Thursday, October 15, 2009
So, it appears that the FTC is now getting into the business of regulating blogs and the disclosure of those who blog.
So, if you are blogging to promote your business or are receiving some kind of goodies from a vendor for blogging about their products, services, etc., you may want to look at these two sites:
Have a look and enjoy!
Tuesday, September 29, 2009
Well, it looks like Microsoft has been busy on the security front this month. Not only did they release their Security Essentials this week, but also some interesting testing tools.
Essentials is the Microsoft answer to real-time Home PC protection. It guards against viruses, spyware and other malicious software. It is now available for download from Microsoft.
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds them to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviors.
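The technique described above (random variations of a valid file fed to file-handling code), as an added example that is not MiniFuzz's code and not from the original post. The record format, `parse_records`, and the seed file are constructed for illustration; the parser deliberately trusts its length fields so the fuzzer has something to find.

```python
import random

def parse_records(data: bytes) -> list:
    """Constructed target: 'RC' magic, a record count, then length-prefixed records.
    It trusts the count and length fields, which is the flaw the fuzzer should expose."""
    if data[:2] != b"RC":
        raise ValueError("bad magic")      # clean, expected rejection
    count = data[2]
    pos, records = 3, []
    for _ in range(count):
        length = data[pos]                 # no bounds check: IndexError on bad input
        records.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Overwrite 1-3 randomly chosen bytes of the seed file with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to target; return {input: exception name} for every
    failure that is not the parser's own ValueError rejection."""
    rng = random.Random(rng_seed)          # fixed seed so findings are reproducible
    findings = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except ValueError:
            continue                       # handled rejection, not a finding
        except Exception as exc:           # unexpected failure: keep input for triage
            findings[sample] = type(exc).__name__
    return findings

SEED_FILE = b"RC\x02\x03abc\x02hi"         # constructed valid sample input

if __name__ == "__main__":
    # Print a few failing inputs as hex so they can be replayed under a debugger.
    for sample, err in sorted(fuzz(parse_records, SEED_FILE).items())[:5]:
        print(err, sample.hex())
```

Each saved input is a regression test: once the parser checks `pos` and `length` against `len(data)` and raises `ValueError` instead, the same run should return no findings.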
BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft's Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
I would recommend you check these out…
Wednesday, August 05, 2009
Recently, a friend and past coworker called and of course the topic meandered to work and software development as frequently occurs. We began discussing development and agile development in particular. It seems that a majority of his issues appear to stem from self-styled “Agile” or lean development teams and the lack of attention to adequate requirements gathering and discovery at his organization.
Often and from many people, I hear that agile or lean development processes are flawed because they focus the team on self direction and deliverables rather than ensuring complete specifications before the development has begun. However, being lean or agile is not about skipping the necessary, prudent or regulated development tasks. It is about minimizing the effort spent on tasks where the cost benefit ratio is less than desirable when the guiding policies, regulations and contracts do not require the undertaking, deliverable or function. This means that appropriate and sometimes even complete requirements gathering is a primary pre-requisite of all agile development initiatives.
No, I am not saying that you must completely specify, document and define all interfaces, functionality, architecture and design; however, you had better know the rules, constraints and at least the minimum requirements for successful completion (and yes, although agile prefers working deliverables and satisfied customers over highly specified contracts, detailed contracts are often the norm). This means that if the requirements have not been defined, legislated or contractually agreed upon prior to the beginning of the project then it is the agile development staff’s initial responsibility to ensure that they discover and define them.
With the high levels of enthusiasm and passion usually associated with the start of a new initiative, I know that it is very easy to start defining and designing a solution prior to truly ensuring that we adequately know the constraints, guidelines, restrictions and requisites, in addition to the final goal or desired deliverable. While you can freely practice and prepare for a marathon, don’t try to start, run and win a marathon before you ensure you know and complete the application process, the checkpoint requirements, the schedule and the acceptable course. You don’t win the marathon by just being the first person at the finish line the day of the race, by running the race a day early or late, or by running the race without checking in at the required checkpoints.
We need to remember that our first goal before solving the problem is to refine, define and appropriately ensure that we know what the problem, goal or destination is, as well as the rules we must follow to get there.
Thursday, July 30, 2009
Emergency patches issued for IE and Visual Studio
Microsoft on Tuesday issued two out-of-band security patches -- one for the development tools suite Visual Studio and another for Internet Explorer.
Read the full article here:
Wednesday, July 22, 2009
I just finished watching David Chappell - The Microsoft Application Platform: A perspective from the Dutch DevDays09 and he definitely raises some interesting points on Service Oriented Architectures (SOA). Having been working for the past few years attempting to develop and test somewhat loosely coupled applications and components that expose functionality via specific interfaces and open service endpoints, I definitely see that there is a much greater development cost. Is this truly SOA? I must agree that many would say yes and many would say no. But, I will have to leave that to a later discussion.
As to the cost/benefit analysis, I will definitely leave that to the financial guys who have time for such scrutiny; however, there have been other benefits from utilizing this type of framework. It has been much easier to extend and in some cases completely replace components (even when the underlying application platforms completely changed) with minimal if any impact on other services, components or applications when appropriate governance has been employed. But as he states, it takes strong leadership, guidance and constant evangelism to maintain the momentum and evolution. Is it worth it? Only the future (and the finance department :)) can say. For our particular scenario, it has proven to be of some benefit.
I will say this. Planned, designed-in re-use of a software component has always been an extremely difficult objective and in my experience seldom if ever really occurs (even when you don’t count at least one evolution or iteration that almost always occurs). So, I must agree that the cost of construction and maintenance is always greater when re-use is a primary (and seldom achieved) goal. More often than not, I must agree that the opportunity for re-use only occurs well after the component is obsolete for some reason or has been flagged for replacement for another reason.
So, take a look at this video, it raises several interesting questions on future architectures, application and development platforms and a uniquely David Chappell viewpoint.
Tuesday, July 21, 2009
Well, I guess I have to file this one under I wish I had known earlier BUT…
If you are in need of some reasonably priced developer training and can get there, DevLink looks to be quite an interesting small conference and you cannot beat the price. Having heard some very interesting positive feedback from others about DevLink, I regret that I have other commitments or I would be there! So, if you have August 13th – August 15th free and can get there, I would check this out.
Thursday, July 16, 2009
Do you want... an opportunity for FAME, Fortune, some GREAT information on Tools, Techniques and not to mention just plain fun?
(hmmmm, maybe some swag too.. who knows)
Then…
Make sure you make it to the Tampa Microsoft office by 6:15 PM EDT on 7/22/2009 for the Tampa .Net User Group meeting for the recording of the next episode of “It’s all about the Tools!” Or, if you can’t make that then definitely check out the other episodes and videos on Channel9 - Russ's Tool shed.
Wednesday, July 15, 2009
If you have not heard, there is an updated MS SDL Starter Kit available for download. This kit provides a compilation of baseline developer security training materials on core Microsoft Security Development Lifecycle (SDL) topics.
The core Microsoft Security Development Lifecycle (SDL) topics include:
- Secure design principles
- Secure implementation principles
- Secure verification principles
- SQL injection
- Cross-site scripting
- Code analysis
- Banned application programming interfaces (APIs)
- Buffer overflows
- Source code annotation language
- Security code reviews
- Compiler defenses
- Fuzz testing
- Microsoft SDL threat modeling principles
- The Microsoft SDL threat modeling tool
Each set of guidance contains Microsoft Office PowerPoint slides, speaker notes, train-the-trainer audio files, and sample comprehension questions. All materials have limited formatting so that you can leverage the content to achieve broader, enhanced adoption of Microsoft SDL principles in your development organization.
Wednesday, July 01, 2009
Using the SDL? If not, you should be considering it…
Having blurred the line between development and Test Engineering at our organization, I am finding out how little our development team(s) knows about secure development practices. Not a good thing. Recently, Microsoft released the SDL process template for VSTS and I think it’s going to help.
So, if you have not seen this it is a nice start at helping ensure secure development practices are used by your team. Hmmm, amazing what a little process, a little knowledge and a nice video can achieve?
So, check it out here at the Microsoft Security Development Center.
Wednesday, May 20, 2009
Recently, I have noticed numerous blogs, articles and other sources reminding me of the technologies, techniques and practices that the software development industry has begun to discard and developers are or should be ignoring. While many of these are obviously obsolete technologies that have been replaced by others across all modern and common platforms, there are many that are still necessary in today’s software development environments and organizations.
The techniques to which I am referring are low level coding skills, memory management, code optimization and performance optimizations. I know that every application does not require the “optimized” and “superlative” implementation and performance, but many environments still do require better performance and resource management than our tools can provide. To ignore and discard these techniques as un-necessary and obsolete would be similar to saying that we don’t need to learn to add, subtract or divide since we all have cell phones and computers which always have a calculator application.
What concerns me most about this trend is that it targets several of the most complex, intricate and challenging areas of expertise that are still completely necessary in many of our more limited environments. And even in our more contemporary platforms, these areas are nowhere near maturity. I know we are advancing technology at a fast pace and will outgrow some of these issues, but I am tired of waiting (possibly un-necessarily) when I run multiple applications at the same time on my portable devices. And I know as an engineer, even the best of these platform based solutions are not nearly as efficient as what a highly skilled engineer can do.
Yes, most applications do not have to be optimized to have very acceptable performance, and there will always be those one-off or quick and dirty implementations due to other time or business constraints. BUT, we need to consider that we have not reached the “nirvana” that many platform developers, tool developers and academics would like us to believe. When the complex code we rely on is so bloated, inefficient and hidden behind the scenes, how do we debug, accurately test and correct any issues without understanding the techniques used? If these techniques are further blurred by poor implementations, excessive code and disproportionate resource requirements, then the performance and quality of our applications will suffer. Especially when we are running multitudes of these applications on server implementations in virtual environments all on the same hardware platform; while it may not be the perfect storm, it sure sounds like a hurricane to me.
So, before we ignore these highly valuable skills and techniques because they are not so pleasant to many of us and very difficult to most, I think we should remember that there is still a great demand and need for engineers capable of developing, debugging and appreciating low level, embedded and complex technology skills.
The trick is to not only have the expertise but also the wisdom and sense to determine when and where they need to be applied. Yes, we may need fewer people with these proficiencies but like many skills, historically, the rarer the “required” skill set is the more valuable the resource is…
Ahh, got a bug… it sounds like a job for “super geek” and he is not cheap!
Tuesday, March 10, 2009
While attending a Microsoft Developer Event today (the VSTS Fire Starter in Tampa), I was reminded by Joe Healey that it is my civic duty to write a blog entry at least once a year. That being said, I find that next week would be the 1st anniversary of my last blog post. To those who actually read my blog, I apologize, and to those who didn’t, I apologize for making you read this one.
First, thanks to all who presented at the event, it was enjoyable and informative. To anyone who missed it, I would recommend that you consider going to the Orlando .NET Code Camp (http://www.orlandocodecamp.com) and check out the VSTS sessions presented by Catapult Systems. Last but not least, if you are not aware of the Microsoft DevLabs site I would like to introduce you to it: http://msdn.microsoft.com/en-us/devlabs. I recently stumbled across it due to one of the recent additions from last December…
Let me introduce you to PEX. If you have not seen the project, it is an interesting project to implement “White Box Testing for .NET”. The name PEX is derived from Program Exploration and the tool produces a traditional unit test with high code coverage. Although it is in its early stages of development, I must admit the concept of using automated code exploration and execution analysis to automatically generate a systematic and somewhat intuitive white box test is definitely a good thing. Yes, I know that using code coverage as a measure of testing and software quality is relative and not a true accurate measure of how well we test. However, when used in conjunction with other test quality metrics it does give a more complete picture of the quality of the code. So, I would check this one out: The PEX Site.
And, by the way, while you are at the DevLabs site, I would also recommend you check out the Code Contracts and Small Basic projects too. I am looking forward to playing with all of these tools.
Enjoy!
Wednesday, March 19, 2008
So, if you’re a small independent software provider in need of an inexpensive way to license MSDN and several internal use licenses for Vista, XP and Office, in addition to SQL Server® 2005, Exchange Server, SharePoint® or Windows Server, you may want to check out this program.
The Microsoft Empower for ISV Program is an initiative for independent software vendors creating new software solutions using Microsoft® technology. Membership gives you access to essential development tools, resources, and support. This is all available for U.S. $375 per year.
This is really not bad when you consider the annual subscription for MSDN alone. For more information and to see if you qualify, go to Microsoft Empower for ISV Program (http://www.empowerforisv.com/).
Thursday, March 13, 2008
So, Mike Wells was kind enough to pass this information on to me so I will do the same…
Register to Be the "First to Know" and Save on Your Exams (Worldwide)
Know when Visual Studio 2008 and SQL Server 2008 exams are available and save 40% on selected exams in your track.
Try Your Choice of Microsoft E-Learning for Free (U.S. only)
For a limited time, you can try Official Microsoft E-Learning for free! Choose from 1,400 hours of IT professional and developer content covering all of the latest technology from Microsoft.
Also, the Sarasota SQL Server Developers group meeting is tonight at the Community Foundation of Sarasota. Rob Hatton, leader of the Tampa SQL Business Intelligence Group, will be giving his presentation Designing Analysis Services Cubes.
Designing an Analysis Services Cube
Designing an Analysis Services cube is a completely different undertaking than designing a relational database. This presentation will cover the steps needed to design a cube, as well as the fundamental concepts needed for a good design.
This is a must see presentation for anybody that is new to working with cubes or wants to learn about Analysis Services. Please RSVP for this event.
Register for the Sarasota SQL Developers Group Meeting
Thursday, February 14, 2008
Want some free Microsoft eBooks…
You can get some free MS eBooks and Visual Studio eLearning at: Microsoft Visual Studio Learning Portal
This is a great place to keep up with the latest Visual Studio training opportunities from Microsoft.
Check it out…
Don’t Forget, the 2008 Tampa SQL Saturday is this weekend. For more information, go to: 2008 SQL Saturday
Enjoy!
Friday, February 01, 2008
Free Food, Giveaways, raffles, and GREAT Free Training.... Sounds like CodeCamp!
The South Florida CodeCamp is tomorrow, so don't miss this one if you can be there. You need to sign up at http://www.clicktoattend.com/?id=122048
Don't miss this opportunity to learn, network and just have fun.