My Faq on "hashtable lookups for struct types" is published at http://blogs.msdn.com/CSharpFaq

Check out http://blogs.msdn.com/csharpfaq/archive/2006/03/20/556192.aspx for a FAQ on Hashtable lookup for value types.

MSN Messenger invites

Update: Invites exhausted. Sorry

Have got a few MSN Messenger Beta invites. If you need one, drop a comment and your email address and I will send it to your email account.

Hurry!!!!

Testing post from Infopath

Posting from Infopath

Thanks
Vipul

Web chat transcript – Writing Secure .NET Code

Conducted on April 20, 2005. A copy of the transcript is available at http://msmvps.com/vipul/articles/48609.aspx and also on the Microsoft India Technical Community site at http://msmvps.com/vipul/articles/48609.aspx

Web chat transcript – Writing Secure Code – Part 2

Conducted on April 14, 2004. A copy of the transcript is available at http://msmvps.com/vipul/articles/48608.aspx and also at http://www.microsoft.com/india/communities/chat/22.aspx

Web chat transcript – Writing Secure Code – Part 1

This webchat was conducted on 13th April, 2004. A copy of the transcript is available at http://msmvps.com/vipul/articles/48607.aspx and also on the Microsoft India Technical Community site at http://www.microsoft.com/india/communities/chat/21.aspx

Web chat transcript – Configuration Management using Visual SourceSafe

This webchat was conducted on 9th Feb 2005. A copy of the transcript is available at http://msmvps.com/vipul/articles/48606.aspx and also on the Microsoft India Technical Community site at http://www.microsoft.com/india/communities/chat/12.aspx

