venkat.Murthy

Okay.. My differences about DataGrid, DataList, and Repeater in ASP.NET

2006-08-30T21:50:00.000-07:00

Yes. Illustrated image is for understandings i have over three.

venkat.Murthy

Happy Birthday MUGH!!!

2006-03-31T22:59:00.000-08:00

Wow.. its unbelievable that MUGH is celebrating its 3rd birthday on 1-Apr-06. Started way back as DUNG, it is you all that made it a trend setter in communities space, here in india.

So, keep your comments/suggestions coming in, and we all shall continue in making MUGH the best !!!

venkat.Murthy

New HTMLEncoding and URLEncoding

2006-02-26T20:39:00.000-08:00

Widely used approach to avoid risk posed by XSS is to encode all untrusted input into non-executable forms, before rendering it as output. The System.Web.HttpUtility.HtmlEncode is one namespace provided by microsoft that encoded charecters into safer HTML formats.

The approach looks for bad characters in input, with an assumption of all possible invalid inputs an attacker might attempt. This can provide protection to applications against XSS attacks, but it merely depends on howmuch were assumption were correct? For example, some of currently possible valid encodings of the character “<” are: (I have seperated each encoded value with a ':').

<: %3C: <: < : < : &LT; : < : &#060 : < : &#00060 : < : < : < : < : < : < : < : < : < : &#x03c : < : &#x0003c : < : &#x000003c : < : < : <
< : < : < : < : &#X03c : < : &#X0003c : < : &#X000003c : < : < : < : < : < :
< : < : &#x03C : < : &#x0003C : < : &#x000003C :
< : < : < : < : < : < : < : &#X03C : < : &#X0003C : < : &#X000003C : < : <

Tough... isn't it ? The Anti-Cross Site Scripting Library V1.0 by Microsoft takes an approach based on allowing only known or good inputs, and rejecting every thing else. This is a good and comprehensive approach of allowing all known-inputs rather than not-allowing all unknown inputs.

You can download installer here. There is new support for HTMLEncode and URLEncode exactly the same as their System.Web.HttpUtility counterparts (HttpUtility.HtmlEncode and HttpUtility.UrlEncode), but under AntiXSSLibrary.HtmlEncode and AntiXSSLibrary.UrlEncode namespaces !!!

Finally the results are out!!!

2006-01-12T03:26:00.000-08:00

Microsoft Users Group, Hyderabad (MUGH) has announced winners for CodeWarriors 2005 and SQL server 2005. Check more at http://www.mvpblog.com/techfest/

Trackback : On an intersting opinion

2005-12-01T03:30:00.000-08:00

Sudha, has clearly stated what could we have done to improve the remarks on our engineers.

Having a great potential across world, our engineers have always contributed more. Considering the less 'practical exposure', and more 'theoritical knowledge' indian engineers have, as commented by Criag, could it have been better to point out like: given the right exposure and current knowledge, indian engineers can scale up to new heights, as they have always done.

Well, even all IT industrialists like Naryananan, Anil Ambani speak the same.

How did we go about that?

venkat.Murthy

Count down begins

2005-11-23T03:34:00.000-08:00

Thanks for the participation in CodeWarriors and SQLWHIZ contests at TechFest. Count down begins, and hope everyone could make up to the final round !!!

venkat.Murthy

Code Warriors 2005, SQL Whiz 2005 at MUGH, Hyderabad

2005-09-05T22:27:00.000-07:00

Time for curtain UP!!!

MUGH (www.mugh.net) has lot of action for developers and technology experts this year. As said in promised in this post, we have bought two back to back events for tech-savy professionals.

SQL Whiz 2005 - This is SQL Server White paper contest for Hyderabadis out there, who want to show case their technical skills on Microsoft SQL Server. I am sure, this contest will bring up the SQL guru in you, and you can feel the difference. Wait...... you can have lot of goodies, books, tee-shirts. Ofcourse, a certificate of recognition will come for all winning entries signed by community gurus and champs at Microsoft.

Come, show case your SQL Skills at SQL Whiz 2005.....

Code Warriors 2005 - An ultimate development challenge for all Microsoft technology users. Horn your Whidbey skills, tame your applications and win lot of prizes !!!! The contest is commencing soon, and you can start preparing right now... For preliminary round, submit documents about the application you are going to work on, leveraging Whidbey. Once your entries are valuated, then you can submit a working copy of the application for final evaluation.

