January 2004 - Posts

30% performance hit for what?

from Dino Esposito's post:

Kathleen Dollard said "You'll accept a 30% or greater perf hit for simplicity in programming? Sorry, but I think that's nuts."

Well, if development and maintenance both cost 30% less, then yes.


Hardening ASP.NET - avoid cross site scripting and script injection - Part 1

Scott Hanselman's excellent article on MSDN shows how to filter dangerous characters from input. My take was to override the TextBox, TextArea and Password controls and add a custom property with validating code for characters, numeric, allAllowed and noDangerousChars. This allows setting the proper data validation at runtime.

Here is more

All the failing input should be logged !!
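Here is an added example of what such an overridden control can look like (my illustration, not the author's code nor Scott Hanselman's): a TextBox subclass with an InputRule property covering the four modes named above, which registers itself as a page validator so Page.IsValid reflects it, and which logs every rejected value. The namespace, the exact regular expressions and the logging target are assumptions; set TextMode to MultiLine or Password to get the TextArea and Password variants.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace ENTSystem.Hardening   // hypothetical namespace
{
    // Validation rule selectable per control instance (names mirror the post).
    public enum InputRule { AllAllowed, Numeric, Characters, NoDangerousChars }

    // A TextBox that validates its own posted value on the server and logs rejects.
    public class HardenedTextBox : TextBox, IValidator
    {
        // Characters that open a tag, attribute, entity or script context in HTML output,
        // or that change meaning inside SQL text. Assumed list; tune it for your app.
        static readonly Regex Dangerous   = new Regex(@"[<>""'%;()&+\\]", RegexOptions.Compiled);
        static readonly Regex DigitsOnly  = new Regex(@"^[0-9]*$",        RegexOptions.Compiled);
        static readonly Regex LettersOnly = new Regex(@"^[\p{L} ]*$",     RegexOptions.Compiled);

        bool   isValid      = true;
        string errorMessage = "Input contains characters that are not allowed.";

        // Stored in ViewState so the rule set at design time survives postbacks.
        public InputRule Rule
        {
            get { object o = ViewState["Rule"]; return o == null ? InputRule.NoDangerousChars : (InputRule)o; }
            set { ViewState["Rule"] = value; }
        }

        // IValidator members: adding the control to Page.Validators makes Page.Validate()
        // call Validate() below and Page.IsValid honour the result.
        public bool   IsValid      { get { return isValid; }      set { isValid = value; } }
        public string ErrorMessage { get { return errorMessage; } set { errorMessage = value; } }

        public void Validate()
        {
            isValid = Check(Text, Rule);
            if (!isValid) LogRejected();
        }

        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);
            if (Page != null) Page.Validators.Add(this);
        }

        protected override void OnUnload(EventArgs e)
        {
            if (Page != null) Page.Validators.Remove(this);
            base.OnUnload(e);
        }

        // Pure function, so the rules can be unit-tested without a Page.
        public static bool Check(string input, InputRule rule)
        {
            if (input == null) input = "";
            switch (rule)
            {
                case InputRule.AllAllowed: return true;
                case InputRule.Numeric:    return DigitsOnly.IsMatch(input);
                case InputRule.Characters: return LettersOnly.IsMatch(input);
                default:                   return !Dangerous.IsMatch(input);
            }
        }

        // "All the failing input should be logged": who, where, which rule, and the value.
        void LogRejected()
        {
            HttpContext ctx = HttpContext.Current;
            string user = (ctx != null && ctx.User != null && ctx.User.Identity.IsAuthenticated)
                          ? ctx.User.Identity.Name : "anonymous";
            string page = ctx != null ? ctx.Request.Path : "(no context)";
            // Strip CR/LF so a crafted value cannot forge extra lines in the log.
            string payload = Text.Replace("\r", " ").Replace("\n", " ");
            System.Diagnostics.Trace.WriteLine(String.Format(
                "INPUT REJECTED page={0} user={1} control={2} rule={3} len={4} value=[{5}]",
                page, user, ID, Rule, payload.Length, payload));
        }
    }
}
```

Input filtering like this is a second line of defence: output that echoes user data still has to be HtmlEncoded, because the AllAllowed rule (and any list of "dangerous" characters) will let something through eventually.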



ASP.NET Job (Contract)

ASP.NET Developer for a bank in Milan (Italy)
Should be Italian speaker and EU resident/EU work permit holder
Local rates
Contact me by blog form

Yukon licensing a la mainframe

At a SQL Server Yukon presentation I asked if there was a possibility for licensing a la mainframe or on demand. No answer was given.
This would help the very large deployments for things like HR and Accounting, where over 50% of the monthly data crunching is done in 4-5 days. It would also help MS compete against DB2 (IBM) and Sybase in high end scenarios.

Slammer (SQL Server ports 1433/1434) anniversary, bug counts, cuddled environments and Security by Obscurity

I've been working in the last year with SQL Server and one of its competitors, both being used by an application.

Now my team has run over 3 different buffer overruns, running the most expensive IBM Unix machine into the ground.
Now this DB installation is being "cuddled" by one of the vendor's own consulting DBAs on a machine protected by numerous firewalling software packages and monitored 24 hours a day by special management software. Obviously any documentation or KB docs are not available (Security by Obscurity) for this software, or are more expensive than an original Shakespeare manuscript. Some NDA also prohibits these issues from becoming public domain.
At the same time my team of developers manages the whole software aspect of SQL Server.

To this point I think that the bugs are really being counted unfairly in the context of the environment:
In the MS world software is being installed on standard hardware and maintained by standard techies, while other environments are treated as royalty while being only usurpers and mostly technically inferior.

In this context of environment SQL Server (please install SP3!!) really comes out much better than comparables.

Monitoring ASP.NET applications (again!!)

Went crazy the last 2 days trying to find out why a user couldn't access an intranet portal.

The user access is a bit out of the norm as the user has credentials on our system, but is not a domain user since he is from another bank. Precisely, he is let through a NAT, firewall and/or VPN. The user has only access to 1 portal on which all the back office activities of the joint venture are carried out.

Since the user is in another office/company/country I could not replicate his peculiar network credential from our side. Now, you would say remote debugging. Not really, since the portal is heavily used by our-side users. Set up access to another website, so I can use it only for isolated debugging? Nope, not possible: our inhouse SS erm Systems Security people (another day, another ranty post) have longer waiting lists than the pope.

My only solution has been to brute-force decorate the app (3-4 large classes) with StreamWriter.WriteLine() statements to file and redeploy.

Was it the browser settings? Was it the code (not regress tested by QA)?

It turns out that the DNS tables were misbehaving.
But at the end I'd wish for some sort of inbuilt tracing for all the variables in a method/class, perhaps as a custom attribute, something like

<(Tracing, "True")> _
sub myMethod() with Tracing ' alternative syntax

End sub

I've heard it to be like a flag on some sort of COBOL systems, anyone care to confirm?

SQL Server and deadly Port 1433 idiots (Sequel)

from http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B813878

For example, to block network traffic from any IP address and any source port to destination port UDP 1434 on a Windows 2000-based computer, type the following. This policy is sufficient to protect computers that run Microsoft SQL Server 2000 from the "Slammer" worm.

ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x

For example, to block any network traffic that originates from your Windows 2000-based computer that is directed to UDP 1434 on any other host, type the following. This policy is sufficient to prevent computers that run SQL Server 2000 from spreading the "Slammer" worm.

ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Outbound UDP 1434 Rule" -f 0=*:1434:UDP -n BLOCK

get this cool tool from: http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/ipsecpol-o.asp


.NET wishlist Issue 2 (IPSEC and ADO.NET connections)

A connection to a DB from ADO.NET should be mandated with IPSEC, just as Forms Authentication requires SSL by default.

BTW, is there a way to detect if the connection goes over IPSEC?

SQL Server and deadly Port 1433 idiots

Every time I see an instance of SQL Server installed with the port 1433 open, I get mad.
Since multiple trojans target port 1433, why would anyone NOT change the default port 1433 when risking getting their systems infected?

ADDENDUM:

http://www.itsecurity.com/asktecs/oct3903.htm
http://support.microsoft.com/default.aspx?scid=kb;EN-US;815146

SQL vs SPROC (Frans vs Rob) : a retrospect a.k.a. MY reasons

To revive the Frans vs Rob wars :-)

In the applications my group develops we follow these guidelines:
- use SQL in codebehind classes to VISUALIZE data
- use SPROC to process data (insert, update, delete and transfer)

Why is that? ... because s**t happens

and we value certain DATA/REPORTS more than anything else

I am doing apps for a financial institution interfacing to Accounting, Compliance, Audit and Risk ERP systems with ASP.NET through IE.
In accounting and compliance reporting you are working up to a deadline, trying to report on compliance to some bodies like the SEC.
Since everybody is late, data is being processed up till the last minute.
A minute later and your CEO has to ask for forgiveness from a SEC commission, balance sheets are not certified, the company pays a BIG fine, AND YOUR CEO has to take a flight to ask forgiveness in person.

Despite high availability solutions, the best hardware tech etc. you can never tell what fails, and we

WANT

to be able to run our beloved/hated SPROCs by hand, firing up Query Analyzer, a command line isql or a Unix shell with Open Client.

Not performance, but our a** (when the CEO comes back from that trip) is the reason.

Beware bad drivers

Testing a native driver for Sybase ......

Would you choose:

a) questionable, but cool driver promising speed and commandbuilder or

b) a standard one without speed and features but very stable

.NET: developers vs admins (boo boo!!)

After a few heated arguments with the manager of systems support (aka admins) we came to the conclusion that it is best to cooperate. I said I would prepare a list with all the stuff an admin needs to know about the admin side of the framework, and he said he would help out us developers with a few chores.

I went to look for something useful, but couldn't find anything good.

Since the choice of technology often depends on admins not wanting to put something on their cute boxes, why isn't there more done for them?

One (well, sometimes) battle cry from Redmond should be admins, admins, admins

Am starting the list:

- watch out for AV and the Indexing service harassing ASP.NET
- install ASP.NET with the noupgrade option

etc etc ...

Visual Studio.NET and code serviceability

In the infinite diatribes for and against our favorite visual IDE I have to sit on the fence.

While VS.NET is very good at helping beginners enter the environment, it gets a bit lightweight when starting to maintain big codebases (100 KLOC+).

That is also a disadvantage for MS's push for the enterprise market. As a modest project evolves during its lifetime and adds pieces, it becomes more difficult to re-engineer (refactor) a codebase or modify an existing architecture. Granted, the design should be done at the beginning, but in the real world feature requests will arrive and we developers want to make our users happy. Therefore an evolved project, maybe passed through various project leaders or developers, will bloat to no end. The maintenance gets more expensive and the codebase loses its vitality and zest.

As for MS, detractors will happily declare that .NET does not scale, costs too much to keep alive and other bad stuff we don't want to hear. And just because the project initiator hired cheap developers who could only make the datagrid pretty - and fast.

With ISVs still a bit weak on .NET refactoring, VS Whidbey is the first version with a few basic refactoring items, but it needs to do lots more for code serviceability, especially if MS is serious about getting the upper hand in enterprise development.

What do you think needs to be done for .NET code serviceability?

Monitoring profiling and tracing ASP.NET applications

I found it quite difficult to monitor ASP.NET applications.

Besides the performance counters we wrote some custom classes doing the following:

- pinging the app with webrequest

- monitoring the aspnet_wp.exe process itself using the process info, capturing process restarts, pages served, max RAM used

- a connection string class appending page name and user to the OLEDB connection string, to see who's using the database spids

- reading the machine event logs

- IIS logs analysis

- the usual 10-15 logs tracing/logging exceptions, user input, et al
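The connection string trick from the list above, as an added example (mine, not the class the author's team wrote): the page and user are put into the "Application Name" keyword, which SQL Server exposes as program_name in sysprocesses and sp_who2, so each spid can be traced back to a page and a user. The namespace and the separator character are assumptions.

```csharp
using System;
using System.Text;
using System.Web;

namespace ENTSystem.Data   // hypothetical namespace
{
    public sealed class TaggedConnectionString
    {
        // SQL Server truncates program_name beyond 128 characters.
        const int MaxAppName = 128;

        // Returns the base string plus an "Application Name" naming the page and the user.
        public static string Build(string baseConnectionString, string pageName, string userName)
        {
            string tag = Sanitize(pageName) + "|" + Sanitize(userName);
            if (tag.Length > MaxAppName) tag = tag.Substring(0, MaxAppName);

            string s = baseConnectionString.Trim();
            if (s.Length > 0 && !s.EndsWith(";")) s += ";";
            return s + "Application Name=" + tag + ";";
        }

        // Only letters, digits and a few path/account separators survive. A ';', '=', quote
        // or brace inside a user-controlled value would otherwise let that value inject
        // extra connection-string keywords (a different server, a different login...).
        static string Sanitize(string value)
        {
            if (value == null) return "";
            StringBuilder sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                bool ok = Char.IsLetterOrDigit(c) || c == '.' || c == '_' || c == '-'
                          || c == '\\' || c == '/';
                sb.Append(ok ? c : '_');
            }
            return sb.ToString();
        }

        // Convenience overload for code behind: takes page and user from the current request.
        public static string ForCurrentRequest(string baseConnectionString)
        {
            HttpContext ctx = HttpContext.Current;
            string page = ctx != null ? ctx.Request.Path : "(no request)";
            string user = (ctx != null && ctx.User != null && ctx.User.Identity.IsAuthenticated)
                          ? ctx.User.Identity.Name : "anonymous";
            return Build(baseConnectionString, page, user);
        }
    }
}
```

One caveat before using this in production: both OLE DB and SqlClient key their connection pools on the exact connection string, so a tag that differs per user gives you one pool per user and page instead of one per application. Tagging with the page name only keeps the pool count manageable; add the user only while chasing a specific problem.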

What I'd like? (Hm, about time someone did a .NET wishlist !! )

- some control that says if the numbers of the performance counters are good or bad (perhaps something with green, yellow or red traffic lights)

- perhaps some minimal runtime profiling saying which parts are not so well behaved (I know, but testing never catches all scenarios)

Has anybody implemented some other interesting code?


UPDATE: Good article + tools

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/monitor_perf.asp

Yukon features

Went to a Yukon presentation last week.

The best part of it is the ease of creating datawarehousing applications through Visual Studio.

Also found the mirroring features quite compelling.

I asked about the possibilities of mirroring between two instances, which the speaker answered positively.

This type of clustering is good news for mostly-readonly apps.

Enterprise grade ASP.NET Development and code reuse

The solution I describe was implemented in a financial services organization and is used in several applications.

This development concept is meant to create solid code and save on development by half through componentizing and reusing code.

For each iteration, features are moved up the source tree and retested.

Good software practices are highly recommended to manage this process ... you should know the fluff (versioning, testing, ....)!!

To start we create a new namespace called ENTSystem, which will be the first level or enterprise-wide root.

Then we do another one as APPSystem, which is the application level.

In the ENTSystem, we extend the WebControls as empty classes first, prefixing each level with ENT,
e.g. ENTSystem.ENTWeb.ENTUI.ENTWebControls.ENTDatagrid

We do the same for the APPSystem namespace, this time by deriving from the ENTSystem classes,
e.g. APPSystem.APPWeb.APPUI.APPWebControls.APPDatagrid

The ENTSystem will be the enterprise root, while the APPSystem will be the application-level root, co-maintained by all dev groups, and the APPSystem WebControls are the lucky ones which will be imported in Visual Studio.NET.

Another important class to be extended is the Page class. This can be specialized into IntraPage and ExtraPage to be able to use them in both Intranet and Internet scenarios with different security models within.

At this point features can be added.

One item we did was setting the CssClass to the ID in all controls, so that we could create a nice style sheet with classes named after the controls and make the controls pretty ;)
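What the two-level layering looks like in code, as an added illustration (mine, not the organisation's own DLL): the ENT controls start as empty subclasses and later pick up the shared CssClass-from-ID feature in one place, the ENT page root forces an authorization check before any page's own Load runs, IntraPage and ExtraPage plug in different rules, and the APP layer just derives from ENT. The namespace names follow the post; the member names and the two authorization rules are assumptions for the example.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace ENTSystem.ENTWeb.ENTUI.ENTWebControls
{
    // One place for features shared by every enterprise control.
    internal sealed class ENTStyle
    {
        // Feature from the post: style sheet classes follow the control IDs, so
        // ".GridOrders { ... }" styles the grid whose ID is GridOrders. An explicitly
        // set CssClass wins over the ID.
        public static void ApplyIdClass(WebControl control)
        {
            if (control.CssClass.Length == 0 && control.ID != null)
                control.CssClass = control.ID;
        }
    }

    // Enterprise-wide roots: started as empty subclasses, features added later here.
    public class ENTDatagrid : DataGrid
    {
        protected override void OnPreRender(EventArgs e)
        {
            ENTStyle.ApplyIdClass(this);
            base.OnPreRender(e);
        }
    }

    public class ENTTextBox : TextBox
    {
        protected override void OnPreRender(EventArgs e)
        {
            ENTStyle.ApplyIdClass(this);
            base.OnPreRender(e);
        }
    }
}

namespace ENTSystem.ENTWeb.ENTUI
{
    // Page root: every page passes an authorization check before its own code runs.
    public abstract class ENTPage : Page
    {
        // Each scenario supplies its own security model (assumed rules below).
        protected abstract bool AuthorizeRequest();

        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);
            if (!AuthorizeRequest())
            {
                Response.StatusCode = 403;
                Response.End();   // stops the pipeline; the ThreadAbortException is expected
            }
        }
    }

    // Intranet: integrated Windows authentication must already have identified the user.
    public abstract class IntraPage : ENTPage
    {
        protected override bool AuthorizeRequest()
        {
            return User != null && User.Identity.IsAuthenticated;
        }
    }

    // Internet: credentials travel over SSL only, and anonymous access is refused too.
    public abstract class ExtraPage : ENTPage
    {
        protected override bool AuthorizeRequest()
        {
            return Request.IsSecureConnection && User != null && User.Identity.IsAuthenticated;
        }
    }
}

// Application level: derives from ENT, co-maintained by all dev groups; these are the
// classes that get registered in the Visual Studio.NET toolbox and used in the pages.
namespace APPSystem.APPWeb.APPUI.APPWebControls
{
    public class APPDatagrid : ENTSystem.ENTWeb.ENTUI.ENTWebControls.ENTDatagrid { }
    public class APPTextBox  : ENTSystem.ENTWeb.ENTUI.ENTWebControls.ENTTextBox  { }
}

namespace APPSystem.APPWeb.APPUI
{
    public abstract class APPIntraPage : ENTSystem.ENTWeb.ENTUI.IntraPage { }
    public abstract class APPExtraPage : ENTSystem.ENTWeb.ENTUI.ExtraPage { }
}
```

A code-behind class then inherits from APPIntraPage or APPExtraPage instead of Page, and a feature added to an ENT class reaches every application on the next rebuild against the root DLL, which is exactly why the post recommends getting one application finished before handing that DLL out.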

I would recommend getting a first application ready before distributing the root DLL, so that some basic features get into the ENTSystem root classes and the developers get comfortable with the development process.

Obviously, this component-structured development can be applied to any namespace in your organization.

After 2 years of using it my organization has surely been able to maximise developer productivity and avoid reinventing the wheel over and over.

That is all for the first part. It's a very simple overview and the implementation is simple too, really.

Next time I will write some stuff about the security model we used in our Intranet scenario.

posts about code reuse:

http://weblogs.asp.net/jkey/archive/2003/07/13/10030.aspx

http://weblogs.asp.net/bgold/archive/2003/09/08/49811.aspx

http://weblogs.asp.net/lhunt/archive/2003/12/17/44124.aspx

http://weblogs.asp.net/mscilipoti/archive/2003/02/13/2363.aspx

http://www.reusability.org/blogs/brian/

http://blogs.msdn.com/ricom/archive/2004/01/08/48796.aspx