All my photos from TechEd Developers 2007
Web Application Security
Alik Levin
The first part didn’t bring any news. The only funny thing is that we pretended to be hacking the TechEd website, but he was actually using an internal web server while spoofing the address.
He showed us Microsoft Network Monitor 3.1 as a sniffing tool. He used SQL injection in a search form to reveal the database schema and retrieve login and password information.
Alik talked about exploiting over-privileged accounts. Applications should only have permission to access and do what they need; otherwise a hacker can use the extra privileges for his own ends.
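As an added example (not from the session or from Alik Levin), here is the kind of search-form bug from the demo next to its parameterized fix, together with an emulation of the over-privileged-account point: SQLite's authorizer hook stands in for database account grants so the application connection can read the catalogue but never the credentials table. The schema, rows and hostile input are all constructed for the example.

```python
import sqlite3

# Constructed demo database: a public product catalogue the search form
# should query, plus a users table the application never needs to read.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
INSERT INTO products (name) VALUES ('widget'), ('gadget');
INSERT INTO users (login, password) VALUES ('admin', 'hunter2');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def search_vulnerable(conn, term):
    # The search term is pasted into the SQL text, so a quote in the input
    # changes the statement's structure instead of being matched as data.
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]

def search_fixed(conn, term):
    # Parameter binding keeps the term a value; it can never become SQL.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]

def least_privilege(conn):
    # Stand-in for database account grants: the authorizer lets this connection
    # read products but refuses any read of users, so even attacker-controlled
    # SQL cannot pull credentials through the application's connection.
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ and arg1 == "users":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn

def try_read_users(conn):
    # Returns the credential rows, or None when the connection is not allowed.
    try:
        return conn.execute("SELECT login, password FROM users").fetchall()
    except sqlite3.DatabaseError:
        return None

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed input carrying an unbalanced quote
    print(search_vulnerable(db, hostile))  # every product: the WHERE clause was rewritten
    print(search_fixed(db, hostile))       # []: the term is a string that matches nothing
    print(try_read_users(least_privilege(db)))  # None: the account may not read users
```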
I heard about some tools I didn’t know that can be quite useful.
Guidance Explorer - a tool that allows you to navigate best-practice documentation, select the topics of interest and export them into a Word document.
Threat Analysis and Modeling tool - a tool where you describe your application and find out what flaws you may have and how to fix them. It can also produce some useful reports.
FindStr and MSIL Disassembler - together these two tools allow you (for testing) or hackers (for attacking) to find critical data like passwords in .NET assemblies.
Blogging Panel
Tom Mertens
During Thursday lunchtime there was a Q&A session with some bloggers.
It was discussed that blogs started as a digital diary and nowadays carry any kind of information.
The RSS format and RSS readers were pointed to as one of the big causes of blog popularity. It is easy to follow a lot of blogs with RSS, and there are even tools to filter information from these blogs.
Someone in the audience asked in which language the panel members write. They write in English because it reaches a larger audience, but if they are talking about content specific to their country, they also post in their native languages.
Another topic was how to find time to blog. One person said he thought that if so many important and busy people in the world find the time to blog, he could also find his own time to blog. On the other hand, blogging can be important as a profile builder. Blogging makes us known in communities and inside our companies. It’s a way for people to get to know us and our area of expertise.
I had to leave before the end of the session to have lunch, so this is all I heard.
Loose Coupling in Practice: Composite UI Application Block (CAB) in the Real World
David Platt
Nowadays much information is placed in remote data stores. This information can be accessed by browser clients (web pages) or rich client applications (Windows Forms). Generally rich clients beat browser clients because of the overhead of interface loading. When an application is used every day, several times a day, interface performance is essential.
There is a big problem: data is stored in different locations and in different systems.
Most systems are application-centric. A user has to access different applications and mentally integrate the information. As an example, in the medical context a patient’s medical record, personal data and laboratory results may live in different applications, when the best choice would be an integrated solution. Application-centric systems have overhead, make people lose time and can lead to catastrophic errors.
On the other hand we have user-centric systems, where information is integrated into one application that suits all the user’s needs (in some specific context). Such a system can be built as a monolithic application, which doesn’t work technically or financially because it is unmanageable and you cannot make everyone change their implementation entirely to integrate.
A better idea seems to be loose coupling: create almost independent blocks which are integrated in a common shell. This way we can have distinct data sources and few uniformity issues. An important question when building these systems is: what does the user need? Will there be many kinds of users? Which specific functionality does each one need?
With those questions answered we can start to design a common user interface with shared elements (called the shell) and think about which interface (methods, events, properties) each module loaded into the aggregating shell has.
In this area Microsoft started with the Composite UI Application Block, which had a publish/subscribe event system to allow inter-module interaction. It had a good architecture but it wasn’t easy to work with.
After that there was a new, evolved system, easier than this one and also with a good architecture. It is called the Smart Client Software Factory.
This last one allows you to define an interface to a service like authentication, define several implementations and change the implementation in use by changing an XML file. You must define the interface, develop your implementation (or collect implementations made by third-party companies), register these in your application and configure which one the application should use.
You can also do some nice integration with the UI. There are two key concepts.
Workspace - A module placement zone
View - just a bunch of controls which display data (can be placed on workspaces)
The modules (different functionalities, potentially from different software companies) can be integrated into the application by adding themselves to a workspace in the shell application. This creates a slight dependency: the modules must know the shell UI and its workspace names.
The workspaces are places into which you can load the modules’ UIs. But this isn’t enough. There are some functionalities people are used to which need a more integrated UI, for example the main menu at the top of the main window or the status bar. This is possible with UI Extension Sites! You just have to register shared zones to which each module can add items. For example, each module can add some items to the main menu.
David Platt has written a book published by Microsoft Press focusing on this subject.
Check this out!
André Sousa (Portuguese Microsoft Student Partner) won an Embedded Fusion board by asking the best question in a session presented by Rob Miles.
This prize was referred to on Rob Miles’ website.
http://www.robmiles.com/journal/2007/11/7/final-talk.html