Again..... You application shall be showcase for entire community at gotdotnet, apart that, you recieve lot of prizes, books signed by Microsoft experts.

Come on, start working on... After all, its your code and your sword for code warriors 2005 at MUGH!!!

Find more about contest at
http://www.mvpblog.com/techfest/index.htm
http://www.mugh.net

Events, Contests gala at MUGH - Part I unfolds

2005-09-01T21:12:00.000-07:00

MUGH, short for Microsoft Users Group, Hyderabad is launching events that tend to bring out best in you. This contest is open for all Indian Residents :) who have a passion for Microsoft latest technologies (none other than .NET 2005) and SQL Server.

We have two series of events occuring, and part one is unfolding today. SQL Whiz 2005 is a SQL white paper contest, where in you can show case your strong architecture, design and technical skills in form of white paper, that caters to SQL technologies. Promoted by INETA, Satyam, Infotech, Microsoft, the event is a unique blend of professionalism and passion. Community blog has just been updated, and its really thrilling!!! [http://www.mvpblog.com/techfest/]

Watch out this space for more info on SQL Whiz 2005 and Part II event updates.

venkat.Murthy

Design Aspects

2005-08-25T01:40:00.000-07:00

This is an excellent resource for thinking design flaws in Java. .NET 2005 has similar retrospectives, but since it has not yet been public, blogs are the only resources for design decisions on .NET 2005. One such thing is listed here.

venkat.Murthy

ASP.NET Training

2005-08-18T02:13:00.000-07:00

Microsoft has limited time offer on ASP.NET free training here. Hurry up, otherwise, it would cost you $$349.00 !!!

Fun way of learning new features in Visual Studio 2005 and SQL Server 2005

2005-07-28T00:21:00.000-07:00

Microsoft has launched new site to learn about the benefits of Visual Studio 2005 and SQL Server 2005 in a humorous way. Follow this link for more details and fun ofcourse !!!.

Happy Visual Studio and SQL server programming !!!

venkat.Murthy

How many threads does a typical managed process have when it just starts to run?

2005-07-13T01:50:00.000-07:00

Yun Jin in this very interesting post talks about threads in managed process.

very interesting indeed!!!

Basic Security Profile 1.0 Sample Application: Preview release for the .NET Framework version 1.1

2005-06-04T09:23:00.000-07:00

Patterns and Practices (PAG) team at Microsoft has just released a preview of Basic Security profile 1.0 application.

The Microsoft WS-I Basic Security Profile 1.0 Sample Application is a preview release to demonstrate interoperability of secure Web services.

This release includes the Sample Application, which was developed using the Microsoft .NET Framework version 1.1 and Microsoft Web Services Enhancements (WSE) 2.0. Also included is the Microsoft Basic Security Profile (BSP) 1.0 Sample Application Guide which describes the design and implementation of the Sample Application and steps you through the process of installing and using the Sample Application. The guide also describes how the Sample Application uses WSE 2.0 to provide interoperable secure Web services based on the WS-I BSP 1.0.

Apart from Source Code, The guide includes information about the:

Implementation of Web service security using X.509 certificates and using declarative security policy.
Design of services to provide interoperability and resilience to change.
Manner in which the Sample Application uses WSE 2.0 to provide interoperable secure Web services based on the WS-I BSP 1.0.
Process of installing and using the Sample Application.
Factors to consider when developing and implementing your own secure interoperable Web services.

More info can be found here.

venkat.Murthy

Oracle support for .NET

2005-05-19T21:12:00.000-07:00

Though I am not an avid Oracle user, it is good to see how different products continue to leverage .NET capabilities and resources.

Oracle has announced a new set of development tools called Oracle developer tools for .NET to .NET enthusiasts who wanted to utilize Oracle database.

Oracle developer tools for .NET come with a set of development tools - the tools that are tightly integrated with Visual Studio .NET 2002 or Visual Studio .NET 2003. The developer tools combine the rich UI of Visual Studio .NET and allow to interact with Oracle database. Oracle Explorer (an explorer of Oracle Database), wizards and designer(for creating Oracle .NET applications) , Automatic Code generation (Pull in the data from Stored Proc, and code is automatically generated !!!) and .NET stored procedure deployment are some of the tools available at oracle developer tools for .NET.