Webchat Transcript – Writing Secure .NET Code

Chat Topic : Writing Secure .NET Code
Chat Expert : Vipul Patel
April 20, 2005

subhashini (Moderator):
the chat begins at 5.00 pm IST
subhashini (Moderator):
Request all of you to refrain from sending any private messages as that leads to disconnection of the expert from the chat
subhashini (Moderator):
hello everybody. A very good evening to all of you.
subhashini (Moderator):
welcome to today’s chat on writing Secure .NET code
subhashini (Moderator):
we had chats on writing secure code earlier on 13th and 14th April, and today is the last part in the series.
subhashini (Moderator):
We have with us Vipul Patel (MVP)
subhashini (Moderator):
to host today’s chat
subhashini (Moderator):
After pursuing a bachelor’s degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love of computers. He is currently with Patni Computer Systems, and has been working on .NET technologies for the last 1.5 years. Once the Chairperson of the Computer Society of India’s college chapter at Nirma Institute of Technology (www.nit.edu) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com or vipul.patel@patni.com
subhashini (Moderator):
before we begin the chat
subhashini (Moderator):
a few chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
This leads to disconnection of the expert from the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
let’s welcome Vipul and hope you find this chat useful and informative
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini
Vipul Patel (Expert):
Welcome all to the final episode of writing secure code. Today we shall focus on “Writing Secure .NET code”
Vipul Patel (Expert):
I shall skim through the best practices and tips on writing secure .NET code, and will answer the questions on completion of the best practices.
Vipul Patel (Expert):
While the .NET Framework is a robust one, we need to exercise care while coding to make the application secure.
Vipul Patel (Expert):
The good thing about the .NET Framework is that common security attacks are not bound to happen with a .NET application. But vulnerabilities are still possible.
Vipul Patel (Expert):
A classic example is SQL injection. To avoid such an attack, you need to follow the best practices outlined in the earlier web chats.
Vipul Patel (Expert):
Today we will focus more on the .NET side of coding practices.
Vipul Patel (Expert):
Don't forget to apply secure coding techniques like:
Vipul Patel (Expert):
a. Don't store secrets in code or web.config files
Vipul Patel (Expert):
b. Don't create your own encryption; use the one provided by the framework. Use the classes in the System.Security.Cryptography namespace.
Vipul Patel (Expert):
c. Don't trust user input till you have validated its correctness.
Vipul Patel (Expert):
.NET code helps mitigate a number of common security vulnerabilities such as buffer overruns. Security in .NET provides code with different levels of trust based not only on the user’s capabilities but also on system policy and evidence (digital signature) of code.
Vipul Patel (Expert):
But before that a question to the audience…..
Vipul Patel (Expert):
How many of you are aware of FxCop?
Vipul Patel (Expert):
please reply using the Guest Chat option…..
Vipul Patel (Expert):
That's great. We have one user who actively uses that.
Vipul Patel (Expert):
Tip: Add your own rules to FxCop if you want to implement coding rules beyond the ones provided by FxCop.
Vipul Patel (Expert):
For those who are not aware, FxCop is available from http://www.gotdotnet.com. It is a code analysis tool that checks .NET assemblies for conformance to the .NET Framework Design Guidelines at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconnetframeworkdesignguidelines.asp
Vipul Patel (Expert):
FxCop can produce an XML file that lists any design guideline violations in your assembly.
Vipul Patel (Expert):
What are the two most common errors flagged by FxCop?
Vipul Patel (Expert):
a. Lack of a strong name on the assembly
Vipul Patel (Expert):
b. Failure of the assembly to specify permission requests.
Vipul Patel (Expert):
How to prevent these errors? Let's take them one by one.
Vipul Patel (Expert):
Use strong names for assemblies:
Lack of a strong name
Vipul Patel (Expert):
sn -k keypair.snk
Vipul Patel (Expert):
Over and above strong names, you may want to Authenticode-sign an assembly to identify the publisher. Do this after strong naming your assemblies.
Vipul Patel (Expert):
You cannot use Authenticode first because the strong name signature will appear as “tampering” to the Authenticode signature check.
Vipul Patel (Expert):
Additionally, you can delay-sign your assemblies to prevent information disclosure by a careless developer.
Vipul Patel (Expert):
Tip: Strong named assemblies can only refer to other strong named assemblies. Get your application design ready to use the GAC.
Vipul Patel (Expert):
Next we come to the second most popular finding of FxCop – Failure of the assembly to specify permission requests.
Vipul Patel (Expert):
pinto: can you rephrase your question?
Vipul Patel (Expert):
For that, we need to know about CAS or Code Access Security: The theory of the same is located at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconcodeaccesssecurity.asp
Vipul Patel (Expert):
Best practices for CAS
Vipul Patel (Expert):
a. Request minimal permission set: Requesting helps ensure that your code is granted only the permissions it needs.
Vipul Patel (Expert):
e.g. if your application requires only FileIOPermission to read one file, and nothing more, add this line to your code:
Vipul Patel (Expert):
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\FileName.xml")]
Vipul Patel (Expert):
pinto: that depends on your FxCop settings…..
Vipul Patel (Expert):
pinto: you need to disable this rule if it is already on….
Vipul Patel (Expert):
Coming back to CAS, you should use RequestMinimum to define the minimum must-have grant set. If the runtime cannot grant the minimum set to the application, it will raise a PolicyException and your application will not run.
Vipul Patel (Expert):
b. Refuse unneeded permissions: Simply refuse permissions you don't need.
Vipul Patel (Expert):
e.g. if there are no file I/O operations in the application,
[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
Vipul Patel (Expert):
A simple code snippet such as the above will refuse file I/O access through your secure code.
Vipul Patel (Expert):
Tip: If you don't get the requisite permissions, there will be exceptions. Handle these possible exceptions that may arise if the requested permissions are not granted.
Vipul Patel (Expert):
c. Use Assert wisely
Vipul Patel (Expert):
What we need to apply for this is that we should make sure that code permissions are granted rationally.
Vipul Patel (Expert):
Suppose A has permissions to do anything on the server
And B has permission to make calls on A.
Vipul Patel (Expert):
Now if A makes an Assert statement, B will get access to all resources permitted to A.
This implies that through A, B can make any changes on the server and this may not be the desired scenario.
Vipul Patel (Expert):
Q: aren’t you trying to say about the SecurityExceptions?
A: no, the exception being referred to here is PolicyException.
Vipul Patel (Expert):
d. Keep the Assertion as small as possible
Vipul Patel (Expert):
If you do need to Assert, make sure that you RevertAssert as soon as you are done.
Vipul Patel (Expert):
In C# code, this is done by
CodeAccessPermission.RevertAssert();
Vipul Patel (Expert):
Tip: When Deny, Assert and PermitOnly are used together, Deny has the highest precedence.
Vipul Patel (Expert):
e. Limit who uses your code
Vipul Patel (Expert):
How: Consider sealing your classes. This will make them non-inheritable.
Vipul Patel (Expert):
