In This Issue
Developer .NET Perspectives
New and Improved
Sponsor: LearnKey, Inc.
Enter to win FREE SQL Server DTS training on CD-ROM at http://www.learnkey.com/sqldev. If you design or work with databases that are stored in different formats, then LearnKey's SQL DTS & OLAP training is for you! Learn to use DTS & OLAP to go beyond the capabilities of relational database systems and simplify data transfer and analysis. Save 25% on additional SQL Server and .NET developer courses at http://www.learnkey.com/sqldev or call 800-865-0165.
Developer .NET Perspectives
In addition to bringing new life and warmer temperatures, the onset of spring starts the season for training. As part of its spring training, Microsoft is currently holding Developer Days (DevDays) 2004 events around the country. This multicity event started at the end of February and runs through the end of March. This year's DevDays has two tracks: the Web Development Track, which covers how to secure ASP.NET applications, and the Smart Client Track, which discusses how to build smart client applications. I presented the final session in the Web Development Track in San Diego on Tuesday and will repeat my performance on March 15 in Los Angeles. For information about the DevDays event in your area, go to this Web site:
Because not everyone who receives Developer .NET UPDATE is near a participating city or can take the time to attend this Microsoft event, I want to let you know what DevDays 2004 covers and tell you about some informative materials that are currently available.
The good news is that DevDays doesn't concentrate on what's coming or what's new in developer tools. Instead, after you get past the opening keynote, you're immersed in best practices for working with existing tools, such as Visual Studio .NET 2003.
In the Web Development Track, the presentation starts with an introduction to security threats, such as the cross-site scripting attack and the far more dangerous SQL Injection attack. In case you've never heard of these commonly used attacks, let's take a quick look at them. The cross-site scripting attack targets input that your site redisplays to users. To execute this attack, an intruder submits script tags through your input fields; your site then includes those tags in the text it displays, and the browsers of other visitors run them. The result is that the embedded tags can redirect other users and their subsequent input to the intruder's site. The rogue script tags, which become embedded in your site, pose a risk to your site's visitors. In an SQL Injection attack, an intruder submits commands against your site's database through your input fields. The SQL Injection attack relies on two coding practices that you should avoid: not validating user input before using it, and using dynamic SQL statements that paste that input into the query text.
You can easily defend against the cross-site scripting attack and the SQL Injection attack. At the end of this column, I include links to sites where you can get more information about defending against the SQL Injection attack. However, at DevDays, Microsoft presented a more elegant way to defend against this attack.
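The two coding practices named above, and their fixes, in working code. This is an added example, not code from the column or from Microsoft's OpenHack application; it uses Python with an in-memory SQLite table as a stand-in for the ASP.NET and SQL Server setup the column describes, and the table, its rows, the function names and the sample inputs are all constructed for the demonstration.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table standing in for
    the site's SQL Server database (example only, not the OpenHack schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_dynamic(conn, name):
    """The practice to avoid: user input pasted into a dynamic SQL string.
    Quote characters in the input become part of the SQL grammar, so the
    WHERE clause can be rewritten by whoever fills in the form field."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """Hardened form: a parameterized query. The driver sends the input as a
    value, never as SQL text, so quotes in it cannot change the statement."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Allow-list for a username: letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(name):
    """Input validation before use: accept only the characters a username may
    legitimately contain and reject everything else up front."""
    return USERNAME_RE.fullmatch(name) is not None


def encode_for_html(text):
    """Output encoding for anything redisplayed on a page: tags submitted
    through an input field are rendered as literal text, not run as script."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing SQL quote characters.
    tainted = "x' OR '1'='1"
    print(find_user_dynamic(db, tainted))        # every row: the WHERE clause was rewritten
    print(find_user_parameterized(db, tainted))  # []: no user has that literal name
    print(is_valid_username(tainted), is_valid_username("alice"))  # False True
    print(encode_for_html("<script>alert(1)</script>"))
```

The two defenses are independent and should be used together: validation rejects input that has no business in the field, and parameterization makes the query safe even for input that passes validation, such as a free-text comment field that legitimately contains apostrophes. Output encoding belongs at the point where the text is written into the page, not where it is stored.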
As part of DevDays, and in particular in the session I present, participants review the source code for Microsoft's OpenHack reference application. Microsoft created this application for eWeek's OpenHack 4 competition, which was held to test Web application security. For this competition, eWeek asked participants to harden a provided Web application and deploy the hardened application on their choice of OS, Web server, application server, and database platforms. Both Microsoft and Oracle submitted hardened applications and servers, which were posted online. Then eWeek issued a challenge to hackers to try to complete any of five hacking challenges on the posted systems. In the competition, Microsoft's hardened application withstood more than 80,000 attacks.
What makes Microsoft's OpenHack reference application really interesting is that Microsoft built this application to meet a third party's requirements. The application wasn't based on what someone in Redmond wanted marketed that week, nor does it highlight the latest technical feature. For example, the application doesn't rely on Active Directory (AD) for authentication but instead uses Forms-based authentication and keeps its users in Microsoft SQL Server. The application operates as a true Internet application.
The point of the DevDays session is to show that by addressing input validation issues, you can use ASP.NET to create a secure Internet application. Fortunately, you don't have to attend DevDays to get this information. Although I can't give you a link to the source code for the OpenHack reference application, Microsoft has a comprehensive review of how to secure ASP.NET applications in the guide "Improving Web Application Security: Threats and Countermeasures." You can download this free guide from the following Web site:
The Smart Client Track provides practical information about how to leverage the power of the desktop. As XML Web Services continue to evolve, you can create a distributed application that isn't bound to the browser's limitations. To this end, DevDays has a series of presentations that culminate in the creation of a trickle-down smart client. The concept behind trickle-down smart clients is that you can post your client application to a local URL and have users download and run the application locally. The result is that you leverage the power of the client without having the costs associated with physically touching each client to install applications or perform machine maintenance.
Although the opening and closing keynote speakers discuss the future of Microsoft tools, the tracks in this year's DevDays concentrate on what you can do with the tools you have today. In the March 19 issue, I'll continue that theme by discussing how to use SQL Server 2000 Windows CE Edition (SQL Server CE), a poorly documented but powerful tool for mobile applications. In the meantime, here are some links to information about the topics covered in DevDays:
- "MSDN Webcast: Best Practices for ADO.NET Development" (http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032244722&culture=en-us). The first demonstration in this Microsoft Developer Network (MSDN) Webcast introduces you to the SQL Injection attack and describes how to defeat it.
- "MSDN Webcast: Protecting Your System From SQL Injection Attacks - Level 200" (http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032246187&culture=en-us). This Webcast takes an in-depth look at the SQL Injection attack.
- "MSDN Webcast: Smart Client Deployment with Windows Forms" (http://msevents.microsoft.com/cui/eventdetail.aspx?eventid=1032239685&culture=en-us). This MSDN Webcast discusses trickle-down smart clients.
Literally hundreds of Webcasts exist that can provide you relevant information about all kinds of topics, including development, security, Microsoft .NET and Web services, and SQL Server. The good news is that Windows & .NET Magazine recently added an events section to its Web site that indexes many of these events. To access this site, which is devoted to both on-demand and upcoming live events, go to:
Sponsor: DevConnections: Win a Harley Motorcycle
DevConnections conference and expo will be held April 18 - 21. Back by popular demand are concurrently running events Microsoft ASP.NET Connections, Visual Studio Connections, and SQL Server Magazine Connections. Details about workshops, sessions, and speakers are online, including the exclusive Microsoft Day on "Yukon" and "Whidbey". Save $200, receive access to all three conferences for one price, and get a chance to win a Harley motorcycle. Go online or call 800-438-6720 or 203-268-3204.
(brought to you by SQL Server Magazine)
SqlJunkies is your online community resource for original tutorial and how-to articles for developing applications with SQL Server 2000 and Yukon; peer-to-peer help and networking through discussion forums and newsgroups; technology tips and pointers from expert bloggers; and the latest in SQL Server-related events and news.
SQL Server Magazine offers advice, content, and valuable tips that take the word "timesaving" to a different level. For example, the March 2004 issue is dedicated solely to providing 116 tips to SQL Server developers, administrators, and business-intelligence architects. Each issue is packed full of useful information. Subscribe today and get a free gift!
(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )
The key to getting the most out of Reporting Services is learning the tips and tricks. SQL Server Magazine invites you to attend a free, Reporting Services Web seminar designed specifically for SQL Server professionals. This live, online event will be presented on March 17, 2004. Register today!
New and Improved
by Shauna Rumbaugh, [email protected]
Quest Software, Inc.
DB Ghost for SQL Server
This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
Windows & .NET Magazine a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All Rights Reserved.