Implementing SOA Design Patterns with WCF

Service Oriented Architecture (SOA) is an architectural design pattern where it’s design is determined by few guiding principles mainly (a) Ser- vice compatibility is determined based on policy (b) Services share schema and contract, not class (c) Services are Autonomous and (d) Boundaries are Explicit. Implementation of these so-called SOA tenants requires a powerful framework which provides a unified programming model, reliable messaging, security, workflow service, interoperability and integration, syndication, meta-data exploration support, service versioning, REST-Ful endpoints and many other modern connected systems features. Both Service-Orientation and the Windows Communication Foundation (WCF) offer the promise of greater interoperability and ease of integration, but in order to realize benefits such as these we must evolve the way we architect solutions.

This session will be a hands-on introduction to SOA with Windows Communication Foundation. Speaker presents patterns using WCF that allows you to define descriptive, maintainable, yet extensible contracts and implementation of SOA tenants. Since SOA promotes loose coupling at the transport layer; you’ll learn how to create loosely coupled systems, the difference between web reference, service reference and channelfactory. The attendees will learn how to avoid anti-Patterns and leverage WCF to create extensible, versioned, responsive, interoperable, and easy-to- maintain services.

• OWASP Top 10 Presentation
• AppSec Tutorial Videos
• OWASP Cheat Sheets
• ASP.NET MVC Best Practices
• Microsoft Partners in Learning
• OWASP 2010 Top 10 Cheat Sheet
• Free eBook: OWASP Top 10 for .NET developers
• Troy Hunt (MVP) OWASP Related posts
• Anti-Forgery Request Recipes For ASP.NET MVC And AJAX
• Microsoft Security Development Lifecycle
• Authorize Attribute
• OWASP Webgoat Project
• Keep your .config clean with external config files
• jQuery Ajax calls and the Html.AntiForgeryToken()
• Does ASP.NET Viewstate implicitly prevent CSRF attacks? What does this mean for MVC?
• Protecting against CSRF attacks in ASP.Net MVC
• Anatomy of a Cross-site Request Forgery Attack
• webgoat.mvc (kahanu fork - complete)
• Step by Step improvement in Guarding against CSRF in MVC

Happy Secure Coding!

Here is the abstract.

Practical Web Application Security and OWASP Top 10 implementation on Microsoft Platform

Presenters: Adnan Masood, Tin Zaw

This session is a hands-on introduction to the web application security threats using the OWASP top 10 list of potential security flaws. The OWASP Top Ten provides a powerful awareness list for web application security and represents a broad consensus about what the most critical web application security flaws are.

Focusing on Microsoft platform with examples in ASP.NETand ASP.NETMVC, we will go over some of the common exploits and techniques for writing secure code in the light of OWASP top 10. In this code centric talk, we will discuss built in security features ofASP.NET and MVC such as cross site request forgery token and secure cookies and how to leverage them to write secure code. The OWASP Top 10 Web Application Security Risks for 2010 which will be covered in this presentation include Injection flaws, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery (CSRF),Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards.

Last but not least, one of the attendees brought up an excellent question of how to handle HIPAA and PCI compliant data in the cloud. To the best of my knowledge, based on my last conversations at the cloud summit in LA, the best approach is to do a hybrid cloud implementation i.e. public cloud CDN Style for the public facing sites while keep the sensetive data in-house where your internal data center is PCI/HIPAA compliant. Feel free to check with Lynn since she has been following this area closely.

Thanks to the great audience including celebrities like Jeremy Clark . Special thanks to Art Villa and Janet Chung for the speaking opportunity. For links and code sample, please see my previous talk.

As discussed, AppFabric 1.1 can be downloaded from here which introduces read-through and write-behind provider support, graceful shutdown, domain account support, new ASP.NET session state and output caching providers, compression and multiple cache client application configuration sections to the existing appfabric feature-set. The sample app can be downloaded from here. CacheWebAppSample.

Links

• AppFabric Home @ Microsoft
• Caching Algorithms
• Installing, Configuring and Using Windows Server AppFabric and the “Velocity” Memory Cache in 10 minutes
• Microsoft Windows Server AppFabric Cookbook
• AppFabric Cache Feature Comparisons
• Velocity vs. HA Velocity
• Windows Server AppFabric Introduction
• AppFabric Client API
• Windows Server AppFabric  Learning Center