Also, you can use InheritanceDemand to require that derived classes have a specified identity or permission.
Vipul Patel (Expert):
[EnvironmentPermission(SecurityAction.InheritanceDemand, Unrestricted = true)]
public class A
{
}
public class B : A
{
}
Vipul Patel (Expert):
This will imply that if the inheriting class requests actions through an inherited class, the framework will see if the calling class has the permissions needed to do the action.
Vipul Patel (Expert):
In the earlier example, B must have EnvironmentPermission if it were to inherit from A.
Vipul Patel (Expert):
Other security tips for .NET programmers
Vipul Patel (Expert):
Q: How to protect images in an ASP.NET project, i.e. Print, Print Screen, Save Page, etc.
A: I believe that disabling menu options on browsers is achievable through JavaScript. I need time to investigate this in detail. Please email me at vipul_d_patel@hotmail.com stating your complete requirement.
Vipul Patel (Expert):
a. No Sensitive Data in XML or Configuration files
Vipul Patel (Expert):
Storing data of non secure nature is ok in configuration files such as web.config.
subhashini (Moderator):
Please use the radio button “submit a question” to ask any questions to the expert
Vipul Patel (Expert):
It is an oxymoron that storing data in the registry is safer than storing it in the web.config. We need to make a judicious call here, as registry access violates no-touch deployment fundas.
Vipul Patel (Expert):
A better option will be to use SQL Server as data storage for confidential information.
Vipul Patel (Expert):
ASP.NET v1.1 supports optional Data Protection API encryption of secrets stored in the registry. The configuration sections that take advantage of this are <processModel>, <identity>, and <sessionState>.
Vipul Patel (Expert):
aspnet_setreg.exe is a cool tool to explore for using registry to store confidential information….
Vipul Patel (Expert):
Tip: Review Assemblies that allow partial trust
Vipul Patel (Expert):
If you want your assembly to be invoked from partially trusted sources, you need to tag it
[assembly: AllowPartiallyTrustedCallers]
Vipul Patel (Expert):
Furthermore, you need to review in detail all the assemblies that make calls to this assembly in partially trusted mode. That's because partially trusted code has considerable access to the resources handled by the called assembly.
Vipul Patel (Expert):
IMP: Assemblies that allow partially trusted callers should never expose objects from assemblies that do not allow partially trusted callers.
Vipul Patel (Expert):
Never forget to review the code of the calling assembly lest it causes any security breach.
Vipul Patel (Expert):
Tip: Check managed wrappers to unmanaged code for correctness
Make sure that code calling into unmanaged code is well written and safe.
Vipul Patel (Expert):
Issues with Serialization
Vipul Patel (Expert):
Give special attention to classes that implement the ISerializable interface if an object based on the class could contain sensitive object information.
Vipul Patel (Expert):
If these classes store passwords, it could pose a considerable security concern.
Vipul Patel (Expert):
Q: Vipul: I have learned that you can save the session in SQL to identify the broken sessions to continue with where they stopped... and do you suggest such kind of storage?
A: Yes, storing session information in SQL Server would be a good option... optionally, if that code or the user has access to the registry, you can use the DPAPI also.
SQL Server is better.
Vipul Patel (Expert):
Using isolated storage
Vipul Patel (Expert):
Using isolated storage provided by the .NET Framework has the advantage that only the code in a given assembly can access the isolated data when any of the following conditions are met: the application that was running when the assembly created the store is using the assembly, or the user who created the store is running the application.
Vipul Patel (Expert):
using System.IO.IsolatedStorage;
..
IsolatedStorageFile isoFile = IsolatedStorageFile.GetStore(IsolatedStorageScope.User | IsolatedStorageScope.Assembly, null, null);
Vipul Patel (Expert):
The major advantage of using isolated storage is that it does not require FileIOPermission to operate correctly.
subhashini (Moderator):
Friends, we have the last 15 minutes left for the chat to conclude
Vipul Patel (Expert):
But don’t use isolated storage to store sensitive data, because it is not protected from highly trusted code or trusted users of the computer.
Vipul Patel (Expert):
Other tips
Vipul Patel (Expert):
Disable Tracing and Debugging Before Deploying ASP.NET Application
Vipul Patel (Expert):
Because: you can potentially give an attacker too much information
subhashini (Moderator):
So please rush in your questions to Vipul
Vipul Patel (Expert):
How to do this:
Vipul Patel (Expert):
1. Remove the DEBUG verb from IIS.
2. Disable debugging and tracing within the ASP.NET application Page directive
<%@ Page Language="VB" Trace="False" Debug="False" %>
3. In the web.config file
<trace enabled="false"/>
<compilation debug="false"/>
Vipul Patel (Expert):
Also, do not deserialize data from untrusted sources.
Vipul Patel (Expert):
In case the application fails, do not tell the attacker too much. Rather, write to the application log an error code which is known only to developers.
Vipul Patel (Expert):
That's all for the tips and tricks. Now to your questions.
Vipul Patel (Expert):
Q: Vipul: can you throw some light on “SecurityException”?
A: A SecurityException occurs when a security error is detected, like making I/O calls when the user does not have rights on it.
PolicyException on the other hand is generated when code requests more permissions than the policy will grant or the policy is configured to prohibit running the code.
Vipul Patel (Expert):
OK team, the resources that should keep you going:
Vipul Patel (Expert):
A book by Michael Howard titled “Writing Secure Code”. It is by Microsoft Press. It's an extremely good book. Recommend all to read when you get time.
Vipul Patel (Expert):
Visit digitalblackbelt.com and view the webcasts on security; they are great.
Vipul Patel (Expert):
Also on MSDN webcasts, there is a series of webcasts on Writing Secure Code; you can view them if you can get hands on the book.
Vipul Patel (Expert):
That's all from my side.
Vipul Patel (Expert):
Q: Vipul: i have a small situation.. can i ask you now?
A: sure..
Vipul Patel (Expert):
Q: thnx vipul
A: anytime man
Vipul Patel (Expert):
You can visit http://msdn.microsoft.com/asp.net/articles/security/default.aspx for more information on security.
subhashini (Moderator):
Well, we are almost close to time-up!
subhashini (Moderator):
There’s time for one last question
subhashini (Moderator):
To ask any additional queries , please feel free to email Vipul
subhashini (Moderator):
at vipul_d_patel@hotmail.com
subhashini (Moderator):
Hope this chat in the series was informative
subhashini (Moderator):
To read chat transcripts of earlier chats, visit http://www.microsoft.com/india/communities/chat/Transcripts.aspx
subhashini (Moderator):
thanks to all of you for attending today’s chat
Vipul Patel (Expert):
chakravarty: can you email me this question? I shall reply ASAP. My email id is vipul_D_patel@hotmail.com
subhashini (Moderator):
Special thanks to Vipul for taking time out for this informative session with his geographical constraints regarding timings
Vipul Patel (Expert):
Thanks all for attending this chat
subhashini (Moderator):
Thanks a lot Vipul
Vipul Patel (Expert):
welcome subhashini
subhashini (Moderator):
request all of you to pool in your queries through email
subhashini (Moderator):
Have a lovely evening
subhashini (Moderator):
Also feel free to pool in your feedback for these chats at commind@microsoft.com
subhashini (Moderator):
enjoy your evening all of you and Vipul, have a great day :)

