Jul 24, 2008

Securing your Site?

In the last few weeks we had some problems with some of our old web sites, mostly developed using classic ASP, and somebody at the Ceviz.NET forums also asked how to develop a secure web site and what our practices are. Below are my practices for developing a secure web site, in the order they come to mind:

  • I use client-side UI validation (ASP.NET validators) only to respond to the user quicker; I don't trust client-side validation, but I do use it
  • Every input (QueryString, Cookies, Form elements) is validated on the server side
  • Each layer has its own validation (UI, BAL, DAL)
  • I try to use one validation class to handle all the validations in the project
  • I don't use direct SQL commands; I try to use ORMs such as SubSonic, and if I can't because of the nature of the project, I create my own DB layer and always use stored procedures
  • I never use dbo permission to access the DB
  • If membership is involved in the project, I don't write my own membership classes; I use the ones the framework provides
  • I use health monitoring to track the app
  • I use a certificate on the login page
  • I encrypt personal info in the database
  • I assume somebody can easily see my source code, so I try not to leave a back door in the code.
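As an added example (not code from the original post), here is the classic concatenated query beside the approach the list above describes: validate on the server first, then call a stored procedure through a typed parameter from a login that only holds EXECUTE. The class, the Orders table, the procedure name and the customer-code format are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not code from the original post. The procedure name,
// the Orders table and the connection string are placeholders.
public class OrderRepository
{
    // The login behind this connection string should hold EXECUTE on the
    // procedure only (GRANT EXECUTE ON usp_GetOrdersByCustomer TO ...), not dbo.
    private readonly string _connectionString;

    // Server-side rule, applied whether or not the page has an ASP.NET validator:
    // a customer code is exactly two upper-case letters followed by four digits.
    private static readonly Regex CustomerCodePattern = new Regex(@"^[A-Z]{2}\d{4}$");

    public OrderRepository(string connectionString) { _connectionString = connectionString; }

    public static bool IsValidCustomerCode(string code)
        => code != null && CustomerCodePattern.IsMatch(code);

    // Before: the classic ASP habit of pasting request input into the statement,
    // so whatever the client sends becomes part of the SQL text.
    public DataTable GetOrdersUnsafe(string customerCode)
    {
        string sql = "SELECT * FROM Orders WHERE CustomerCode = '" + customerCode + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var adapter = new SqlDataAdapter(sql, conn))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // After: reject input that fails the server-side rule, then call a stored
    // procedure through a typed parameter so the input is only ever data.
    public DataTable GetOrders(string customerCode)
    {
        if (!IsValidCustomerCode(customerCode))
            throw new ArgumentException("Invalid customer code.", "customerCode");
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("usp_GetOrdersByCustomer", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@CustomerCode", SqlDbType.Char, 6).Value = customerCode;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }
}
```

The same validation rule belongs in the BAL and DAL as the list says; the repository here is the DAL copy, so a caller that skips the UI validator still hits it.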

Any other ideas?

Jul 23, 2008

User Group Websites

I don't know what's up with the user groups' web sites. They mostly use DNN, so their templates are kind of similar, but most of them lack one thing: an RSS feed for the events. I usually check the events for the month, but it is not easy to find all of them on one page. We have the Socal Tech Events page, but it lists only the SoCal .NET user groups' web sites, and I need the events :). Why am I so obsessed with checking the events? I used to visit 3-4 user groups a month without even checking who the speaker was or what the topic was, but with gas prices going up and my salary staying still, I can't afford that anymore, so I decided to check the speaker and guest first :).

Anyway, to cut a long story short, I decided to write a scraper that will check the Southern California .NET user groups' web sites for events. Hopefully I will convert this into a BlogEngine control, so I can put the control on my blog to list all the events.

Have fun coding.

Jul 12, 2008

Are you really a Software Engineer?

Everybody is calling themselves a software engineer :). Why? Maybe it sounds cool, maybe engineering is a good thing... At the heart of engineering there is calculation, planning, timing and cost. For example, if you ask a contractor to build a house on your property, it is very likely that before anything begins you will ask the contractor how long the project will take, how much money it will cost, and maybe even what the project phases are.

It is the same with software engineers: if somebody claims :) to be a software engineer, he/she should be able to answer questions like how long this project will take, how many lines of code are expected, how much it will cost, what the project phases are, how many bugs are expected, etc.

If you took a software engineering class, you probably learned how to calculate these; if not, you can start from PSP. When I was talking with one of my friends about why an engineer should be able to answer those questions, my friend disagreed with me and told me that developing software is not like constructing a house or manufacturing, because in those engineering areas they have automated tools and processes. It is amazing that most developers I have met either don't use the tools that would help them automate the work, or haven't heard of them.

Things have changed since my C++ development days; I am now a wannabe .NET developer who is trying to become a good programmer. I read about good programming practices and try to copy the best techniques in my code. I have won some nice tools from the Inland Empire .NET user group. I really love these tools so far, such as ReSharper from JetBrains (a must-have tool if you are using Visual Studio), CodeSmith (a nice code template generator), SubSonic (which is a free ORM), SVN, and TortoiseSVN.

Some of these tools, and some others, will help you automate programming tasks and come up with a good time estimate for your projects. The most recent tool I got is CodeSmith; it is only my second day playing with this tool and I am starting to like it already :)

I created one template right away that helps me create a class faster. How? When I create a class, I try to put a heading signature at the top of the class which gives information such as class name, date created, author, tasks and history. Before CodeSmith my method was: save a small template file, and for each class I generate, copy it back from the template and modify it. After CodeSmith, I created a template which has properties; after you fill in the properties you get your class :) (Hey, before you criticize my code, don't forget I am learning CodeSmith :))

Here is my simple template:

[code:c#]

<%--
Name: C# Basic Class
Author: Volkan Uzun
Description: Basic C# class with comments
--%>
<%@ CodeTemplate Language="C#" TargetLanguage="Text" src="" Inherits="" Debug="False" Description="Generates a C# class with comments at the top." %>
<%@ Property Name="StartedBy" Type="System.String" Description="The first coder creates this class." Default="Volkan Uzun"%>
<%@ Property Name="VersionNo" Type="System.Int32" Description="Starting Version Number" Default="1000"%>
<%@ Property Name="Description" Type="System.String" Default="Description of the class" Description="Description of the class"%>
<%@ Property Name="ClassName" Type="System.String" Default="" Optional="False" Description="Class Name"%>
<%@ Property Name="Accessor" Type="AccessType" Default="Private" Optional="False" Category="Options" Description="Class Accessor"%>
<%@ Property Name="ProjectName" Type="System.String" Default="Project Name" Optional="False" Category="" Description="Project Name" %>
<%@ Property Name="Namespace" Type="System.String" Default="" Optional="false" Category="" Description="Namespace for the class" %>
/*
<Author> <%=StartedBy %></Author>
<Date><%=DateTime.Now.ToShortDateString()%></Date>
<ProjectName><%=ProjectName%></ProjectName>
<ClassName><%=ClassName%></ClassName>
<StartingVersion><%=VersionNo%></StartingVersion>
<Description><%=Description%></Description>
<History>
    <Version No="<%=VersionNo%>">
        <Action>File Created</Action>
        <Notes></Notes>
    </Version>
</History>
*/
namespace <%=Namespace%>
{
    <%=GetAccessor(Accessor)%> class <%=ClassName%>
    {
        public <%=ClassName%>()
        {
   
        }   
    }
}

<script runat="template">
public enum AccessType
{
    Internal,
    Protected,
    Public,
    Private
}

public string GetAccessor(AccessType access)
{
    string result = "private";
   
    switch (access)
    {
        case AccessType.Internal:
            result="internal";
            break;
        case AccessType.Protected:
            result="protected";
            break;
        case AccessType.Public:
            result="public";
            break;
        case AccessType.Private:
            result="private";
            break;
    }
    return result;
}
</script>

[/code]

After you fill the properties you get this as a generated template:

[code:c#]

/*
<Author> Volkan Uzun</Author>
<Date>7/12/2008</Date>
<ProjectName>Project Name</ProjectName>
<ClassName>Test</ClassName>
<StartingVersion>1000</StartingVersion>
<Description>Test class</Description>
<History>
    <Version No="1000">
        <Action>File Created</Action>
        <Notes></Notes>
    </Version>
</History>
*/
namespace ACM
{
    protected class Test
    {
        public Test()
        {
   
        }   
    }
}
 

[/code]

Now I am reading how to create a DAL from a database using CodeSmith, which I am sure will help me write faster, better code :)

What do you use to automate your coding? Are you really a software engineer? Do you know when a project will be completed before you start it?

Jul 10, 2008

Remove _svn folders with a script?

Sometimes one of my colleagues adds some folders to SVN, and when I check out the project, I get all those folders that I don't need (such as the ReSharper folder, proj files, sln files, etc.). I can delete the folders very easily, but guess what: I have my own copy of those folders that I am using, so I need those folders, but not from SVN. I can't ignore them in the project because they are already under revision control (if the file/folder is already checked in, you can't ignore it before you remove it from the repo).

So the only thing I need is a way to delete the _svn folders from the folders that I don't need to check out, and then ignore those folders. I found this smart posting that does exactly what I need. In case the posting is removed, let me copy the content; I am not changing a single word from the posting.

==============

 

Shell Command - Remove SVN Folders

The Subversion source control client maintains your local state in hidden folders named .svn inside your project, which can be a problem if you want to copy or share the project directory. This REG file adds "Delete SVN Folders" to the context menu for folders. When you select it, it removes all folders named .svn inside the folder and its children (it does nothing if the project's not under Subversion source control).

I'm not going to bother explaining reg file installation here - I figure if you're using SVN, you're good with reg files.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\DeleteSVN]
@="Delete SVN Folders"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\DeleteSVN\command]
@="cmd.exe /c \"TITLE Removing SVN Folders in %1 && COLOR 9A && FOR /r \"%1\" %%f IN (.svn) DO RD /s /q \"%%f\" \""

I got the idea from Wyatt Preul's post comparing Powershell and Command Prompt commands to delete SVN directories, so if you'd like to do this manually take a look at his scripts.

==============

Jul 09, 2008

MVM

James Johnson started the Inland Empire .NET user group 5 years ago. I started attending the user group around 2 to 2.5 years ago. I have watched this user group grow and become better every day. Good speakers, good pizza, a nice location (hey, no parking fee!!!), very friendly people, and a really devoted president, James. We discussed a lot of things with James to leverage the user group and do better things for the community. We had a 12-week Beginner's ASP.NET course, we recently completed it, and I think it was a successful training. We opened our forums; I still don't understand why they didn't become popular for helping people.

Thanks to James and our sponsors, we raffle tons of stuff at every meeting (I attend 3 or 4 different user groups in Southern California, and there is no other user group that raffles this much stuff).
One year ago James started a program that rewards the members who give back to the community, called the MVM program; and as you can see from the right corner of this blog, I am this year's winner. I literally got tons of stuff, but one of the best things is that this proves I could give back to the community. When I started coming to the user group, I was more of a consumer. Now, after some time, this shows me that I have started paying back the user group, which I still owe a lot (look at the prizes, dude!!! :P).

We have so many ideas to leverage our user group, so just stay tuned and don't give up your support. Support?!! What do I mean by support? Do you know you can help the group by:

  • advertising the user group
  • helping tear down the meeting room
  • helping set up the room
  • finding a speaker
  • speaking yourself, giving a presentation
  • bringing more people
  • RSVPing so we know how much pizza we should buy
  • checking the forums and helping people

... so many different ways to help, just ask.

Again, I thank James and the user group.

Jul 03, 2008

Broken Window, Software Entropy

I am reading The Pragmatic Programmer: From Journeyman to Master. It seems to be a nice book. The first chapter talks about software entropy. Basically, if the software has some parts that are buggy (of course you don't write code that has bugs), it will spread to other parts too, until the whole software rots.

According to the book, Broken Windows is a theory that the New York Police Department used to clean up the streets. Basically the idea is: if there is a street where some of the windows are broken and you don't fix those, people start littering. They start thinking that the street is abandoned and not secure any more, so if you have broken windows left unrepaired, you'll see more crime, graffiti, etc. How does this apply to software? If you have buggy code left in your application, it won't be secure any more, it will get more and more buggy, and crime is going to go up :).

If you have a bug in the code, fix it. I know rapid shipping sometimes will stop you from fixing all the bugs, but then remove the feature that your bug is in. Don't let broken windows spread around; don't let other developers (including yourself) think that your code is abandoned.

Have fun coding
