Jul 23

Exchange for the rest of us? I don't think so. I signed up to try this out a couple of days ago and it's disappointing. Starting with email: this is simply an IMAP email account, yourname@me.com. So it doesn't work with existing accounts, and certainly doesn't synchronise anything, since the IMAP protocol manages messages on the server. The syncing software itself is actually provided as part of iTunes (why? this ought to be an explicit install, surely?) and syncs calendar, contacts and bookmarks. Contact synchronisation suffers from the problem that on a target PC in Outlook, though the contacts are in Outlook, adding them as recipients in email messages results in an error and the message won't send. I've had to open the contact cards and copy and paste the email addresses over one by one to get this to work. Calendar synchronisation suffers from this hugely irritating and frequent message:

[Image: MobileMe message]

Thing is, this happens even though I've not updated any calendar entries, yet every 15 minutes or so this pops up. Which leads me to suspect that synchronisation does not occur automatically or is driven by changes; instead it must be on a timed interval basis. In addition, if you have another PC booted up, then you'll also get this message too:

[Image: MobileMe message]

Rubbish. Especially for a £60 per year subscription. Instead this looks much more promising…

Aug 30

Writing Secure Code, Second Edition

Some years ago I worked for a software house with over 30 developers, of which only one other had read the first edition of this book. I don't think that was uncommon. Few developers cared about application security in general terms; their encounters with security were an inconvenience that either 'broke' code or (often post-exploit) resulted in 'extra work' bug-fixing. I use the past tense, but I've really no evidence to suggest that things have changed all that much. Hopefully the wider distribution and publicity granted this second edition will help change that.

The book is organised into four major sections.

The first provides background material that outlines the need to secure systems and techniques for designing secure systems. It is carefully written, appropriately illustrated and has only two very small code examples (one of which is pseudo-code, the other a couple of lines of ASP), making it good for photocopying and distribution to project managers…

The second and third sections provide the bulk of the book: secure coding techniques. As you'd expect, buffer overruns, ACLs, least privilege, crypto, canonical mistakes, SQL injection, cross-site scripting, DoS attacks, to name a few, are all covered, and there are chapters on internationalisation, sockets, RPC, and one, surprisingly small, on .NET. I say surprisingly because a good part of the marketing for this book was that it was updated to cover .NET, which it has, but not to the extent you'd think. If you're looking for an in-depth analysis of .NET security, this work doesn't have it. But it doesn't need it: if there is one single message in the second and third sections it is that there is no replacement for responsible, informed programming regardless of the syntax or technology used. The chapter entitled 'All Input Is Evil' makes that point well; it, like the others, applies whether you use .NET or not.

The final section covers 'everything else': testing, code reviews, installation, error messages, a good, but brief, chapter on privacy and data security, and an excellent chapter on general good practice.

Part of what made the first edition a classic, to my mind, is that it addressed the security fundamentals *every* programmer on a Microsoft platform should be aware of. After reading it I was in no doubt of the importance of application security, the core principles, threats and coding countermeasures, and I went on to apply those in subsequent projects. This edition builds, updates and expands on the first and is, simply, required reading. Unlike many sequels, it does not disappoint.

Jul 11

Improving Web Application Security – Threats and Countermeasures is part of Microsoft's 'patterns and practices' group. Though much of the guidance is general best practice, specific guidance is given for .NET web apps. This really is an excellent paper, complete with appendices of resource links, checklists and how-tos. Which is appropriate to what is a very practically focused document, not the idealised theorising that it could so easily have been, and which certain other papers in the series indulge in. Simply put, it is an essential read.

Jul 01

Hijacking .Net Vol 1: Role Based Security

I had to read this, touted as the first volume in a series that could be for .NET what Appleman's books were for the Win32 API. A fair bit of the book is just a guided tour of Windows role-based security, well written though. The core of the 'hijacking' part could be boiled down to a couple of pages. Essentially it's this:

Marking a class or method as private in .NET affects its visibility, but it is not a security boundary, i.e. it is possible to invoke private methods. And VS.NET provides all the means necessary to do so:

Step One: navigate to the library/class you want with ildasm and have a peek at the IL. From that it's pretty straightforward to grok the private objects/methods you might be interested in.

Step Two: use the InvokeMember method of the Type class to make use of the private class/method.

That's it. Classic Win32 API Appleman this is not; how useful the technique is I'm not sure (not in commercial work), but it's still worth a read.
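The two steps above in working C#, as an added example that is neither the book's code nor part of the original post. The `Vault` class and its `Unlock`/`UnlockChecked` methods are hypothetical names made up for the demo; ildasm (Step One) is only needed to learn member names when you have no source, so it is skipped here. The second method shows the caveat a practitioner wants alongside the trick: reflection gets past `private`, but it cannot get past a check the method performs at runtime, which is what role-based security gives you and access modifiers never did.

```csharp
using System;
using System.Reflection;
using System.Security.Principal;
using System.Threading;

// Hypothetical class for the demo; not from the book or the post.
public class Vault
{
    private readonly string secret = "s3cr3t";

    // Guarded only by 'private': the compiler refuses Vault.Unlock from
    // outside the class, but the runtime does not.
    private string Unlock(string who)
    {
        return who + ":" + secret;
    }

    // Guarded by a runtime role check as well: reflection still reaches the
    // method, but the check runs no matter how the call arrived.
    private string UnlockChecked(string who)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.IsInRole("Administrators"))
            throw new UnauthorizedAccessException(who + " is not an administrator");
        return who + ":" + secret;
    }
}

public static class PrivateInvokeDemo
{
    // Step Two from the post: Type.InvokeMember with BindingFlags.NonPublic
    // on an instance we hold a reference to.
    private static string CallPrivate(object target, string method, string arg)
    {
        const BindingFlags flags = BindingFlags.InvokeMethod
                                 | BindingFlags.Instance
                                 | BindingFlags.NonPublic;
        return (string)target.GetType().InvokeMember(
            method, flags, null, target, new object[] { arg });
    }

    public static void Main()
    {
        // Run as an ordinary user, not an administrator.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Users" });

        var vault = new Vault();

        // 'private' alone: the call succeeds and the secret comes back.
        Console.WriteLine(CallPrivate(vault, "Unlock", "alice"));

        // Runtime role check: the method runs, the check fails, and
        // InvokeMember surfaces the exception as TargetInvocationException.
        try
        {
            Console.WriteLine(CallPrivate(vault, "UnlockChecked", "alice"));
        }
        catch (TargetInvocationException ex)
        {
            Console.WriteLine("Blocked: " + ex.InnerException.Message);
        }
    }
}
```

The first call prints `alice:s3cr3t`; the second prints `Blocked: alice is not an administrator`. One period detail: under .NET Framework's Code Access Security, partially-trusted code needed ReflectionPermission (MemberAccess) to invoke non-public members this way; fully-trusted code, which is what a local desktop application is, needs nothing, so `private` is no defence at all against code running on the same machine.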

Jul 01

Enforcing XHTML Compliance in ASP.NET Applications

Having spent the last few years working on government projects where the use of XHTML was required, it was very frustrating for me, and the project teams, that ASP.NET did not support the standard. You might argue that the ASP.NET environment is a visual IDE where you drop your controls and, as Don Box put it at a conference a couple of years ago, "let .NET and let go" of the output. Even so, if you want to use ASP.NET on standards-compliant projects, and I certainly do, something has to be done until (or if) VS.NET more fully supports XHTML. So I had high hopes for this 'eBook'.

Alas, it's way more optimistic than I am about VS.NET and XHTML, it doesn't present real-world problems, and whilst it's true that we can always write our controls to produce XHTML output, it doesn't really address the issue. Has this person ever even run a simple ASPX page through a validator? I think not. And writing a filter to ensure that the resulting output is valid XML is missing the point altogether. Finally, the 'eBook' is really only an article from ASPToday; it's simply not worth the money.

Jun 09

Professional SQL Server 2000 Programming

This is, quite simply, the best introduction to SQL Server 2000 programming. It's well laid out, contains all the key information and is very easy to read. Vieira promotes a balanced architectural view and steers the reader away from the 'do it all in the data layer' approach so typical of other SQL programming texts.

Jun 09

Inside SQL Server 2000

A fascinating text describing the internals of SQL Server. A pretty wide statement, that, but true, and whilst this book is considered 'a bible' for sysadmins/DBAs I recommend it to developers too. Whilst Vieira covers some of the same territory, this does so in real depth.