Webchat Transcript – Writing Secure Code – Part 2

Chat Topic : Writing Secure Code - II
Chat Expert : Vipul Patel (MVP)
April 14, 2005

subhashini (Moderator):
hello everybody
subhashini (Moderator):
:) a very good evening to all of you
subhashini (Moderator):
and welcome all of you to join us for the second part of the series chat
subhashini (Moderator):
on writing secure code
subhashini (Moderator):
Thanks to Vipul Patel (MVP) for hosting this series chat
subhashini (Moderator):
Guys, thanks to him, he’s based out of the US and is currently hosting the chat during his odd hours
subhashini (Moderator):
Once again a quick run through the chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
thanks to all of you for attending this chat.
subhashini (Moderator):
and let's welcome Vipul
Vipul Patel (Expert):
Thanks Subhashini for the opportunity. Welcome to the second part of the series on Writing secure code.
subhashini (Moderator):
to continue the series
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Hello all
Vipul Patel (Expert):
Those who missed out yesterday: a quick recap. Yesterday the main focus was the need for writing secure code, threat modeling, and we saw two security concerns: buffer overruns and ACLs.
Vipul Patel (Expert):
Today we shall focus on the other security concerns.
Vipul Patel (Expert):
We begin with poor cryptographic techniques
Vipul Patel (Expert):
Crypto can help secure data from specific threats, but it does not secure the application from coding errors.
Vipul Patel (Expert):
Common mistakes people make when using cryptography include
Vipul Patel (Expert):
a. using poor random numbers
Vipul Patel (Expert):
b. using passwords to derive cryptographic keys
Vipul Patel (Expert):
Let's catch them one by one
Vipul Patel (Expert):
Did you know that the Random function provided by the operating system generates the same sequence of random numbers every time?
Vipul Patel (Expert):
Same case with the Frameworks……
Vipul Patel (Expert):
Consider this code in C++

