Microsoft recently held Tech Ed 2006 events in various cities. I was able to participate in the event at Bangalore. There were different tracks and sessions demonstrating the capabilities of upcoming MS products and technologies. This document summarizes some of the more striking technologies and products.
To hacker-proof your applications, you must know the ways and means hackers use, and you must follow the process of threat modeling using its guidelines and best practices. Threat modeling is the process of identifying all possible threats to the application, the risk due to each threat, and the mitigation plan for each threat.
Best Practice: Failure of planning is planning for failure. Introduce threat modeling at the early stages of the project life cycle. One of the many best practices: never leave any loopholes; always check for specifics.
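//Bad way of coding: every status other than the one failure tested for is treated as success
SecurityCheckStatus = CheckSecurity();
if (SecurityCheckStatus != NOT_ENOUGH_CREDENTIALS)
{
    // proceed with the protected operation
}
//Good way of coding: proceed only on the one explicit success status
SecurityCheckStatus = CheckSecurity();
if (SecurityCheckStatus == ALL_SUCCESS)
{
    // proceed with the protected operation
}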
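The same comparison carried through as a runnable C program (an added example, not code from the Tech Ed session or from Microsoft). ALL_SUCCESS and NOT_ENOUGH_CREDENTIALS are the names used above; the other status codes and all function names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* ALL_SUCCESS and NOT_ENOUGH_CREDENTIALS are the names used above.
   Every other status code here is hypothetical, added for illustration. */
typedef enum {
    ALL_SUCCESS = 0,
    NOT_ENOUGH_CREDENTIALS,
    ACCOUNT_LOCKED,       /* hypothetical */
    TOKEN_EXPIRED,        /* hypothetical */
    BACKEND_UNAVAILABLE   /* hypothetical: the check itself could not complete */
} SecurityCheckStatus;

static const SecurityCheckStatus KNOWN_STATUSES[] = {
    ALL_SUCCESS, NOT_ENOUGH_CREDENTIALS, ACCOUNT_LOCKED,
    TOKEN_EXPIRED, BACKEND_UNAVAILABLE
};
#define N_STATUSES (sizeof KNOWN_STATUSES / sizeof KNOWN_STATUSES[0])

/* Bad: rules out one known failure, so any other status grants access. */
int allowed_bad(SecurityCheckStatus s)  { return s != NOT_ENOUGH_CREDENTIALS; }

/* Good: grants access on the single known-good status and nothing else. */
int allowed_good(SecurityCheckStatus s) { return s == ALL_SUCCESS; }

/* Number of non-success statuses that the given check lets through. */
size_t wrongly_allowed(int (*check)(SecurityCheckStatus))
{
    size_t n = 0;
    for (size_t i = 0; i < N_STATUSES; i++)
        if (KNOWN_STATUSES[i] != ALL_SUCCESS && check(KNOWN_STATUSES[i]))
            n++;
    return n;
}

int main(void)
{
    printf("status  bad  good\n");
    for (size_t i = 0; i < N_STATUSES; i++)
        printf("%6d  %3d  %4d\n", (int)KNOWN_STATUSES[i],
               allowed_bad(KNOWN_STATUSES[i]), allowed_good(KNOWN_STATUSES[i]));
    printf("failures let through: bad=%zu good=%zu\n",
           wrongly_allowed(allowed_bad), wrongly_allowed(allowed_good));
    return 0;
}
```

The bad check also grants access for any status code added to CheckSecurity later, while the good check keeps denying until the new code is handled explicitly.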
Good news: There is a Threat Modeling tool from Microsoft which helps to automate much of the threat modeling process.
WCF (Windows Communication Foundation)
“Windows Communication Foundation (formerly code-named "Indigo") is a set of .NET technologies for building and running connected systems. It is a new breed of communications infrastructure built around the Web services architecture. Advanced Web services support in Windows Communication Foundation provides secure, reliable, and transacted messaging along with interoperability. The service-oriented programming model of Windows Communication Foundation is built on the Microsoft .NET Framework and simplifies development of connected systems.”
Message: Abstraction is playing its role in the upcoming version, .Net Framework 3.0. A whole set of discrete technologies (ASP.Net web services, WSE, .Net Remoting, Enterprise Services and MSMQ) is being replaced by WCF in .Net Framework 3.0.
Good News: WCF will be the single technology platform from MS for connected systems development. But you have to wait for .Net Framework 3.0!
Managed Code in SQL Server 2005
In SQL Server 2005, it is possible to write managed .Net code (C# and VB.Net for the time being). All the functionality of TSQL can be implemented using this managed code hosted in SQL Server 2005.
Best Practice: It is not a good idea to always use managed code in SQL Server 2005 and completely avoid stored procedures, simply because it is possible! The best practice is to use TSQL for straight queries (simple queries or queries with many joins) and managed code for processes or calculations involving the queried data. The overhead that managed code adds to SQL Server should also be considered before using it.
Good News: OOPS in SQL Server also! Say we need to store the co-ordinates of a straight line joining points A and B in a SQL Server table. Our table definition would normally contain the following columns:
Create table LineTable (XaxisA int, YAxisA int, XaxisB int, YAxisB int)
These are almost redundant! Now, in SQL Server 2005, you can define a managed struct named ‘Point’ with integer properties ‘X’ and ‘Y’ and host this code in SQL Server. Then your table definition would be
Create table LineTable (PointA point, PointB point)
You can use object oriented constructs like
Select PointA.X, PointB.Y From LineTable
Goodbye to debugging lengthy stored procedures. Now it is possible to use managed .Net code in SQL Server 2005. Gen X needs to learn only C# and it will work for both front end and back end!
LINQ (Language Integrated Natural Query)
“Rather than add relational or XML-specific features to our programming languages and runtime, with the LINQ project we have taken a more general approach and are adding general purpose query facilities to the .NET Framework that apply to all sources of information, not just relational or XML data. This facility is called .NET Language Integrated Query (LINQ).”
Message: Abstraction is on the stage again! LINQ is your gateway abstract base for all sorts of queries in .Net. And then, you have the more specific DLINQ (Data LINQ) for relational data access, XLINQ (XML LINQ) for XML, etc.
Good News: Fed up with inline queries in C# which show errors only at run time? LINQ is for you! It is a .NET query system which the .NET compiler can fully understand. Another advantage is that instead of using entirely separate query mechanisms (SQL, XQuery, etc.) for different types of data such as relational or XML, you can now use a unified Natural Query for all kinds of data. Again, the learning curve is reduced for Gen X! But you will have to wait for .Net Framework 3.0 to get this feature.
OR (Object Relations)
Now you have ADO.NET, data access application blocks, etc. But wait for DLINQ! It includes a command line tool called SQLMetal.exe that runs against a specific database and auto-generates classes. One of the classes it generates represents the database itself and can perform all the database operations.
Good News: Forget ADO.NET! Now data access is going to be as simple as this!
NorthWindDB myDB = new NorthWindDB("connection string");
DataRow myProduct = myDB.Products.NewRow();
Guess what it does? It has created an object having the exact structure of the NorthWind DB, opened a connection to the DB and added a new record to the Products table! Where is all that SqlConnection, SqlCommand, SqlDataAdapter and ‘INSERT INTO..’? It is all done internally! Wait for .Net Framework 3.0 and all of this is going to be reality!
DMV (Dynamic Management Views)
DMVs are a special type of view in SQL Server 2005. These views provide changing server state information. They contain metadata that is not persisted on disk but stored in memory only. Dynamic management views can be used to answer diagnostic questions.
Good News: Are you tired of troubleshooting long-running queries and deadlocks? Is it nearly impossible to pinpoint the query causing the problem? Dynamic management views are there to reduce your workload! These views contain all kinds of online statistical information such as re-compiled queries, missing indexes, the query causing a deadlock, etc.