ODP.NET or Oracle Data Provider for .NET is a rich data base programming interface. Moreover, it is derived from ADO.NET specification, and thus, has inbuilt all features that ADO.NET supports. While all can be the same, interesting point here is that, ODP.NET supports multiple "resultsets" for a single command object. ODP.NET has also some of the performance tuning options available for Oracle. Above all, ODP.NET comes with full support to Oracle 10g database.

ODP.NET is available for free download. Any prizes for that?

venkat.Murthy

Threat Modeling Guide resource at Microsoft

2005-05-17T21:00:00.000-07:00

Microsoft has an excellent resource for Threat Modeling here. This guide intends to speak on Threat Modeling and covers steps to create Threat Models.

For those new, let me brief about Threat Modeling: Threat Modeling is technique that encompass around security right from the Design phase. Applications should be secure by design, as well as secure by coding. Threat models when fully constructed can be seen as "attack patterns". It would enable all - architects to app coders, to successfully absorb threats, vulnerabilities and attacks.

Threat modeling revolves around three key stages:
1. Collecting background information for the application
2. Modeling the system : Typically in this stage you would draw boundaries around the app you develop and start seeing application from attackers prespective.
3. Determine threats : Once you have modeled the system, you determine the threats and develop some severity for each threat detected. This severity would be qualitative as well as quantitative. Quantitative in the sense, you apply STRIDE for the threats determined, and Qualitative in the sense you apply DREAD ranking. And finally you get the severity count for each threat determined. Higher the severity, higher is the app risk prone. And you could solve the problem, before it actually begins !!!

venkat.Murthy

IIS WebCast Series Website

2005-04-26T21:00:00.000-07:00

This http://www.iiswebcastseries.com link is awful one, for all potential people involved in IIS 6.0. It is a mixture of all previous web-casts, future webcasts on IIS 6.0. I found it pretty cool to delve into details of IIS 6.0 server, and configuration issues.

You can mail iiswcast@microsoft.com for further queries and comments.

Get deeper into IIS 6.0, and happy programming !!!

SecureString in Whidbey 2005

2005-04-18T03:53:00.000-07:00

Enter Password: ********** .What if the password you’ve kept alive till the transaction is not garbage collected?
Enter Credit Card Number: 54XX-XXXX-XXX-XXXX. Are you sure enough that, your own encrypting algorithm will clean up memory, after the credit card info is validated?
Enter your SSN Number; Enter your Account Number, the list seems unending.

Assigning sensitive data to string is more common development strategy. String class in .NET flexible and is immutable. Immutable in the sense, once the instance of string variable is created, it is read-only, and it is not possible to predict when that instance is garbage collected. Having no control over finalization, makes us to think twice while assigning a password to string variable.

There is a new class available in .NET 2005, “SecureString”. In this entry, I will evaluate some of the features of securing your secure info, leveraging new SecureString class.

A SecureString object is same as String object. Both can hold text values. SecureString is available in System.Security name space. SecureString represents that the text should be encrypted. It represents text that should be kept confidential and is encrypted for privacy when being used, and deleted from computer memory when no longer needed. That is, it guarantees that data should be deleted from computer memory, after use. (No more waiting till GC cleans!!!). That is SecureString has deterministic destruction(will have its destruction well defined) after usage. SecureString can encrypt/decrypt data on its own, and uses windows well defined and proven encryption/decryption methods. When we assign a password to secure string, the data is encrypted, and when we retrieve, it is decrypted. The value of an SecureString instance is automatically encrypted when the instance is initialized or modified.
The value of an instance of SecureString is automatically encrypted when the instance is initialized or when the value is modified. Your code can render the instance immutable and prevent further modification by invoking the MakeReadOnly method.
SecureString has no members that inspect, compare, or convert the value of a SecureString. The absence of such members helps protect the value of the instance from accidental or malicious exposure.

DevCon2005 @ MUGH

2005-04-11T23:26:00.000-07:00

Finally,

Thanks a zillion to all for making DevCon 2005 a grand sucess. It was really great experience in planning, organizing and conducting such a great event. There was tremendous technology flowing every where at DevCon 2005, and wide audience were just in high spirits !!!

DevCon 2005 had attendees from Infosys, Satyam, Virtusa, Wipro, TCS, Infotech and Keane. It is thrilling to have such high profile audience in any event.

There are couple of suggestions for MUGH, and wait more to see them implemented.