// Always prints the same numbers (the chat quoted 52 4 26 66 26)
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    srand(12366);              // fixed seed, so rand() replays the same sequence on every run
    for (int i = 0; i < 10; i++)
    {
        int n = rand() % 100;  // separate variable; the original shadowed the loop counter
        printf("%d ", n);
    }
    return 0;
}
Vipul Patel (Expert):
The above code snippet always results in the same sets of numbers…..
Vipul Patel (Expert):
Let's see one in C#
using System;

class Class1
{
    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    [STAThread]
    static void Main(string[] args)
    {
        // Fixed seed: System.Random replays the same 20 numbers on every run
        Random rnd = new Random(1234);
        for (int i = 0; i < 20; i++)
        {
            Console.WriteLine(rnd.Next(100));
        }
    }
}
Vipul Patel (Expert):
The above code also results in the same sequence of random numbers being generated.
Vipul Patel (Expert):
The problem with using such functions is that if your application is of a secure nature like a financial institution application, such a dependency on system provided (read predictable) numbers can be easily tracked by the hacker……
Vipul Patel (Expert):
If the random numbers are used for say saving the session key, then all the session information is at risk….
Vipul Patel (Expert):
How to avoid such a situation…..
Vipul Patel (Expert):
For win32 applications use the CryptGenRandom class…………………
Vipul Patel (Expert):
And those of you coding in C#, use the RNGCryptoServiceProvider class available in the System.Security.Cryptography namespace
Vipul Patel (Expert):
Another poor cryptographic technique is “Using Passwords to Derive Cryptographic Keys”
Vipul Patel (Expert):
Some applications are based on a security model where you ask the user for the password for a specific action and then this user-provided password is used as a cryptographic key.
Vipul Patel (Expert):
The problem with such an approach is that if the password is small, then it is easy to predict through a dictionary attack.
Vipul Patel (Expert):
Dictionary attack: try all possible words from the dictionary to see which works as a key.
Vipul Patel (Expert):
Suggestion: Keep your passwords long and random.
Vipul Patel (Expert):
You can make this a network policy…..
Vipul Patel (Expert):
With Win2003 Server and later, you can validate password compliance with NetValidatePasswordPolicy.
Vipul Patel (Expert):
More information available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp>
Vipul Patel (Expert):
Use Keyed Hash
Vipul Patel (Expert):
Keyed Hash: Is a hash that includes some secret data, data known only to the sender and recipients. It is typically created by hashing the plaintext concatenated to some secret key or a derivation of the secret key. It is one kind of message authentication code (MAC).
Vipul Patel (Expert):
The idea here is to not use a simple hash but to use a keyed hash. This secures things a bit.
subhashini (Moderator):
sorry guys, vipul
subhashini (Moderator):
might have just got logged out
subhashini (Moderator):
please hold on for a couple of mins. he would be back
subhashini (Moderator):
vipul has lost his wireless connection and has had to reboot
subhashini (Moderator):
so, he would be back any minute
subhashini (Moderator):
thanks for cooperating
subhashini (Moderator):
thanks guys
Vipul Patel (Expert):
sorry for the confusion guys…
Vipul Patel (Expert):
lets continue
Vipul Patel (Expert):
Creating a keyed hash
HMACSHA1 hmac = new HMACSHA1();
hmac.Key = key;
byte[] hash = hmac.ComputeHash(message);
Tip: Use the operating system or .NET Framework libraries. It’s much easier than implementing the logic yourself.
subhashini (Moderator):
apologies for the technical tricks played on us by the chat tool :) we are back and let's get the chat rocking!
Vipul Patel (Expert):
So how do you protect secrets?
Vipul Patel (Expert):
We usually hash the data…..
Vipul Patel (Expert):
But better than hash, do a salted hash…
Vipul Patel (Expert):
Hash: is a cryptographic algorithm that produces a different output, called a message digest, for each unique element of data
Vipul Patel (Expert):
Better than hash, use a salted hash
Vipul Patel (Expert):
Salt is a random number that is added to the hashed data to eliminate the use of precompiled dictionary attacks, making an attempt to recover the original secret extremely expensive. The salt is stored unencrypted with the hash.
Vipul Patel (Expert):
More information is available at <http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx>
Vipul Patel (Expert):
Coming to talk of DPAPI, let's see what is available in Windows 2000 and above
Vipul Patel (Expert):
In Windows 2000 and later, we can use the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData.
Vipul Patel (Expert):
http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx
Vipul Patel (Expert):
Guys, the above link should work.
Vipul Patel (Expert):
These functions encrypt (DPAPI) and decrypt data by using a key derived from the user’s password. In addition, decryption can be done only on the computer where the data was encrypted unless the user has a roaming profile, in which case she can decrypt the data from another computer on the network.
Vipul Patel (Expert):
A Special Case: Client Credentials in Windows XP
Vipul Patel (Expert):
Windows XP includes functionality named Stored User Names And Passwords to make handling users’ passwords and other credentials, such as private keys, easier, more consistent, and safer. If your application includes a client component that requires you to prompt for or store a user’s credentials, you should seriously consider using this feature for the following reasons:
• Support for different types of credentials, such as passwords and keys, on smart cards.
• Support for securely saving credentials by using DPAPI.
• No need to define your own user interface. It’s provided, although you can add a custom image to the dialog box.
Vipul Patel (Expert):
Use NTFS for enhanced security. FAT and FAT32 do not enforce strict security checks.
Vipul Patel (Expert):
Other small nuances to take care of…..
Vipul Patel (Expert):
Trust no input
Vipul Patel (Expert):
Always validate any user input for all possible values: minimum, maximum, boundary conditions, etc.
You can check the format of the input data with regular expressions
Vipul Patel (Expert):
DOS device name vulnerability
Due to compatibility reasons, DOS device names have been carried over to Windows. That’s why you can’t create a file named PRN or COM1, COM2 or LPT. Creating such files (even for temporary purposes) through code should be avoided.
Vipul Patel (Expert):
Don’t trust the PATH variable. Use full path names
If your application uses the PATH variable explicitly for a good number of reasons, it is better to create a custom environment variable for the purpose, as the PATH variable should not be depended upon since a lot of applications may modify it.
Vipul Patel (Expert):
SQL Injection attacks
Vipul Patel (Expert):
consider a SQL statement
Vipul Patel (Expert):
string sql = "select * from client where name = '" + name + "'";
Vipul Patel (Expert):
imagine a user entering
Blake' or 1 = 1
Vipul Patel (Expert):
Q: vipul, are SQL injection attacks fully preventable through stored procedures?
A: No, for SQL injection, SPs are not a solution.
People use two solutions
Vipul Patel (Expert):
Q: vipul, are SQL injection attacks fully preventable through stored procedures?
A: The correct solution is
a. Never ever connect as sysadmin (this limits database damage by SQL injection)
b. Build your SQL statements securely; use parameterized commands in your SP.
Vipul Patel (Expert):
Q: what are your strong recommendations to deal with SQL injection attacks
A: a. never ever connect as sysadmin (This limits database damage by SQL injection)
b. Build your SQL statements securely, use Parameterized commands in your SP…………..
subhashini (Moderator):
guys, we have the last 13 mins left for the chat to conclude for today
subhashini (Moderator):
please ask the last few questions to get them answered
Vipul Patel (Expert):
I agree with Chakravarthy: if possible prevent the user from entering "'" when he is specifying text based information. But the problem is with names like L’Oreal... how to deal with that.. :D
Vipul Patel (Expert):
Q: vipul, are there any other security areas that you need to highlight and may not have time to discuss fully here?
A: I will not be able to cover the security in the .NET Framework, which I will cover tomorrow.
Vipul Patel (Expert):
Q: i want to ask whether parameterized commands are foolproof.
A: Depends on your code. But it is deemed and projected as quite secure..
Vipul Patel (Expert):
Q: suppose I have a web application, then using the encryption class is not going to help much, as encryption would occur at the server side; after all, data is transferred across the n/w without encryption. Am I right???
A: If you use SSL, then your data will be secure when transferred from the client to the server.
Vipul Patel (Expert):
Q: Hi, tell me more about DPAPI and what all complexities are involved implementing it ?
A: already answered….
Vipul Patel (Expert):
Yes, don't allow the where word, if possible, I must add.
Vipul Patel (Expert):
Chakravarthy: Whidbey: I shall answer that tomorrow…..
subhashini (Moderator):
So this brings us to the end of today’s chat
subhashini (Moderator):
and hope to see you all tomorrow
subhashini (Moderator):
and hold on to your questions till tomorrow
subhashini (Moderator):
also feel free to email vipul at vipul_d_patel@hotmail.com
Vipul Patel (Expert):
The best resource on writing secure code is a book by Michael Howard titled “Writing secure code”………. Google for more information on the book….
Vipul Patel (Expert):
Chakravarthy:….. go ahead…
subhashini (Moderator):
go ahead chakravarthy
Vipul Patel (Expert):
For securing already written code, I suggest that you have a robust code review policy, revisit your design, basically perform threat modelling for an already existing application.
Vipul Patel (Expert):
That is a judgement call, if you feel that the previously written code is not secure, demo the failure to your team lead, and then suggest that the following remedies will apply….
Vipul Patel (Expert):
what do you mean by wrapping mechanism?
Vipul Patel (Expert):
Best practises for writing secure code:
Vipul Patel (Expert):
a. Dont tell the attacker anything
Vipul Patel (Expert):
b. Dont leak information in banner strings and unhandled errors…
Vipul Patel (Expert):
Doubel check your error messagess and paths…
Vipul Patel (Expert):
Add security commenst to your code…
Vipul Patel (Expert):
Dont write user files to \Program Files
Vipul Patel (Expert):
Dont write user data to HKLM
Vipul Patel (Expert):
Allow long passwords…
Vipul Patel (Expert):
and have an application log.
Vipul Patel (Expert):
That's all for today…..
subhashini (Moderator):
thanks again to all of you for attending the chat
Vipul Patel (Expert):
if you have any further questions, please email me at vipul_d_patel@hotmail.com or visit my unfrequented blog at http://spaces.msn.com/members/vipul and leave your comments there. I shall revert…
subhashini (Moderator):
see you all again tomorrow for the last part of this series
subhashini (Moderator):
have a lovely evening.

Webchat Transcript – Configuration Management Using Visual SourceSafe

Conducted on February 9, 2005; below is the transcript of the webchat.


