security features in ASP.NET 4 can be customized, including: Encryption options and functionality in the <machineKey> element, interoperability of ASP.NET 4 forms authentication tickets with ASP.NET 2.0, configuration options to relax automatic security checks on inbound URLs, pluggable request validation, and pluggable encoding for HTML elements, HTML attributes, HTTP headers, and URL)

The code from the talk can be downloaded from here. Also, Jerry Hoff's ASP.NET port of WebGoat is available here. jerryhoff / WebGoat.NET

Notes from WCF & SOA Talk @ SoCal.NET Architecture Group

Last week I spoke to the Southern California .NET Architecture Group regarding implementation of Service Oriented Design Patterns with Windows Communication Foundation. The talk was an architectural overview of so-called SOA tenets and how to implement these best practices using WCF. Being technologists, we tend to focus more on underlying technologies and have a tendency to avoid topics like BPM, enterprise decision management, business rules engine, ESB, event stream processing, registry and discovery, component and composites, orchestration and mediation, to name a few. Trying to avoid abstractions and TLAs (three-letter acronyms), the focus of the talk was towards explaining the key components of a generic, platform-agnostic service oriented architecture and how WCF fulfills one part of this larger puzzle. In real-world SOA implementations, aside from the usual Service ABCs (Address, Binding, Contracts) which are essential parts of service components and composites, there is a lot of attention paid to tracking and monitoring the artifacts in a SOA, enforcing and ensuring compliance with the policies associated with the artifacts and measuring the outcomes related to their use. Following are some of the salient features of a comprehensive service oriented design.

  • BPM - Business process management solution
  • EDM - Enterprise decision management
  • ESB - Enterprise Service Bus
  • ESP - Event Stream Processing
  • Service Orchestration
  • Service components and composites
  • Web service mediation (Protocol mediation, Traffic management, Version rationalization, Runtime governance)

After introducing these fundamental entities as part of a comprehensive SOA platform, I spoke further about how component oriented architecture has evolved into SOA, the definition and importance of boundaries (machine, network, datacenter) and the connection between SOA and cloud. While answering a question about why WCF != SOA, I found the following geek & poke comic very useful.

As the Handbook of Cloud Computing notes,

Web Services and Service Oriented Architecture (SOA) are not new concepts; however they represent the base technologies for cloud computing. Cloud services are typically designed as Web services, which follow industry standards including WSDL, SOAP, and UDDI. A Service Oriented Architecture organizes and manages Web services inside clouds (Vouk, 2008). A SOA also includes a set of cloud services, which are available on various distributed platforms.

Therefore, it is fair to describe an SOA environment as an enabler for cloud computing. This leads us to the SOA concepts and how they map to WCF.

  • SOA Entity corresponds to WCF DataContract
  • SOA Message corresponds to WCF MessageContract
  • SOA Interface corresponds to WCF ServiceContract
  • SOA Transport corresponds to WCF Binding
  • SOA Endpoint corresponds to WCF deployment model (service endpoint)

The next logical step was a primer on a simple WCF service, WCF service library, client utility, metadata endpoint and what's new in WCF 4 to help leverage service oriented architecture. Don Box's infamous (and controversial) SOA tenets were discussed in context with the service oriented design.

  • Boundaries are Explicit
  • Services are Autonomous
  • Services share schema and contract, not class
  • Service compatibility is based upon policy

At this point, attendees were introduced to the WCF 4 hands-on-lab and its individual exercises on Simplified Configuration, Service Behavior, Protocol Mapping, Service Discovery, Metadata Extensions, Discovery Announcements, Discovery Proxy, Routing/Service Routing and Content Based Routing.

There’s a lot more to discuss, including design of contracts, versioning, governance, forward and backward compatibility, trade-offs associated with various deployment options, integration and regression testing, security (authentication, authorization, privacy), reuse, high availability, anti-patterns, AppFabric's role in monitoring, caching and hosting etc., but we had to conclude the talk in the interest of time.

Thank you Mike Vincent and David Wells for the invite.

References & Download Links:

Whats New In WCF4 (WCF 4 Lab document and Source) and a nice concluding comic from beloved Geek & Poke.

Enterprise Software Architecture and Design: Entities, Services, and Resources By Dominic Duggan

Web Service Contract Design and Versioning for SOA

SOA Design Patterns (The Prentice Hall Service-Oriented Computing Series from Thomas Erl)

Service Design Patterns: Fundamental Design Solutions for SOAP/WSDL and RESTful Web Services

RESTful Web Services

and a future title I am really looking forward to

SOA with REST: Principles, Patterns & Constraints for Building RESTful Enterprise Solutions (Prentice Hall Service-Oriented Computing Series from Thomas Erl)

Speaking @ SoCal .NET Architecture Users Group - Implementing SOA Design Patterns with WCF

I will be speaking at the next SoCal IASA chapter meeting on Thursday, May 17, 2012 at Rancho Santiago Community College District, 2323 N. Broadway, Santa Ana. Meeting starts at 7:00 pm iA, pizza and networking 6:30 pm. RSVP by emailing to mike.vincent@mvasoftware.com if you plan to attend.

Implementing SOA Design Patterns with WCF

Service Oriented Architecture (SOA) is an architectural design pattern whose design is determined by a few guiding principles, mainly (a) Service compatibility is determined based on policy, (b) Services share schema and contract, not class, (c) Services are Autonomous and (d) Boundaries are Explicit. Implementation of these so-called SOA tenets requires a powerful framework which provides a unified programming model, reliable messaging, security, workflow service, interoperability and integration, syndication, metadata exploration support, service versioning, RESTful endpoints and many other modern connected systems features. Both Service-Orientation and the Windows Communication Foundation (WCF) offer the promise of greater interoperability and ease of integration, but in order to realize benefits such as these we must evolve the way we architect solutions.

This session will be a hands-on introduction to SOA with Windows Communication Foundation. The speaker presents patterns using WCF that allow you to define descriptive, maintainable, yet extensible contracts and implementation of SOA tenets. Since SOA promotes loose coupling at the transport layer, you'll learn how to create loosely coupled systems and the difference between web reference, service reference and ChannelFactory. The attendees will learn how to avoid anti-patterns and leverage WCF to create extensible, versioned, responsive, interoperable, and easy-to-maintain services.