DotnetWorld

July 21
B.NET TechED 2009

B.NET TechED 2009 was super successful!
Tech ED downloads available here... Thanks for attending!

Some facts about this TechED 2009:
1200 people registered within 4 days!
~500 people attended on the first day
~400 people attended on the second day
India's biggest Microsoft community tech event

Blogs about this event:
http://protocolsofmatrix.blogspot.com/2009/06/bnet-teched-2009.html
http://bbalavikram.spaces.live.com/blog/cns!356B26FE510B84C7!395.entry
http://getdotnet.blogspot.com/2009/06/teched2009-bangalore.html

March 11
Microsoft releases Web 2.0 Developer Kit

KOBE – Web 2.0 Service Development Resource Kit

The much awaited Web 2.0 Developer Kit is out. This is a good resource for the web developer community. Kobe is a getting-started resource kit on planning, architecting, and implementing Web 2.0-style apps and services using the Microsoft Web Platform. The kit includes presentations, white papers, and a sample application with source code. The sample app is built using the ASP.NET MVC framework and other MSFT web platform assets and illustrates a number of patterns that are common in Web 2.0 apps today.

Link for it: http://msdn.microsoft.com/en-us/architecture/bb194897.aspx

January 15
Top 25 dangerous programming errors

(January 12, 2009) Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.

What errors are included in the Top 25?

The Top 25 errors are listed below in three categories:
Category: Insecure Interaction Between Components (9 errors)
Category: Risky Resource Management (9 errors)
Category: Porous Defenses (7 errors)

Clicking "MORE" in any of the listings takes you to the relevant spot in the MITRE CWE site, where you will find the following: links to the full CWE entry data; data fields for weakness prevalence and consequences, remediation cost, ease of detection, attack frequency and attacker awareness; related CWE entries; and related patterns of attack for this weakness. Each entry at the Top 25 Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.
CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation
It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations...
For more see: http://cwe.mitre.org/top25/#CWE-20

CWE-116: Improper Encoding or Escaping of Output
Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days...
For more see: http://cwe.mitre.org/top25/#CWE-116

CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
If attackers can influence the SQL that you use to communicate with your database, then they can...
For more see: http://cwe.mitre.org/top25/#CWE-89

CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications... If you're not careful, attackers can...
For more see: http://cwe.mitre.org/top25/#CWE-79

CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...
For more see: http://cwe.mitre.org/top25/#CWE-78

CWE-319: Cleartext Transmission of Sensitive Information
If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many...
For more see: http://cwe.mitre.org/top25/#CWE-319

CWE-352: Cross-Site Request Forgery (CSRF)
With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...
For more see: http://cwe.mitre.org/top25/#CWE-352

CWE-362: Race Condition
Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...
For more see: http://cwe.mitre.org/top25/#CWE-362

CWE-209: Error Message Information Leak
If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...
For more see: http://cwe.mitre.org/top25/#CWE-209
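CWE-89 and CWE-79/CWE-116 above are the same mistake seen from two sides: untrusted text is allowed to change the structure of something the program emits (a SQL statement, an HTML page). The following C# is an added example, not code from the original post or from the CWE site; the Users table, its columns, the parameter length and the open connection are assumptions. It shows the lookup written the vulnerable way and the parameterised way, and the output-encoding step that keeps an echoed value from being parsed as markup:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example: the "Users" table, its columns and the connection are assumed.
public static class UserLookup
{
    // CWE-89 (vulnerable): the input is spliced into the SQL text, so a value
    // containing a quote changes the WHERE clause instead of being matched.
    public static string BuildQueryUnsafe(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // Fixed: the SQL text is a constant and the value travels as a typed
    // parameter, so whatever the user typed can only ever be compared as data.
    public static SqlCommand BuildQuerySafe(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE UserName = @userName", conn);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // CWE-79 / CWE-116: encode at the point of output, for the context the
    // value lands in (here HTML body text). '<', '>', '&' and '"' become
    // entities, so the browser renders the value as text rather than as tags.
    public static string RenderGreeting(string userName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }

    // Runnable as a console program (the project must reference System.Web).
    public static void Main()
    {
        // A perfectly legitimate name already breaks the concatenated query.
        Console.WriteLine(BuildQueryUnsafe("o'brien"));
        // Markup typed into the name field comes back inert.
        Console.WriteLine(RenderGreeting("<b>name</b>"));
    }
}
```

Running it shows the stray quote in "o'brien" landing inside the SQL literal of the unsafe version, while the parameterised command never changes its text at all; the greeting prints the angle brackets as entities rather than as a bold tag. The same encode-at-output rule applies per context: a value placed in a URL or in a JavaScript string needs that context's encoder, not HtmlEncode.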
CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...
For more see: http://cwe.mitre.org/top25/#CWE-119

CWE-642: External Control of Critical State Data
There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can...
For more see: http://cwe.mitre.org/top25/#CWE-642

CWE-73: External Control of File Name or Path
When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could...
For more see: http://cwe.mitre.org/top25/#CWE-73

CWE-426: Untrusted Search Path
If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time...
For more see: http://cwe.mitre.org/top25/#CWE-426

CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when...
For more see: http://cwe.mitre.org/top25/#CWE-94

CWE-494: Download of Code Without Integrity Check
You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can perform all sorts of tricks...
For more see: http://cwe.mitre.org/top25/#CWE-494

CWE-404: Improper Resource Shutdown or Release
When your precious system resources have reached their end-of-life, you need to...
For more see: http://cwe.mitre.org/top25/#CWE-404

CWE-665: Improper Initialization
Just as you should start your day with a healthy breakfast, proper initialization helps to ensure...
For more see: http://cwe.mitre.org/top25/#CWE-665

CWE-682: Incorrect Calculation
When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to...
For more see: http://cwe.mitre.org/top25/#CWE-682
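Three of the Risky Resource Management entries above (CWE-73, CWE-404 and CWE-682) show up together in something as ordinary as a file download handler. The C# below is an added example, not code from the original post or from the CWE site; the download directory, the file names and the size limit are assumptions. The file name may come from outside, but the directory may not: the name is combined with the base directory, canonicalised, and rejected unless the result still lies under that directory; the stream is released by a using block and the length conversion is checked so it cannot silently wrap:

```csharp
using System;
using System.IO;

// Added example: the download directory and the file names are assumed.
public static class SafeFileAccess
{
    // CWE-73: Path.GetFullPath canonicalises "..", "." and rooted input; the
    // result must still begin with the base directory or the request is refused.
    public static string ResolveUnderBase(string baseDir, string requestedName)
    {
        string basePath = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        // Path.Combine discards basePath when requestedName is rooted, which is
        // exactly why the prefix check below is needed rather than trusting Combine.
        string candidate = Path.GetFullPath(Path.Combine(basePath, requestedName));
        if (!candidate.StartsWith(basePath, StringComparison.OrdinalIgnoreCase))
        {
            throw new UnauthorizedAccessException(
                "Requested name resolves outside the download directory.");
        }
        return candidate;
    }

    // CWE-404: 'using' releases the stream on every exit path, including exceptions.
    // CWE-682: 'checked' makes an oversized file fail loudly instead of wrapping the
    // length into a negative or tiny buffer size.
    public static byte[] ReadUnderBase(string baseDir, string requestedName)
    {
        string path = ResolveUnderBase(baseDir, requestedName);
        using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
        {
            byte[] buffer = new byte[checked((int)fs.Length)];
            int total = 0;
            while (total < buffer.Length)
            {
                int n = fs.Read(buffer, total, buffer.Length - total);
                if (n == 0) break;   // file shrank while reading; return what we have
                total += n;
            }
            return buffer;
        }
    }

    public static void Main()
    {
        string baseDir = Path.Combine(Path.GetTempPath(), "downloads");
        Console.WriteLine(ResolveUnderBase(baseDir, "report.pdf"));
        try
        {
            // A name that climbs out of the directory is refused before any I/O.
            ResolveUnderBase(baseDir, "../web.config");
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The prefix check is done on the canonical form, after GetFullPath has resolved dot segments and rooted paths, because checking the raw request for ".." is easy to get wrong; the trailing separator appended to basePath stops a sibling directory whose name merely starts with the same characters from passing the test.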
CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)
If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and...
For more see: http://cwe.mitre.org/top25/#CWE-285

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers...
For more see: http://cwe.mitre.org/top25/#CWE-327

CWE-259: Hard-Coded Password
Hard-coding a secret account and password into your software's authentication module is...
For more see: http://cwe.mitre.org/top25/#CWE-259

CWE-732: Insecure Permission Assignment for Critical Resource
If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become...
For more see: http://cwe.mitre.org/top25/#CWE-732

CWE-330: Use of Insufficiently Random Values
If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank...
For more see: http://cwe.mitre.org/top25/#CWE-330

CWE-250: Execution with Unnecessary Privileges
Spider Man, the well-known comic superhero, lives by the motto "With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky...
For more see: http://cwe.mitre.org/top25/#CWE-250

CWE-602: Client-Side Enforcement of Server-Side Security
Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient
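CWE-327, CWE-259 and CWE-330 in the Porous Defenses category share one remedy: use the platform's vetted primitives and keep the secret itself out of the source. The C# below is an added example, not code from the original post or from the CWE site; the token size, the PBKDF2 iteration count and the sample password are assumptions. It contrasts System.Random with the cryptographic generator for tokens and salts, and replaces a hard-coded or home-grown password check with a salted PBKDF2 hash (Rfc2898DeriveBytes, the framework's own implementation) that is re-derived at login:

```csharp
using System;
using System.Security.Cryptography;

// Added example: 16-byte tokens, 10000 PBKDF2 iterations and the sample
// password are assumed choices, not settings from the original post.
public static class Secrets
{
    // CWE-330 (wrong for security use): System.Random is seeded from the clock
    // and its sequence is reproducible, so tokens drawn from it can be predicted.
    public static byte[] WeakToken()
    {
        byte[] token = new byte[16];
        new Random().NextBytes(token);
        return token;
    }

    // CWE-330 (fixed): the platform's cryptographically secure generator.
    public static byte[] StrongToken()
    {
        byte[] token = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(token);
        return token;
    }

    // CWE-327 / CWE-259: no invented scheme and no password in the binary.
    // Only the salt and the derived hash are stored, one fresh salt per account.
    public const int Iterations = 10000;

    public static byte[] HashPassword(string password, byte[] salt)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(32);
    }

    public static bool VerifyPassword(string attempt, byte[] salt, byte[] storedHash)
    {
        byte[] candidate = HashPassword(attempt, salt);
        // Compare every byte instead of returning at the first mismatch.
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
        {
            diff |= candidate[i] ^ storedHash[i];
        }
        return diff == 0;
    }

    public static void Main()
    {
        byte[] salt = StrongToken();                       // fresh salt for this account
        byte[] stored = HashPassword("correct horse", salt); // what the database keeps
        Console.WriteLine(VerifyPassword("correct horse", salt, stored));
        Console.WriteLine(VerifyPassword("wrong", salt, stored));
    }
}
```

Nothing in the class knows the password after HashPassword returns; if the binary or the database is read, the attacker gets a salt and a slow-to-reverse hash rather than a credential. The iteration count is the knob to raise as hardware gets faster.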
June 26
Html Helper classes in MVC toolkit

The MVC toolkit bits were part of the ASP.NET 3.5 release. When we create a view using ASP.NET MVC, the view is inherited from System.Web.Mvc.ViewPage<>. On the HTML side there is a set of extension methods called the MVC Toolkit. The toolkit is used to push the data from the controller to the screen wrapped in HTML controls. The UI helper library called System.Web.Mvc.Toolkit extends the HtmlHelper class which hangs from ViewPage.Html. To use these new UI bits we just need to include the System.Web.Mvc namespace in the web.config.

A few examples of the helper methods are as follows. If we want to get data from the form:

<% using (Html.Form("Home", "Index", FormExtensions.FormMethod.get)) { %>
<%= Html.Submit() %>
<% } %>

We can also configure the UI controls easily. E.g.:
We can populate a ListBox using a string array as
We can populate a CheckBoxList using
We can give a name and size to a TextBox as
Password TextBox
We can configure an ActionLink as
We can configure a navigation button as
We can assign a click method to a Button as

June 25
ASP.NET 3.5 Extensions II

ADO.NET Entity Framework

The Entity Framework is a set of technologies that simplify the development of flexible data-oriented applications. It provides an intrinsic layer of abstraction over a database called the Entity Data Model (EDM).

Benefits:

ADO.NET Data Services provides the ability to create and consume data-centric, RESTful services. It exposes data as URI-addressable resources.

June 19
ASP.NET 3.5 Extensions - I

Dynamic Data:
ASP.NET Dynamic Data provides the Web App Scaffolding that enables you to build rich, data-driven Web Applications. We can build a working website with very little manual effort.
Features:
1. Dynamically constructs pages based on the data model of the underlying database.
2. Provides a usable application with no code, but it can be customized.
3. A Dynamic Data app consists of three components:
   Data Model – LINQ to SQL mapping file
   Page Templates – ASPX pages that provide default views of data
   Dynamic Data fields – user controls for rendering individual fields
4. Provides a view of the data based on the default templates. Templates use the data model to determine the correct controls to display and their behavior. AJAX-enabled templates provide filtering, paging and validation.

This is different from the traditional web page creation approach where we had to:
1. First create a model, e.g. a LINQ to SQL model
2. Then create ASP.NET pages
3. Add data controls and data source controls to the web page
4. Add some validation like the regular expression validation or the required field validation

The disadvantage of this approach is that a lot of work had to be done to create a web page. Since all the validation had to be done manually, the logic resided in the wrong place: the database schema information was not used. If we had another web page using the same database field then all the validation had to be repeated, so reuse and customization is difficult.

June 16
Features of ASP.NET 3.5 - Part II

New controls in ASP.NET 3.5
The ListView control, as explained before, combines many aspects of the existing data controls. It displays data in a repetitive but customizable fashion like the DataList, Repeater and FormView. But it also has some extra features of a GridView like the sorting and paging capabilities and edit, delete, insert and update operations. It has many templates to accomplish these functionalities: the LayoutTemplate, ItemTemplate, GroupTemplate, EditItemTemplate and InsertItemTemplate.

The DataPager control supports a built-in paging UI. The DataPager can work with any control that implements IPageableItemContainer, like the ListView control. It has the NumericPagerField object that lets the user select a page by page number, and the NextPreviousPagerField object which lets the user navigate one page at a time or jump to the first or last page. We also have a TemplatePagerField object for defining customizable paging.

We can use the LinqDataSource when creating a web page that retrieves and modifies data and we want to use the programming model provided by LINQ. The amount of code needed to perform the operation is less compared to using the SqlDataSource or the ObjectDataSource. We can use this as a declarative markup control that connects to data from either a database or any data collection. In the markup we have keys to support filtering, grouping and sorting facilities. If the data source is a SQL data source, separate commands are there to perform edit, delete, insert or update operations.

What are the advantages of using the LinqDataSource compared to the other data sources? The SqlDataSource works only on relational data and we must explicitly set the SelectCommand, UpdateCommand, InsertCommand and DeleteCommand to SQL queries, but the LinqDataSource uses LINQ to SQL to create them automatically. If the data source is an ObjectDataSource then we must manually create objects that represent the data and then write methods for interacting with the data. With the LinqDataSource we have the O/R designer to automatically create the classes that represent the data, and there is no need to write methods to insert, update, delete or edit data.
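The commands that the LinqDataSource and the O/R designer generate for you correspond to ordinary LINQ to SQL code. The C# below is an added example, not code from the original post or generated by the designer; the Products table, its columns and the connection string are assumptions, and the mapping class is hand-written where the designer would normally emit it. It shows a query, an update round trip through SubmitChanges, and the point that LINQ to SQL sends values as parameters instead of building SQL text from them:

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

// Added example: the Products table, its columns and the connection string are
// assumed; the O/R designer would normally generate this mapping class.
[Table(Name = "Products")]
public class Product
{
    [Column(IsPrimaryKey = true)]
    public int ProductId;

    [Column]
    public string Name;

    [Column]
    public decimal UnitPrice;
}

public static class ProductRepository
{
    // Returns the products priced below 'maxPrice'. Nothing is sent to the
    // database here: the query is translated to SQL and run only when it is
    // enumerated (deferred execution).
    public static IQueryable<Product> CheapProducts(DataContext db, decimal maxPrice)
    {
        Table<Product> products = db.GetTable<Product>();
        return from p in products
               where p.UnitPrice < maxPrice
               orderby p.Name
               select p;
    }

    // LINQ to SQL tracks the changed rows and generates the UPDATE statements
    // itself; 'maxPrice' above and the new price here travel as SQL parameters,
    // never as text spliced into the statement.
    public static int RaisePrices(DataContext db, decimal maxPrice, decimal increment)
    {
        int changed = 0;
        foreach (Product p in CheapProducts(db, maxPrice))
        {
            p.UnitPrice += increment;
            changed++;
        }
        db.SubmitChanges();
        return changed;
    }

    public static void Main()
    {
        // Assumed connection string; this code does not create the database.
        string connectionString =
            "Data Source=.\\SQLEXPRESS;Initial Catalog=Shop;Integrated Security=True";
        using (DataContext db = new DataContext(connectionString))
        {
            db.Log = Console.Out;   // echoes the SQL that LINQ to SQL generates
            foreach (Product p in CheapProducts(db, 10m))
            {
                Console.WriteLine(p.Name + " " + p.UnitPrice);
            }
        }
    }
}
```

Setting db.Log makes the generated SQL visible, which is the quickest way to confirm that the filter value appears as a parameter and that no statement is issued until the foreach starts enumerating.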
LINQ, or .NET Language Integrated Query. Using LINQ we can query any IEnumerable data source; by that we mean any SQL Server data source, XML file or objects. The objects could be a collection or an array. We have compile-time syntax checking in LINQ: if we write a SQL statement we will not know of the errors until runtime, but using LINQ we have IntelliSense for writing queries. LINQ is an extendable API; this API can be further extended to any IEnumerable data source. A LINQ query is formed of where, select and orderby clauses. These operators have the same functionality as they have in a SQL statement. LINQ is based on deferred query execution: the query is built up first and is only evaluated and executed at runtime, when its results are enumerated.

ASP.NET AJAX
Over the last few years the concept of using JavaScript to make asynchronous postbacks to the web server that only transmit and receive the necessary data has been termed AJAX. AJAX-enabled web applications have rich, interactive and responsive user interfaces. The Microsoft AJAX framework was designed to work with ASP.NET 2.0 and future versions. ASP.NET 2.0 developers need to download and install the framework, whereas the framework comes integrated with VS 2008. The integral part of ASP.NET AJAX is the ScriptManager control, which adds references to the client-side script in the page, so that the browser requesting the ASP.NET page downloads the appropriate JavaScript libraries as well. The other server controls are the UpdatePanel, Timer and UpdateProgress controls. The UpdatePanel control allows you to define a portion of the page that will be updated by an asynchronous request, i.e. it allows us to do a partial-page postback rather than a full-page postback. Once an UpdatePanel has been added to a page, you can add the standard ASP.NET web controls (TextBoxes, Buttons, GridViews, DropDownLists, and so on) and they will automatically take advantage of AJAX techniques.

AJAX Control Toolkit
The ASP.NET AJAX Control Toolkit is a free download and contains more than 40 additional AJAX controls and components that work on top of the core ASP.NET AJAX functionality now built into .NET 3.5. It is a CodePlex project that needs to be downloaded and installed into the toolbox. This project was first started as an initiative from the Microsoft developers but now it is open to the non-Microsoft developer community as well. The purpose of this project is to add AJAX-based functionality to commonly used server controls. ASP.NET control extenders are controls that derive from the ExtenderControl base class, which can be used to add functionality to existing controls declared on a page. The AJAX Control Toolkit is an example of a project that takes advantage of the control extender functionality. It includes more than 40 free control extenders we can download and use to add AJAX functionality.

JavaScript support

Visual Studio 2008 adds support for type inference, which means that it evaluates and computes how a JavaScript block is being used and dynamically infers the variable usage and type information of the code to provide accurate IntelliSense support. There is IntelliSense support not only for inline script but also for externally referenced JavaScript files. We also have support for build-time syntax checking. The output of an AJAX web service method call can now also be a JSON object. The enhanced debugging support for JavaScript also helps in ASP.NET AJAX development.