Chat Topic : Configuration Management using Visual SourceSafe
Chat Expert : Vipul Patel (MVP)
February 9, 2005
GKhanna_MS (Moderator):
Hello All 🙂
GKhanna_MS (Moderator):
Welcome to the community chat.
GKhanna_MS (Moderator):
My name is Gaurav Khanna and I am filling in for Subhashini as the moderator
GKhanna_MS (Moderator):
as she is stuck in traffic 🙂
GKhanna_MS (Moderator):
Welcome to the chat on VSS – our expert for the day is Vipul Patel
GKhanna_MS (Moderator):
Before I start
GKhanna_MS (Moderator):
a few ground rules – to post a question, select the Question radio button and then submit your question
GKhanna_MS (Moderator):
any questions submitted without following this procedure will not be entertained
GKhanna_MS (Moderator):
🙂
GKhanna_MS (Moderator):
That said.. let's get started
GKhanna_MS (Moderator):
Welcome Vipul
GKhanna_MS (Moderator):
🙂
Vipul (Expert):
Hello All…
I am Vipul Patel and today we shall be discussing Configuration Management using Visual SourceSafe
Vipul (Expert):
I shall begin with the basics…
GKhanna_MS (Moderator):
Very well – so how would you want to start off? Best Practices?
Vipul (Expert):
We shall start with learning about VSS with Microsoft developer environments, like Visual Studio and Visual Studio.NET, followed by best practices with VSS.
Vipul (Expert):
Most of us use IDEs like Visual Studio and VS2003 for our projects…
Vipul (Expert):
Now, these IDEs, coming from the same flagship company (Microsoft), are tightly integrated with VSS, so you can perform your source control from within the IDE itself.
Vipul (Expert):
In VS2003, you have the option File > Source Control… You can bind your project to a project in VSS and then seamlessly check in/check out from the IDE itself.
Vipul (Expert):
You may need to enable the source control provider for VSS. That option will be under Tools > Options > Source Control.
Vipul (Expert):
Now that we use VSS on a regular basis, here are a few tips..
Vipul (Expert):
Make sure that you do not flood your project to an overwhelming size. The performance of VSS decreases rapidly when the database size increases beyond 3 GB.
Vipul (Expert):
TIP: If you think your project will expand beyond 3 GB, break it into smaller projects.
Vipul (Expert):
Ganeshk: I am beginning with best practices.
Vipul (Expert):
wnderdot: smaller projects does not mean more than one VSS. It means more projects.
Vipul (Expert):
Q: Can you brief on what all VSS can do and what it does not do, in a bird's-eye view?
A:
VSS is a configuration management tool, like Rational ClearCase and CVS. It is used to track file histories, create baselines when you have a software delivery, etc…
Vipul (Expert):
Q: Would like to know on how to do versioning management using VSS
A:
You need to add the file to source control and then you can check in and check out the file. Right click the file and you will get the options.
Vipul (Expert):
Q: Does smaller projects mean more than one VSS?
A:
No, it means that you have more than one VSS database. You can create multiple databases from VSS Admin.. Go to Tools > Create Database..
Vipul (Expert):
Q: Does .NET 2003 have its own VSS or do we have to use the one with Visual Studio 6.0?
A:
VS2003 uses the same VSS from VS 6.0, only it has been tweaked to perform better
Vipul (Expert):
Tip 2: CM Admins: Use the Analyze tool frequently.
Vipul (Expert):
The Analyze tool checks the integrity of the VSS database. Over time, the file system of your VSS database may get dis-oriented. The Analyze tool checks for this and you will be aware of this very early on. You should run the Analyze tool on a weekly basis.
Vipul (Expert):
Tip 3: Location: VSS performs best under the NTFS file system on Windows NT and higher…. If you have many VSS users, a performance boost will be well worth it.
Vipul (Expert):
Tip 4: Free disk space: Whenever you run the Analyze tool, make sure you have ample free space, equal to your VSS database folder size. You do not want to run out of hard disk space when the Analyze tool is running, else it will corrupt the database.
Vipul (Expert):
Tip 5: Check on a restored version and then run Analyze on the main database: To prevent loss of information, always perform Analyze on a restored version and not on the live database.. If the Analyze on the restored version is successful, then you can proceed to the live version.
Vipul (Expert):
Tip 6: Make sure you do not have any active users when running the backup, restore, analyze, and analyze-and-fix utilities. This is because any changes made by the user after the activity is started will not be reflected in the current version and you may have an orphaned version of some file. Make sure that all users log out before you do any such utility runs.
Vipul (Expert):
Tip 7: Server rights: Assign rights to the VSS database wisely. Start with read-only and give a "try" project with write access to all for new users to play with. Once they get comfortable, then provide them rights on the necessary folders. You don't want to lose any information just because someone did not know how to use VSS.
Vipul (Expert):
Tip 8: Synchronize the dates and system clocks for all Visual SourceSafe client computers with the Visual SourceSafe server. This prevents check-in and check-out operations from appearing to happen out of sequence and affects any labels that are applied. Synchronizing dates and system clocks is particularly important when users from different time zones access the same database.
Vipul (Expert):
Tip 9: Moving VSS: Don't use XCOPY, simply because it does not copy some zero-byte files and the VSS file system has plenty of these… Instead use Windows Explorer to copy your database to create a backup…
Vipul (Expert):
How to run Analyze:
Step 1: Analyze -V4
The first pass should always locate problems before trying to fix them.
Step 2: Analyze -F -V4
If errors are reported in the first pass, run Analyze again in fix mode to correct them.
Step 3: Analyze -F -C -V4 (if you have a "Found a DIFF" or "Found a COMMENT" error that you want removed)
Vipul (Expert):
Tip 10: Make your backups daily as well as weekly jobs…. Like, your code folder should be backed up daily, whereas the project management and archive folders can be archived weekly.
Vipul (Expert):
Q: I would like to know more about merging in case of simultaneous check out of a single document
A:
When a single document is checked out multiple times, when the second user checks in (he gets to know what changes were made by the first user), he can make sure that he does not override the first user's code
Vipul (Expert):