Meet with Leads

2005-03-15T05:00:00.000-08:00

We had a round table meet with s somasegar, vice president for developers tools at campus. It was really interesting to listen from guru about the road map ahead for and new features in Whidbey.

Win32 API -> .NET Framework API

2005-03-01T03:03:00.000-08:00

This cool link has details about good old Win32 API's mapped to .NET Framework API.

We can acheive almost the same using .NET Framework API's, which we were doing using Win 32 API !!!

Really awesome.

XSS Attacks

2005-02-18T01:44:00.000-08:00

Following three things i found across my experience, that happen with query strings appended to URL.
1. Write to a object and store for some other use
2. Redirect to a different page
3. Pass the value to database as parameterized value (This one is particularly i m not happy about)

This posting talks about XSS Scripting and vulnerabilities. It speaks about utf-8 encoding to overcome. What about content that does not support utf-8 ?

What about in .NET 2.0 ?? Breaking news is that .NET 2.0 has lot of improved security enhancements, like new cryptographic routines, improved security namespaces, new Security APIs..

Time to get fingers crossed.

New MSN Search

2005-02-01T19:56:00.000-08:00

MSN search is back with improved search engine.

I've been googling, but this bubbly new MSN search has taken me of all favourites. One feature i've liked is cached search results, as we get on Google Complete, but with no extra different URL !!!

One thing I would like to see there in MSN Search is no top banner, and contain some cool XP Floating themes instead.

Happy Searching.

Nerd ? Huh..

2005-01-27T01:04:00.000-08:00

Access Modifiers Internals (Excerpt from mail - Courtesy Jeff Atkins)

2004-12-13T21:45:00.000-08:00

The public and private keywords specify access at the individual class level.

Comparing Access Levels
It is important to realize that internal access is different from public or private access:
· Public access is logical.
The physical deployment of a public class (or a public class member) does not affect its accessibility. Regardless of how you deploy a public class, it remains public.
· Private access is also logical.
The physical deployment of a private class (or a private class member) does not affect its accessibility. Regardless of how you deploy a private class, it remains private.
· Internal access is physical.
The physical deployment of an internal class (or an internal class member) does affect its accessibility. You can deploy an internal class directly in an executable file. In this case, the internal class is visible only to its containing compilation unit. Alternatively, you can deploy an internal class in an assembly. You can share this assembly between several executable files, but internal access is still limited to the assembly. If an executable file uses several assemblies, each assembly has its own internal access.
Comparing Internal Access to Friendship
In languages such as C++ and Visual Basic, (though I've never tried my hand at C++) you can use friendship to grant to the private members of one class access to another class. If class A grants friendship to class B, the methods of class B can access the private members of class A. Such friendship creates a strong dependency from B to A. In some ways, the dependency is even stronger than inheritance. After all, if B were derived from A instead, it would not have access to the private members of A. To counteract this strong dependency, friendship has a few built-in safety restrictions:
·Friendship is closed.
If X needs to access the private members of Y, it cannot grant itself friendship to Y. In this case, only Y can grant friendship to X.
·Friendship is not reflexive.
If X is a friend of Y, that does not mean that Y is automatically a friend of X.
Internal access is different from friendship:
·Internal access is open.
You can compile a C# class (in a source file) into a module and then add the module to an assembly. In this way, a class can grant itself access to the internals of the assembly that other classes have made available.
·Internal access is reflexive.
If X has access to the internals of Y, then Y has access to the internals of X. Note also that X and Y must be in the same assembly.

My Upcoming News: Security Article - This week end

2004-12-05T20:38:00.000-08:00

Just now geared myself to start on a article about - what makes it way to build :- write code for secure applications.

Following would be brief synopsis about the same.

- Why should we go for secure systems: An overview about un-secure applications, and potential harms.
- Design considerations for n-tier application: Design a secure application:- About Secure Development life Cycle, Threat Models/DREAD
- Secure n-tier environment: Secure Web Server, Application Server, Database Server, and client machine. (machine-level security)
- Write Secure Code: Write (Validations, SQL Injections, buffer overruns, caching, sessions, HTML encoding, encryption/decryption, choosing Data Types, cannocalization), verify (FxCop, code-reviews) and test (Security test Cases) .
- Tools and Techniques for Secure Application: MBSA, IIS Lock Down, URL Scanner and Threat Model hints.
- Future for secure initiative: Leverage secure initiative, and make bad guys feel more insecure.