Maung²'s Technical Adventures

October 2009 - Posts

Imagine Cup

Sign up for Imagine Cup if you wish to represent your nation on the world stage.

Use your skills and creativity to solve the world’s toughest problems and help make the world a better place.

What’s in it for you? You get a chance to win an XBOX upon registering, and if you go on to compete, you could win an all-expenses-paid 5-day trip to Poland and up to $25,000 in cash awards!!

This is your time to shine, so register now at www.imaginecup.com!

Imagine Cup Fan Page - http://www.facebook.com/imaginecupsg

Imagine Cup Local Site – www.imaginecup.com.sg  - (coming soon, stay tuned!)

Visual Studio 2010 Launch Countdown Gadget

If you are as excited about the Visual Studio 2010 launch as I am, here is a gadget that counts down to the Visual Studio 2010 launch on 22nd March 2010.


You can use it with the Windows Vista Sidebar or with our latest and greatest Windows 7, which launches today!

Download your gadget here.

Getting up to speed with Visual Studio 2010 and .NET Framework 4

Training Courses on Channel 9

Today, Channel 9 launches an online learning center that will host developer-focused training courses created by developers for developers.  As you probably know, Channel 9 has always been about giving direct access to future technologies from Microsoft.  These videos and labs, with links to extensive training kits, allow us developers to get started with hands-on learning on Visual Studio 2010 and .NET Framework 4 at our own pace.

Explore Visual Studio 2010 Beta 2 with a new training course on Channel 9

The developer evangelists who bring you the 10-4 Show are providing videos and labs for you to get familiar with .NET Framework 4 and Visual Studio 2010. This exclusive opportunity lets you access free courseware online in a self-paced learning experience.  The online training course also allows you to search for and browse the training content without downloading the full kit.

Visual Studio 2010 & .NET Framework 4 Training Kit

This week, Microsoft also released the updated Visual Studio 2010 & .NET Framework 4 Training Kit October Preview for Visual Studio 2010 Beta 2. This is a downloadable version of the training content including 15 presentations, 13 Demos and 20 Hands-on Labs.

Happy learning!

PS: Don’t forget to download and try our Visual Studio 2010 Beta 2.

Visual Studio 2010 SKUs & The Ultimate Offer

As you might have read in my previous post, Visual Studio 2010 will RTM on 22nd March 2010, and there are changes to the Visual Studio SKUs.

Here is a brief comparison of various Visual Studio 2010 SKUs.

[Image: Visual Studio 2010 SKU comparison tables]

On 22nd March 2010, all customers with an active MSDN Premium subscription will be transitioned to the next product up the stack.

  • Visual Studio Team System 2008 Team Editions and Team Suite with MSDN Premium will transition up to Visual Studio 2010 Ultimate with MSDN.
  • Visual Studio Professional 2008 with MSDN Premium will transition up to Visual Studio 2010 Premium with MSDN.
  • Visual Studio Professional 2008 with MSDN Professional will transition to Visual Studio 2010 Professional with MSDN.

Learn more about it from this document.

Here are three things you can do now to get the most out of the Visual Studio 2010 launch.

1. Start thinking about Visual Studio 2010. Decide what level of Visual Studio 2010 you want, and plan for how The Ultimate Offer can get you there.

2. Download Visual Studio 2010 Beta 2 and start using it. The Go-Live license for beta 2 release is a great opportunity for you to begin using it for development projects in your organization.

3. If you really want to get the biggest bang-for-the-buck with The Ultimate Offer, you must step up to Visual Studio Team System 2008 with MSDN Premium subscription now!

Visual Studio 2010 Beta 2 is here!

It is… it is here! HERE!

This blog post is not intended as a guide for installing Visual Studio 2010 Beta 2.  Anyone who needs help with the installation should go back to school and re-learn these two simple words - “Next” and “Finish”. ;)

The Beta 2 release of Visual Studio 2010, codenamed “Rosario”, is made available to MSDN Subscribers today and to the general public on October 21st. Not sure how you feel, but I am elated to have it installed on my laptop. This Beta 2 release signifies a major milestone for Visual Studio, as Microsoft is also announcing its new logo, which replaces the legacy Visual Studio logo we have had ever since the release of Visual Studio 97 in 1997. Did you also notice the cool new look of MSDN, repainted with a new color theme?


Together with its new logo, Microsoft is also announcing the new SKUs for Visual Studio 2010 and their transitions. “Visual Studio Team Suite” is now known as “Visual Studio Ultimate”. And also there will be “Premium” and the usual “Professional” editions. I will blog more about the editions and features comparison in another post.

Below is a quick glance at what the Visual Studio 2010 installation looks like. Remember? This is not a guide.


The usual “autorun” dialog with 3 options. New logo, but same user experience.


This release (Beta 2) comes with lots of features out of the box – ASP.NET MVC 2, Web Deployment Tool, Silverlight 3 SDK, Office and SharePoint 2010 development tools, UML modeling and, most excitingly, great tooling support for WPF. Mobile development is missing in this release though, and sadly, the Windows Mobile 6 SDK simply refuses to install on VS 2010 Beta 2. Cloud Computing – Azure is left as a placeholder, but the team promises to release a VS 2010 Beta 2 compatible Azure SDK on http://azure.com as soon as possible.


Again, the new-look-same-user-experience finishing screen.

Tada!


The new beautified splash-screen really made my monitor wet! Hey, you gotta hold your saliva, man!


Here is the environment/profile selection dialog.

Can you see??? Can you see that “Web Development (Code Optimized)” option?

Okay, have you had enough of the excitement already?  Here is the deal!  Visual Studio 2010 Beta 2 release delivers the “Go Live” rights in the license to allow you, our customers, to truly evaluate the use of the product and platform in production environments. So, don’t wait till it’s RTM.  This is an opportunity for you to conduct proof of concept work and get yourself familiarized with the state-of-the-art technologies and the development tool.

Finally, if you are thinking of asking me the RTM release date, save your breath.  The official launch of Visual Studio 2010 and .NET Framework 4 is March 22nd 2010.

Meanwhile, you enjoy your Visual Studio 2010 Beta 2 and let’s countdown the RTM!

SQL Injection Revisit

I am sure many of you have heard about SQL injection vulnerabilities and how they arise from bad coding practices.  But are you confident that the preventive measures you currently have in place are sufficient to keep you out of this trouble?

One common misconception is that using stored procedures mitigates the attack by itself, because the inputs are parameterized.  Few developers, including "some" senior folks, truly understand that the real enemy in a SQL injection attack is the construction of dynamic queries - either on the client (in the programming language) or on the server (string concatenation fed to sp_executesql in T-SQL stored procedures).

Below is an example of constructing a dynamic query on the server side, inside the stored procedure, which leaves the application vulnerable to SQL injection.

CREATE PROCEDURE SqlInjectionSample
              @EmpName varchar(50), 
              @EmpNameOperator tinyint
AS
DECLARE @SqlString nvarchar(255) -- sp_executesql only accepts a Unicode (nvarchar) statement
SET @SqlString = N'SELECT * FROM HR.Employees WHERE ' +
              CASE @EmpNameOperator
              WHEN 0 THEN 'EmployeeName = ''' + @EmpName + ''''       -- Exact match
              WHEN 1 THEN 'EmployeeName LIKE ''' + @EmpName + '%'''   -- Starts with
              WHEN 2 THEN 'EmployeeName LIKE ''%' + @EmpName + '%'''  -- Contains
              END
-- @EmpName is concatenated into the statement text, so whatever it contains is executed as SQL
EXEC sp_executesql @SqlString
GO

In the above example, the developer may have parameterized @EmpName and passed it into the stored procedure, but the statement that actually executes is constructed dynamically on the server side, and that is what leads to the vulnerability.

So, how can we defend against this public enemy?  My recommendations are as follows.

1) Sanitize Inputs

Input validation is one of the most commonly cited mitigations for almost all kinds of application security issues.  The problem I keep seeing is that most developers make the mistake of removing known harmful inputs (UPDATE, DELETE, DROP, ALTER) instead of crafting the validation logic to accept only what is acceptable. Come on! Admit it. We can't possibly list all the harmful inputs in our validation logic.  I personally recommend sanitizing inputs in the application logic, as programming languages are far more powerful than T-SQL here, with access to regular expression and string manipulation classes.

2) Parameterized Query

I have said enough!  A stored procedure with @Parameters is not, by itself, good enough.  Remember? The rule of the game is to avoid dynamic query construction.  We could have rewritten the above stored procedure in the following manner.

CREATE PROCEDURE NoSqlInjectionSample
       @EmpName varchar(50), 
       @EmpNameOperator tinyint
AS
       IF (@EmpNameOperator = 0) -- Exact match
              SELECT * FROM HR.Employees WHERE EmployeeName = @EmpName
       ELSE -- @EmpNameOperator is 1 (starts with) or 2 (contains)
              SELECT * FROM HR.Employees WHERE EmployeeName LIKE @EmpName
              -- We add % to parameter @EmpName in our application logic
GO
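The rewritten procedure above avoids dynamic SQL entirely, which is the right default. Sometimes a piece of the statement genuinely has to vary at run time (for instance, the column to sort on), and then the two rules from sections 1 and 2 still apply: whitelist the part that cannot be a parameter, and pass the user's value as a bound parameter so it never enters the SQL text. The following T-SQL is an added example written for this post; it is not code from the original article. It assumes the HR.Employees table from the post, and the procedure name HR.SearchEmployees, the EmployeeId and HireDate columns and the @SortColumn parameter are assumptions made for the example. It also handles the caveat left open by NoSqlInjectionSample: when the application appends % to build the LIKE pattern, a % or _ typed by the user is still a wildcard unless it is escaped.

```sql
-- Added example (not from the original post): dynamic SQL done safely.
-- Assumed names: HR.SearchEmployees, columns EmployeeId / HireDate, @SortColumn.
CREATE PROCEDURE HR.SearchEmployees
       @EmpName         nvarchar(50),
       @EmpNameOperator tinyint,                    -- 0 exact, 1 starts with, 2 contains
       @SortColumn      sysname = N'EmployeeName'
AS
BEGIN
    SET NOCOUNT ON;

    -- 1) Whitelist the one piece that cannot be a parameter: the identifier.
    --    Anything outside the known list is rejected, not "cleaned".
    DECLARE @OrderBy sysname =
        CASE @SortColumn
            WHEN N'EmployeeName' THEN N'EmployeeName'
            WHEN N'EmployeeId'   THEN N'EmployeeId'
            WHEN N'HireDate'     THEN N'HireDate'
        END;
    IF @OrderBy IS NULL OR @EmpNameOperator NOT IN (0, 1, 2)
    BEGIN
        RAISERROR(N'Invalid sort column or operator.', 16, 1);
        RETURN;
    END;

    -- 2) Build the LIKE pattern from the value, escaping the wildcard characters
    --    the caller may have typed (\ first, then [ % _) so that "starts with a%b"
    --    really means that and not "starts with a". Worst case doubles the length.
    DECLARE @Pattern nvarchar(110) =
        REPLACE(REPLACE(REPLACE(REPLACE(@EmpName,
                N'\', N'\\'), N'[', N'\['), N'%', N'\%'), N'_', N'\_');
    SET @Pattern =
        CASE @EmpNameOperator
            WHEN 1 THEN @Pattern + N'%'
            WHEN 2 THEN N'%' + @Pattern + N'%'
            ELSE @Pattern
        END;

    -- 3) The statement text holds only constants and the whitelisted identifier
    --    (QUOTENAME as belt and braces). The caller's values travel through
    --    @params, so sp_executesql binds them as data, never as SQL.
    DECLARE @Sql nvarchar(500) = N'
        SELECT EmployeeId, EmployeeName, HireDate
        FROM HR.Employees
        WHERE (@op = 0 AND EmployeeName = @name)
           OR (@op <> 0 AND EmployeeName LIKE @pattern ESCAPE ''\'')
        ORDER BY ' + QUOTENAME(@OrderBy) + N';';

    EXEC sys.sp_executesql
         @stmt    = @Sql,
         @params  = N'@op tinyint, @name nvarchar(50), @pattern nvarchar(110)',
         @op      = @EmpNameOperator,
         @name    = @EmpName,
         @pattern = @Pattern;
END;
GO

-- Usage: contains-search for "O'Brien" sorted by hire date. The apostrophe is
-- harmless because it is never part of the SQL text.
EXEC HR.SearchEmployees @EmpName = N'O''Brien', @EmpNameOperator = 2, @SortColumn = N'HireDate';
```

The difference from SqlInjectionSample is not that sp_executesql is absent, but that the only things concatenated into @Sql are values the procedure itself chose from a fixed list; the sp_executesql @params list is what makes the user's input a parameter rather than code.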

3) LUA - Least-privileged User Account

Run your application logic, and connect to the database, using a user account with just enough permission to do what your application requires.  While "Admin" rights give you tons of convenience in debugging and deployment, they can also wipe your database out instantly when combined with a SQL injection vulnerability.  This also includes running the SQL Server service under a least-privileged account such as "Network Service" instead of "Local System".  At the very least, we minimize the damage if the vulnerability is exploited.

4) Minimize the Attack Surface

Install and enable SQL Server features only if you are absolutely sure that your applications need them.  Features such as extended stored procedures (xp_cmdshell) and CLR integration may never be used by your LOB applications.  So why turn them on when you don't need them in the first place? Reference: http://msdn.microsoft.com/en-us/library/cc281850.aspx
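Sections 3 and 4 describe configuration rather than code, but both can be scripted and, more importantly, checked. The T-SQL below is an added example for this post, not from the original article: it creates a database principal for the application that can execute only the NoSqlInjectionSample procedure shown earlier, verifies from that principal's point of view that the HR.Employees table itself is out of reach, and then turns off the server features named in section 4 and confirms the result. The login and user names (app_login, app_user), the database name HRDatabase and the password placeholder are assumptions; run it as a sysadmin on a test instance.

```sql
-- Added example (not from the original post). Assumed names: app_login, app_user,
-- HRDatabase; the password is a placeholder to be replaced.
USE master;
GO
-- 3) Least-privileged account: the application authenticates as this login...
CREATE LOGIN app_login
    WITH PASSWORD = N'<replace-with-a-strong-password>', CHECK_POLICY = ON;
GO
USE HRDatabase;   -- assumed name of the database holding HR.Employees
GO
CREATE USER app_user FOR LOGIN app_login;
GO
-- ...and gets EXECUTE on the one procedure it needs. No table grants and no
-- db_datareader / db_datawriter membership, so even a successful injection
-- through that connection has no direct read or write path to the tables.
GRANT EXECUTE ON OBJECT::dbo.NoSqlInjectionSample TO app_user;
GO

-- Check from the application's point of view: impersonate the user and ask
-- what it may do. Expected: CanExecProc = 1, CanReadTable = 0, CanDeleteRows = 0.
EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME('dbo.NoSqlInjectionSample', 'OBJECT', 'EXECUTE') AS CanExecProc,
       HAS_PERMS_BY_NAME('HR.Employees', 'OBJECT', 'SELECT')             AS CanReadTable,
       HAS_PERMS_BY_NAME('HR.Employees', 'OBJECT', 'DELETE')             AS CanDeleteRows;
REVERT;
GO

-- 4) Attack surface: keep xp_cmdshell, CLR integration and OLE Automation off
-- unless an application is known to need them. xp_cmdshell is an "advanced"
-- option, so it is only visible while show advanced options is 1.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- Verify: value_in_use should be 0 for all three rows.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures');
GO
```

The permission check relies on ownership chaining: because dbo owns both the procedure and (by default) the HR schema, app_user can read HR.Employees through the procedure without holding SELECT on the table. If the schemas have different owners, the procedure will fail for app_user and the grant has to be revisited rather than widened to the table.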

Beginners: After all that reading, if you still don't have a clue what SQL injection is, go ahead and watch this 17.5 minute video (http://msdn.microsoft.com/en-us/security/ee216344.aspx) to learn more from a live demonstration.  The video discusses truncation-based SQL injection attacks and how we can defend against them.