Q: Vipul, can you please explain Multiple Checkouts, Versioning, Merging
A:
Multiple checkouts: A file can be checked out by more than one person at a time
Versioning: The system of keeping a file history of a document with history numbers like 1st version (Created initial draft), 2nd version (Reviewed by Manager)
Merging: The process followed by the second user of a multiple checkout to make sure that the file which he checks in does not override the first user's work
Vipul (Expert):
Q: is multiple check out supported? if yes then how?
A:
Multiple checkout is supported, but not recommended. To enable multiple checkouts, go to the VSS Admin application, Tools > Options. In the General tab, check "Allow multiple checkouts"
Vipul (Expert):
Q: When does second user get updated copy of the first user when there are multiple check-outs ?
A:
When he tries to check in his file.
Vipul (Expert):
Q: is backup and recovery safe in VSS
A:
If the Analyze results say the database is clean, then you can safely go ahead and perform backup and recovery. Else, you need to fix the database.
Vipul (Expert):
Q: The whole file got messed up… had to resolve compilation errors.. any tips on how to merge successfully?
A:
I would recommend to not use multiple checkout with VSS 6.0. It is not a good tool for multiple checkouts.
Vipul (Expert):
Q: Can we have simultaneous checkouts for the same file by multiple users
A:
yes, you need to enable multiple checkouts. Please check a few questions back; I have answered the same.
Vipul (Expert):
Q: will analyze tool help fix the problem if any or will it just detect the problem?
A:
Analyze, when used with the proper switches, will fix… Some options will just identify, some options will fix… please check the previous questions.. I have answered that
Vipul (Expert):
Q: I want to know how to do labeling and create a build out of it
A:
When you want to label a project, Select the project. File -> Label and give the name of the label…
Vipul (Expert):
Q: can we write the comment in the header of file when we checked in File
A:
you can write the comment in the comment space given by VSS. In that way the comment will be in the VSS database and not in the file. You can also write the comment in the file, for the future, like if you migrate to another source control.
Vipul (Expert):
Q: I came to know about one of the disadvantages of VSS: database size cannot exceed 3 GB.. Why is it so??
A:
Because VSS uses a Windows-based file system… All the data is in the form of files. When there are thousands of files, you will surely get a performance hit.
Vipul (Expert):
Q: If we enable VSS through the IDE, and then decide to follow the concept of smaller projects for dotnet projects, how can we implement the same?
A:
Technically, your code for a project will never reach 3 GB so this will not be a concern. But in case you need to do the same, make sure you make the proper settings when archiving… You can clean up your database that way
Vipul (Expert):
Q: Ashsih, could you please give some brief idea of how multiple check-outs take place
A:
Already answered
Vipul (Expert):
Q: SIMPLE question: how can I set a particular folder as working folder once for all… currently I have to set it every time I start a VSS session
A:
Right click the project for which you need to set the working folder and then Set Working Folder. Make sure "Save as default for project" is checked. If it fails even after this, then please advise your VSS admin to check the file permission for you on the VSS database. It is possible that you have read access to your file in the folder in the VSS database where user preferences are stored
Vipul (Expert):
Q: Vipul, if the first user is working on a file and has not checked in, how will VSS merge when the second user checks in the same file
A:
Then the first user will be intimated of the changes by the second user.
Vipul (Expert):
Q: Can you brief on Advantage of VSS over Rational ClearCase and CVS
A:
Basic Advantage: Tight integration with Visual Studio IDE
Vipul (Expert):
Q: I would like to know how merging is done
A:
Already Answered
Vipul (Expert):
Q: Can I link the users from my active directory to VSS users list?
A:
I shall revert later on this.. Please email me at vipul_d_patel@hotmail.com.. This is a very specific case. We can take this offline. You can also check with the chat transcript.
Vipul (Expert):
Q: But if there is an existing project which has crossed 3gb what should we do
A:
Try to move the archive information (for which you don't need version history) to a new database. Else, get a better server configuration if you have a performance hit.
Vipul (Expert):
Q: Whats Team Development all about.. is that the next generation VSS management tool?
A:
Team Development is about task-based development. When you check in a file in VS2005 (to be released soon), you will have to check it out against an activity. So you will always know, for a particular activity, which files you modified.
Vipul (Expert):
Q: No I mean Project Versioning management!. Save all weekly versions may be would like to save versions every 3 days.
A:
Can you rephrase your question? I did not get the gist of it
Vipul (Expert):
Q: Had a query related to database objects being versioned from VSS directly. Is that feature there in VSS 6? I guess there is some sort of compatibility of DB objects with VSS.Net? Please elaborate on this.
A:
can we take it offline.. mail me at vipul_d_patel@hotmail.com.
Vipul (Expert):
Q: is Archive facility provided in VSS
A:
Yes… You need to go to the VSS Admin application, Archive > Archive Projects…
Vipul (Expert):
Q: What do you mean by cleaning the database if the file system is dis-oriented? What will be the result after fixing the database?
A:
You will have a faster database. And you will be able to restore that database on any other computer.
Vipul (Expert):
Q: Once labeled, how do we retrieve that particular labelled build
A:
Right click that file/folder, and see History… and then browse to that.. The version containing the label text which you specified can be retrieved by doing a Get..
Vipul (Expert):
Q: Hi Vipul, can we connect to the VSS server remotely, I mean if our server is not in the LAN but is in other states (through the internet)
A:
Yes, there is a separate tool for that from SourceGear
Vipul (Expert):
Q: hi Vipul, can I set any folder to be the working folder permanently…currently I have set working folder in each session of VSS
A:
Already answered
Vipul (Expert):
Q: Hi Vipul, is it possible to search files as we do in the Windows environment?
A:
Yes, Tools > Find in Files…
Vipul (Expert):
