The .NET Sweatshop

Working day and night to help .NET users get the most out of programming the coolest platform on the planet.

Wednesday, June 18, 2003

It's finally here. After 8 long months of blood, sweat, & tears, the men from the "Security GoF" have just released the follow-up to Building Secure Web Apps. This guide helps you design, build, & configure tough web apps that withstand most attacks and mitigate the extent of damage if someone slips by. The key words: holistic and systematic. STRIDE is cool and it gets the ball rolling, but as JD puts it, this guide is gonna "rock people's world". Now, I gotta warn you--this thing is HUGE. Over 800 pages and it's free as a PDF! There will be a print version for those of you who don't want to destroy your printers, but this isn't about selling books. Security is like a baseball umpire--you don't notice him until he screws up. Well, you don't know security until you've been burned. Unfortunately, most of you have been burned whether you realize it or not. This guide is a collection of experiences converted into actionable guidance. How To's, Checklists, QuickStarts. I think I even saw the kitchen sink in there ;>. Anyway, take a look and let me know what you think (mailing address is

Improving Web Application Security

Wednesday, June 11, 2003

Obviously, security is a key issue here at Microsoft and especially within our guidance juggernaut. Specifically dealing with ASP.NET, our first guide is out there and our second guide is soon to follow. The security studs at @Stake did a study of WebSphere on Red Hat running against Win 2003/.NET Fx 1.1 and I have to say I was pretty happy with what they came up with, especially because they pointed out the emphasis that Microsoft put on providing security guidance. That's JD, Srinath, Ray, and Dunner (or as I like to think of them, the Security GoF ;>). When I started on this job, everyone was telling me we couldn't be better than IBM & their Redbooks. It reminded me of Conan O'Brien's first episode 10 years ago when everyone told him he could never be as good as Letterman. Well, folks, I loved Letterman but Conan is better. And Redbooks are cool, but we're better. No trash-talking, just one man's opinion. Well, one man and the folks at @Stake. Check out their report at:

(WARNING: Shameless Plug Ahead)
And for those of you who have been enlightened by our first guide, you can find it at:

Friday, June 06, 2003

Authentication flow in ASP.NET - Picture that never made it to the big screen...

One late evening Dunner, JD and I were discussing that we should have a BIG picture in the Building Secure ASP.NET guide that captures the complete process flow of Authentication in ASP.NET, starting from the browser, to IIS and through all the layers in ASP.NET. I grabbed a couple of dry-erase markers and in 10-15 minutes, we came up with a picture. Occasionally we glanced at the source to make sure we were not missing anything… that picture stayed on my whiteboard for a very loooooooong time. I didn't want to erase it, and I was occupied with other things so I didn't have time to capture this… I started using the corners of the whiteboard until I ran out of whitespace. I finally decided to capture the contents on the board, in Visio. I captured parts of it; it never got validated with other developers, and on top of that we had to come up with a smaller version, because the picture was too big to fit in.

This was drawn several months ago, during v1.0 days. I can't guarantee the accuracy; however, the logic should be pretty close to what you see here. Hope you find this useful! If you did, I would like to know… please drop us a line at secguide @ microsoft . com
Link to AuthNProcessFlow.jpg

Thursday, June 05, 2003

I should take a second to introduce another member of the .NET Sweatshop. Srinath Vasireddy was pulled into the PAG team about a year or so ago as a subject-matter expert on ASP.NET technologies and his first task was to join forces with JD Meier to lead a team delivering on the corporate Trustworthy Computing message with an extensive examination of ASP.NET Security. What has ensued has been over a year of blood, sweat, and tears from a team that I am proud to be even associated with. They've taken the topic, looked at it from every angle and every customer perspective, and created 1,200 pages of pure .NET bliss. The first guide is "Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication". This site is named after my nickname for the guys that produced those guides and Srinath is a charter member. I'm looking forward to some great contributions from him.

Wednesday, June 04, 2003

We've done a lot of exciting work around the application architecture and our design patterns are really coming along. Personally, I am on a mission to get smarter about the integration story. Applications & platforms that talk to each other. Business processes conducted like a perfect symphony. Taking information once restricted to a green screen and using it in your .NET application. I think (and I am not alone) that the mission begins with web services. I was reading a book by John Hagel called "Out of the Box" that provided an interesting treatise on the impact of web services on businesses. From a technical standpoint, web services are phenomenally hard (especially when you use VS.NET to create them :>). But they have the power to deliver on the promise of many past technologies. UDDI, SOAP, and WSDL all create this immense flexibility. Of course, I think this book might blow the transforming abilities of web services out of proportion, but they really are an exciting change that, once it completes its evolution, will really impact how the internet is used. We are ramping up on Patterns & Practices content around web services. Our focus is on optimizations, compliance, and leveraging existing technologies in a service-oriented architecture. Eventually, we want to really drive home the exciting capabilities of BizTalk as the centerpiece of an integration architecture. IBM is right--there's no "magic pixie dust". But there is architecture along with Patterns & Practices and that goes a long way. :>

Sunday, June 01, 2003

Apps designed by independent software vendors have helped make the Microsoft Windows® operating system the world’s most popular computing platform. Since the first version of VB, Microsoft has done a lot to make coding cool. Over the last several years, the evolution of computing has resulted in an increase in system complexity. This phenomenon led Microsoft to create the .NET Framework as a flexible architecture designed to support increased system complexity while permitting developers to more easily take advantage of system capabilities. Microsoft has spent a lot of time and resources to create Visual Studio.NET, an awesome IDE that enables developers to realize the potential of the .NET Framework. Personally, I've loved tooling around with VS.NET and messing around with web services, .NET CF, and ADO.NET. I'm from the old school of C++ programming, but .NET has been a delight and I've gotta say I love this stuff. I know I am biased, but this stuff is really good!

But what's really exciting is that Microsoft is taking it one step further. I work for the Microsoft Platform Architecture Group here in Redmond and we make Patterns & Practices. Patterns & practices provide proven architectures, production quality code, and lifecycle best practices. This stuff takes some of the toughest pitfalls and helps you navigate through them. ADO.NET, Security, Deployment, and all the other stuff that may be totally new to you. You can find this good stuff at: .

I'm a Product Manager and I am charged with coming up with ideas for new programs and new guides. To do that, I read the news, listen to the analysts, "eat the dogfood" (write my own .NET apps to feel your pain), and most important, pound the pavement and talk to customers. This blog will be featuring myself and some of my colleagues to give you some of the inside skinny as we keep generating more of these solutions to help you code some exciting .NET applications. Keep coming back here to get our latest thinking on what's hot, what's not, and maybe even some early morsels of future guidance. Also, we'd love to get your feedback on our comments, stories, titles, plans, etc., so feel free to ping us when you've got something to say.