I've summarised some of the most interesting/important parts of my TechEd 2011 NZ notes here.
- Null object pattern - Avoid the ceremony of checking whether something is null before using it.
- Command pattern - Alternative to adding more methods to an interface; create new command objects instead.
- Object Emancipation - Objects are more than just buckets of information. Give your objects responsibility for managing their own state.
- State pattern - Partially change the type of an object by swapping out its behaviour based on its state.
- With REST: no URI construction on the client; follow the hyperlinks instead. The dependency is on the namespace.
- With REST: do NOT define new verbs; use GET, PUT, POST and DELETE.
- Polyfill - A way to support HTML 5 features in older browsers using JavaScript shims.
What is a Polyfill?
A polyfill, or polyfiller, is a piece of code (or plugin) that provides the technology that you, the developer, expect the browser to provide natively. Flattening the API landscape if you will.
- Rather than UserAgent sniffing, use feature detection with something like Modernizr.
- SQL Injection is still the number one threat to most websites.
- SQLMAP - a Python script for automatic SQL injection and database takeover.
- Cross Site Scripting (XSS) variations are still a serious issue. They can be weaponized with a server from which the attacker sends instructions to the user's browser.
- Unescaped Twitter feeds can be used for XSS attacks.
- Local proxies for security testing:
- Paros - "Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified."
- Burp proxy - "an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application."
- It's important to check that the credit card amount actually authorized is the amount that was expected.
- A functional language that is native to .NET. It can call and be called by other .NET code.
- Is well suited for scientific and numerical computing, finance, insurance, parsers and domain-specific languages.
- The pipeline operator |> makes chaining operations easier to read; somewhat similar to extension methods in C#.
- SQL Injection - As a start, look for calls in SQL to sp_executesql and exec that aren't using parameters correctly.
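A concrete version of that review step, as an added example (not from the session notes and not any product's code): a small heuristic scanner over constructed T-SQL snippets that flags `EXEC(@sql)` and `sp_executesql @sql` where `@sql` was built by concatenating a variable into a string, and notes `sp_executesql` calls that pass no parameter definition so a reviewer can confirm they really are static. The procedure bodies and variable names are invented for the demonstration; the regexes are a starting point for grepping a code base, not a proof of safety.

```python
"""Heuristic audit of T-SQL for dynamic SQL that sidesteps parameterisation.

Added example, not from the TechEd notes.  The snippets in SAMPLES are
constructed to look like stored-procedure fragments a reviewer might find.
"""
import re

# Constructed T-SQL snippets (hypothetical procedures, not real code).
SAMPLES = {
    "exec_concat": """
        DECLARE @sql nvarchar(max);
        SET @sql = 'SELECT * FROM Users WHERE Name = ''' + @name + '''';
        EXEC(@sql);
    """,
    "executesql_concat": """
        DECLARE @sql nvarchar(max);
        SET @sql = N'SELECT * FROM Users WHERE Name = ''' + @name + N'''';
        EXEC sp_executesql @sql;
    """,
    "executesql_param": """
        DECLARE @sql nvarchar(max);
        SET @sql = N'SELECT * FROM Users WHERE Name = @n';
        EXEC sp_executesql @sql, N'@n nvarchar(50)', @n = @name;
    """,
    "executesql_static": """
        DECLARE @sql nvarchar(max);
        SET @sql = N'SELECT COUNT(*) FROM Users';
        EXEC sp_executesql @sql;
    """,
    "static": "SELECT * FROM Users WHERE Name = @name;",
}

# "'...' + @var" or "@var + '...'" on the right-hand side of a SET means the
# statement text is being assembled from a variable, i.e. from data.
CONCAT = re.compile(r"'\s*\+\s*@\w+|@\w+\s*\+\s*N?'")
ASSIGN = re.compile(r"\bSET\s+(@\w+)\s*=\s*(.+?);", re.I | re.S)
# EXEC(@var) / EXECUTE(@var): runs whatever text the variable holds.
EXEC_VAR = re.compile(r"\bEXEC(?:UTE)?\s*\(\s*(@\w+)\s*\)", re.I)
# sp_executesql @var [, N'@p type', @p = ...]; group 3 is the parameter part.
SP_EXECUTESQL = re.compile(r"\bsp_executesql\s+(@\w+)\s*(,([^;]*))?;", re.I)


def audit(sql: str) -> list[str]:
    """Return review findings for one T-SQL fragment (empty list = nothing flagged)."""
    findings: list[str] = []
    # Variables whose value was built by string concatenation (names are
    # case-insensitive in T-SQL, so compare lower-cased).
    concatenated = {
        var.lower() for var, rhs in ASSIGN.findall(sql) if CONCAT.search(rhs)
    }
    for var in EXEC_VAR.findall(sql):
        if var.lower() in concatenated:
            findings.append(f"EXEC({var}) runs SQL built by string concatenation")
    for var, _, params in SP_EXECUTESQL.findall(sql):
        if var.lower() in concatenated:
            findings.append(f"sp_executesql {var} runs SQL built by string concatenation")
        elif not params.strip():
            # Not necessarily a bug, but worth a look: no parameters were
            # declared, so any user input in the text would be unparameterised.
            findings.append(
                f"sp_executesql {var} passes no parameter definition; "
                "confirm the statement contains no user input"
            )
    return findings


def audit_all(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Audit every sample and map its name to its findings."""
    return {name: audit(sql) for name, sql in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

The `executesql_param` sample shows the shape to aim for: the statement text is a constant and the user-supplied value travels separately through the parameter list, so `sp_executesql` never sees it as SQL.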
- Cross Site Scripting (XSS) - With ASP.NET use HttpUtility or the AntiXSS library's HTML and attribute encoders. Consider the Security Runtime Engine as a safety net.
- Enforce session logout server-side rather than just removing the cookie client-side.
- Set the 'httponly' and 'secure' flags on cookies.
- Cross Site Request Forgery - ASP.NET - Set ViewStateUserKey in the OnInit of a base page. It is used in addition to the MAC key to hash the ViewState.
- Send the following HTTP headers when serving content uploaded by users:
- Content-Disposition: Attachment
- X-Download-Options: noopen
- X-Content-Type-Options: nosniff
- Content-Type: [mime-type]
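The cookie-flag and upload-header items above are protocol-level checks, so they can be verified from outside the application. The following is an added example (not from the session notes, not any product's code) in Python: it audits a list of response headers for the two cookie flags and, when the response serves user-uploaded content, for the four headers listed. Both responses are constructed for the demonstration; the ASP.NET_SessionId cookie name is the default ASP.NET session cookie, its value is invented.

```python
"""Audit HTTP response headers for the cookie flags and download headers
recommended in the notes.  Added example; the responses are constructed.
"""
from typing import Callable, Iterable

Header = tuple[str, str]

# Constructed responses (hypothetical; not captured from a real site).
WEAK_RESPONSE: list[Header] = [
    ("Content-Type", "application/octet-stream"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/"),
]
HARDENED_RESPONSE: list[Header] = [
    ("Content-Type", "image/png"),
    ("Content-Disposition", 'attachment; filename="avatar.png"'),
    ("X-Download-Options", "noopen"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly"),
]


def cookie_missing_flags(set_cookie: str) -> list[str]:
    """Flags absent from one Set-Cookie value (attribute names are case-insensitive)."""
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie.split(";")[1:]  # [0] is name=value
    }
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


# Headers expected when serving user-uploaded content, with the check each
# value must pass.  Content-Type only has to be present and non-empty.
UPLOAD_HEADERS: dict[str, Callable[[str], bool]] = {
    "content-disposition": lambda v: v.strip().lower().startswith("attachment"),
    "x-download-options": lambda v: v.strip().lower() == "noopen",
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-type": lambda v: bool(v.strip()),
}


def audit_response(headers: Iterable[Header], serves_user_upload: bool) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    headers = list(headers)
    problems: list[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0]
            problems += [f"cookie {cookie} lacks {flag}" for flag in cookie_missing_flags(value)]
    if serves_user_upload:
        present = {name.lower(): value for name, value in headers}
        for name, ok in UPLOAD_HEADERS.items():
            if name not in present:
                problems.append(f"missing {name}")
            elif not ok(present[name]):
                problems.append(f"weak {name}: {present[name]!r}")
    return problems


if __name__ == "__main__":
    print("weak:", audit_response(WEAK_RESPONSE, serves_user_upload=True))
    print("hardened:", audit_response(HARDENED_RESPONSE, serves_user_upload=True))
```

For the cookie half, ASP.NET can apply both flags site-wide through the `httpCookies` element in web.config (`httpOnlyCookies="true" requireSSL="true"`), which is easier to keep right than setting them on each cookie by hand; the audit above then confirms what actually reaches the browser.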
- WinDBG with the SOS Extension from the .NET framework team can make debugging specific classes of bugs much easier.
- Memory Leaks
- Deadlocks
- Race conditions
- Dumps from production applications (where it isn't otherwise possible to attach a debugger)
- Mindscape Web Workbench - Add Sass, Less & CoffeeScript support to VS2010
- Web Standards Update for VS2010 - Adds support for HTML5 & CSS 3 to VS 2010 SP1
- Nuget - Manage common packages and dependencies for your projects
- Chrome Developer Tools - "Pretty Print" to reformat minified JavaScript.
- Fiddler - a web debugging proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect traffic, set breakpoints, and "fiddle" with incoming or outgoing data.
- OData is useful in .NET to .NET scenarios
- RIA Services - OData endpoint that can be queried over LINQ.
- MEF is a framework for creating extensible applications and consuming plug-in parts.
- Visual Studio 2010 editor extensibility is built through MEF.
- The VS2010 Find box is also a command box when the input is prefixed with >
- > File.CloseAllButThis
- > File.CopyFullPaths
- > Tools.GoToCommandLine
- Submit pipeline
- Pre-processing
- Process modified entities
- Execution – LightSwitch passes all of the changes to the underlying data provider for processing
- Post-process modified entities
- Post-processing
Online sessions