Q: Hi Vipul, in order to solve the 3 GB space problem, is it possible to have 2 databases on 2 different machines and merge them, or share certain common files to save space
A:
you can have the databases on the same machine, that is not an issue. You need to have two different VSS databases… Go to VSS Admin, Tools > Create Database….. Hope this helps
Vipul (Expert):
Q: How to make the network id the VSS login
A:
Ask your VSS admin to use the VSS Admin console > Tools > Options > check "Use network name for automatic user login"
Vipul (Expert):
Q: Hi Vipul, How to find out deleted files in the VSS.
A:
There is no mechanism for finding deleted files. I would recommend that you don't delete any files permanently.
Vipul (Expert):
Q: Vipul, Is Visual Source Offsite in the same line as SourceSafe that supports remote login
A:
Can we take this offline. I need to investigate (vipul_d_patel@hotmail.com)
GKhanna_MS (Moderator):
Any more questions ?
Vipul (Expert):
Q: The Find in Files option works only for text files..?
A:
yes
GKhanna_MS (Moderator):
We are at the end of the chat – hopefully the chat was of much use to you 🙂
GKhanna_MS (Moderator):
Thank you Vipul – for joining in.
GKhanna_MS (Moderator):
Thank you all for joining in.
Vipul (Expert):
Q: Hi Vipul, is there any major diff between VSS 6 and VSS Whidbey
A:
Yes, there will be a huge difference.. VSS2005 (Whidbey version) will be a lot better than the current VSS. You can check out http://msdn.microsoft.com/chats/transcripts/vstudio/vstudio_080504.aspx
GKhanna_MS (Moderator):
Looking forward to seeing you all for the next chat :)
Vipul (Expert):
Q: Vipul, Is Visual Source Offsite in the same line as SourceSafe that supports remote login
A:
Can we take this offline, I need to investigate this…
Vipul (Expert):
Q: How to find out deleted files from VSS
A:
not possible
Vipul (Expert):
Q: How to find out deleted file from VSS ?
A:
not possible in VSS 6.0
Vipul (Expert):
Q: hi Vipul, can I set any folder to be the working folder permanently…currently I have set working folder in each session of VSS
A:
Yes, already answered earlier
Vipul (Expert):
Q: Vipul, Is Visual Source Offsite in the same line as SourceSafe that supports remote login
A:
Already answered
Vipul (Expert):
Q: Is it possible to archive files rather than project?
A:
No.. You can only archive projects. But you can share a file to another project and then archive it…
Vipul (Expert):
All: Please note that I will answer most of the unanswered questions on my blog: http://spaces.msn.com/members/vipul in a few days from now.. Be sure to check them out……
Vipul (Expert):
Q: How do I search in non-text files?
A:
not possible…..
Vipul (Expert):
Q: In the coming version, are we able to find out deleted files?
A:
no idea as of yet.. I shall try to find out and answer, please check my blog.
Vipul (Expert):
Q: Is there any automatic merge tool available when you do multiple-checkouts?
A:
not from Microsoft…
Vipul (Expert):
Q: Is there any option to find a particular file in VSS
A:
yes. View > Search > Wildcard search
Vipul (Expert):
Q: When is the next version releasing?
A:
soon. That's the best I can say right now. It shall be in this year.. Check out microsoft.com/ssafe for more details
Vipul (Expert):
Q: The VSS user rights database often gets corrupted. While changing rights of certain users, an error saying 'File or project not found' shows up, whereas it is quite possible to change rights of other users. How can I prevent this
A:
To make sure you don't have recurring problems: lock all users out and then check out the users folder in VSS and make sure everyone in your user list is present and the files are not read-only..
Vipul (Expert):
Q: Is it possible to get VSS History and comments/ labels printed in the source safe file( For Text Files)
A:
Yes. Right click the file > Properties > Report > Preview. I did not understand what you mean by "printed in the source safe file"…?
Vipul (Expert):
Q: Is there any option to retrieve files based on label name in the VSS client tool? It is available in the command tool.
A:
Yes, you can retrieve files based on label… Right click the folder, select version history. On the required label, do a Get…. I think it is available on the command line interface. Please email me at vipul_d_patel@hotmail.com
Vipul (Expert):
Q: The VSS user rights database often gets corrupted. While changing rights of certain users, an error saying 'File or project not found' shows up, whereas it is quite possible to change rights of other users. How can I prevent this
A:
already answered
Vipul (Expert):
Q: I mean that it is printed inside the file as a header
A:
It was possible, but can you get back to me at vipul_d_patel@hotmail.com. I shall investigate….
Vipul (Expert):
Q: One Q: Can I create a user in VSS Admin for remote access, I mean can I connect to VSS through the internet, and can I create a local copy through the remote user
A:
already answered. Please email me at vipul_d_patel@hotmail.com and I shall investigate
Vipul (Expert):
Q: Vipul, those are concepts, but we are interested in knowing the steps to perform the same actions. Many times, I encountered errors while merging or trying to make a build out of the labeled version
A:
Can you elaborate the errors.
Vipul (Expert):
Q: Hi Vipul, can you please brief on the concept of 'build'
A:
a build is a process in which you create a project executable
Vipul (Expert):
Q: In case of multiple checkouts, can VSS make sure that the code modified by user 1 cannot be modified by user 2 until user 1 checks in
A:
I don't want to guess. I shall investigate this. Please email me at vipul_d_patel@hotmail.com
Vipul (Expert):
Q: But, Vipul, managing small projects would become a problem
A:
Not as much as a corrupt database 😉
Vipul (Expert):
Q: Vipul, is multiple checkout enabled for all kinds of roles?
A: What do you mean by roles?
Vipul (Expert):
Q: Even the same thing is available with Java IDEs like WebSphere Application Developer
A: Yes…… If you are using Microsoft projects, it would be slightly better than non-MS products
Vipul (Expert):
Q: When I select 2 files and do a Show Differences, it shows the difference between those 2 selected files. But what I wanted is to show differences from the working folder for those 2 selected files. Is it possible?
A: can you rephrase your question, I did not get the gist
Vipul (Expert):
OK then. Thanks to all for joining the chat. You should have a chat transcript on the Community website very soon….
Vipul (Expert):
You can always mail your questions to me at vipul_d_patel@hotmail.com or vipul.patel@patni.com
