Perth .NET User Group Meeting: Thurs 4th Sept, 5:30pm – 7pm: Federated Identity Management in a Service Oriented World with Bill Poole

Join us at the Perth .NET Community of Practice, Sept 4th to hear Bill Poole talk about Federated Identity Management in a Service Oriented World. Gone are the days of siloed applications that identify users with a simple username/password combination stored in the application database. In today’s world of Internet based e-commerce where secure transactions occur over insecure open networks and in a service oriented world of composite applications where identity must be shared between systems hosted by different organisations on disparate platforms; in a world where increasing numbers of businesses are turning to hosting their applications in the cloud, and where users from partner organisations need to be securely granted access to enterprise resources, architects are turning to an ever increasingly complex array of security solutions to solve their identity woes. How do we as mere mortals make sense of PKI, Kerberos, SAML, and a plethora of WS-* standards aimed at addressing these concerns? This session will provide a clear and practical description of how to apply today’s security technologies in order to effectively manage and share identity across applications, service and organisational boundaries.

TOPIC: Federated Identity Management in a Service Oriented World with Bill Poole
DATE: Thursday, Sept 4th, 5:30pm
VENUE: Excom, Level 2, 23 Barrack Street, Perth
COST: Free. All welcome.

Core .NET Reference Card

Jon Skeet has produced a handy Core .NET refcard for some of those things you might commonly look up in MSDN. It’s 6 pages long and quickly covers:

  • Common .NET types, aliases and sizes
  • String literals and escape sequences
  • Format strings (general, numeric, date/time)
  • Working with dates and times
  • Text encodings
  • Threading
  • Using the new features of C# 3.0 / VB 9.0 in .NET 2.0 projects

You have to register, which is a bit of a pain (although if you have registered before, you don’t need to register again). There are a few other handy reference cards there too.

SQL Server 2008 Express

The release of SQL Server 2008 means that the Express version is also available. SQL Server 2008 Express edition comes in 3 flavours: Express, Express with Tools and Express with Advanced Services. You can get more details on the individual versions and download them here.

Microsoft Urlscan Helps to Filter SQL Injection Attacks

Microsoft recently re-released an improved version of a security filter for IIS that is designed to help thwart SQL injection attacks by restricting the types of HTTP requests that IIS will process. UrlScan 3.0 is an IIS add-on that provides real-time validation of HTTP server requests, potentially blocking SQL injection exploits.

UrlScan has actually been available for several years, but Microsoft added some new features in this 3.0 release, including support for query string scanning.

Determining Poorly Performing Queries for Tuning from SQL Server Workload Trace Files

Whenever you gather workload traces to identify poorly performing queries, you need to import this data into a database table, then “normalise” the statement text (replace the literal values so that statements differing only in their constants collapse to one signature) and aggregate on that signature to identify the worst offenders. This can be done in a variety of ways. One way is to strip the literals with a regular expression, such as this SQL CLR method based on work done by Itzik Ben-Gan and modified by Adam Machanic:

using System.Data.SqlTypes;
using System.Text.RegularExpressions;

public partial class UserDefinedFunctions
{
    // Replaces character, binary, numeric and NULL literals with '#' so that
    // statements that differ only in their constants share one signature.
    [Microsoft.SqlServer.Server.SqlFunction(IsDeterministic = true)]
    public static SqlString sqlsig(SqlString querystring)
    {
        // A NULL TextData has no .Value; pass it straight through.
        if (querystring.IsNull)
            return querystring;

        return (SqlString)Regex.Replace(
           querystring.Value,
           @"([\s,(=<>!](?![^\]]+[\]]))(?:(?:(?:(?:(?# expression coming
           )(?:([N])?(')(?:[^']|'')*('))(?# character
           )|(?:0x[\da-fA-F]*)(?# binary
           )|(?:[-+]?(?:(?:[\d]*\.[\d]*|[\d]+)(?# precise number
           )(?:[eE]?[\d]*)))(?# imprecise number
           )|(?:[~]?[-+]?(?:[\d]+))(?# integer
           )|(?:[nN][uU][lL][lL])(?# null
           ))(?:[\s]?[\+\-\*\/\%\&\|\^][\s]?)?)+(?# operators
           )))",
           @"$1$2$3#$4");
    }
}
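The same signature pattern ported to Python and run over a few constructed trace rows, as an added example (not code from the post, nor from ClearTrace or the RML Utilities): it shows how normalised signatures let you aggregate a workload and rank the worst offenders by total duration or reads. The sample rows are made up for the demonstration.

```python
import re
from collections import defaultdict

# Port of the sqlsig pattern above; Python's re accepts the same syntax,
# only the replacement uses \1 instead of $1.
_SQLSIG = re.compile(
    r"([\s,(=<>!](?![^\]]+[\]]))"            # leading delimiter, not inside [brackets]
    r"(?:(?:(?:(?:"
    r"(?:([N])?(')(?:[^']|'')*('))"          # character literal, optional N prefix
    r"|(?:0x[\da-fA-F]*)"                    # binary literal
    r"|(?:[-+]?(?:(?:[\d]*\.[\d]*|[\d]+)"    # precise number ...
    r"(?:[eE]?[\d]*)))"                      # ... with optional exponent
    r"|(?:[~]?[-+]?(?:[\d]+))"               # integer
    r"|(?:[nN][uU][lL][lL])"                 # NULL
    r")(?:[\s]?[\+\-\*\/\%\&\|\^][\s]?)?)+"  # optional operator between literals
    r"))"
)

def sqlsig(query: str) -> str:
    """Replace literal values with '#' so that statements differing only in
    their constants collapse to one signature (same result as the CLR function)."""
    return _SQLSIG.sub(r"\1\2\3#\4", query)

# Constructed rows in the shape of a trace export: (TextData, Duration, Reads).
SAMPLE_TRACE = [
    ("SELECT * FROM Orders WHERE CustomerId = 'ALFKI'", 1200, 40),
    ("SELECT * FROM Orders WHERE CustomerId = 'ANATR'", 1500, 42),
    ("SELECT * FROM Orders WHERE CustomerId = N'BERGS'", 1100, 41),
    ("UPDATE Products SET Price = 19.99 WHERE ProductId = 7", 300, 3),
    ("UPDATE Products SET Price = 21.50 WHERE ProductId = 12", 250, 3),
    ("SELECT COUNT(*) FROM Orders WHERE ShipRegion IS NULL", 5000, 900),
]

def worst_offenders(rows, key="Duration"):
    """Group trace rows by signature, sum Duration/Reads and count executions,
    then return (signature, totals) pairs sorted by the chosen column, worst first."""
    agg = defaultdict(lambda: {"count": 0, "Duration": 0, "Reads": 0})
    for text, duration, reads in rows:
        sig = sqlsig(text)
        agg[sig]["count"] += 1
        agg[sig]["Duration"] += duration
        agg[sig]["Reads"] += reads
    return sorted(agg.items(), key=lambda kv: kv[1][key], reverse=True)

if __name__ == "__main__":
    for sig, totals in worst_offenders(SAMPLE_TRACE):
        print(f"{totals['Duration']:>6} {totals['count']:>3}  {sig}")
```

Note that the N prefix is preserved by the replacement, so `N'...'` and `'...'` variants of a statement land in separate buckets, exactly as with the CLR function.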

Recently I’ve been trying out ClearTrace, a free tool based around Read80Trace (described and downloadable here). Read80Trace was originally part of a Microsoft PSS engineer’s internal toolkit, but was released to the public in Dec 2007 (RML Utilities for SQL Server). ClearTrace is extremely simple to use, imports files (including rollover) very quickly and the results are good. The project is being supported so if you find a SQL statement that isn’t normalised/parameterised correctly, you can click a button and report it.

The larger RML Utilities toolkit for Microsoft SQL Server was released here.

The RML Utilities can help you answer the following questions:

  • Which application, database or login is consuming the most resources, and which queries are responsible for that.
  • Whether there were any plan changes for a batch during the time when the trace was captured and how each of those plans performed.
  • What queries are running slower in today’s data as compared to a previous set of data.

You can also test how the system will behave with some change (a different service pack or hotfix build, changing a stored procedure or function, modifying or adding indexes, and so forth) by using the provided tools to replay the trace files against another instance of SQL Server. If you capture a trace during this replay, you can use the tools to compare it directly against the original baseline capture.

If you decide to install and experiment with the RML Utilities toolkit, be warned that the tools are provided as is, and the install process is neither easy nor particularly pleasant!