ASP.NET 2.0 Security Scenarios and Solutions

Scenarios and Solutions are basically whiteboard solutions that quickly depict key engineering decisions.  You can think of them as baselines for your own design.  We have a set of solutions that show the most common end-to-end ASP.NET 2.0 authentication and authorization patterns: Intranet Windows Authentication to AD Groups; Windows Authentication to SQL Roles; Forms Authentication…


Input Validation Principles and Practices

If you use a principle-based approach, you can get rid of whole classes of security issues.  SQL injection, cross-site scripting and other flavors of input injection attacks are possible because of some bad practices.  Here are a few of the bad practices: you’re relying on client-side input; you’re not validating input; you’re ignoring that input…


Catalysts and Drains

This is a follow-up to my post, Manage Energy, Not Time.  A few folks have asked me how I figure out energy drains and catalysts.  For me, clarity came when I broke it down into: Tasks; People.  On the task side … This hit home for me when one of the instructors gave some example scenarios: You…


What’s a Scenario

In general, “scenario” usually means a possible sequence of events.  In the software industry, “scenario” usually means one of the following: 1. Same as a use case; 2. Path through a use case; 3. Instance of a use case.  #3 is generally preferred because it provides a testable instance with specific results.  Around Microsoft, we use “scenarios” quite a…


Scenario and Feature Matrixes

One of the most effective approaches I’ve found for chunking up a project for incremental value is using a Scenario and Feature Matrix. A Scenario and Feature Matrix organizes scenarios and features into a simple view.  The scenarios are your rows.  The features are your columns.  You list your scenarios in order of “MUST”, “SHOULD”,…


What’s the Cost of Not Doing Security Engineering

Alik is out in the field helping customers bake security into their product cycles.  Of course, customers ask how much it costs to implement Security Engineering practices.  The answer is, of course, … it depends.  The flip side is, what’s the cost of NOT doing it?  I think understanding the cost of NOT doing it is…


Manage Energy, Not Time

Manage energy, not time, to get more things done …  This concept really resonates with me.  I also like it because it can be counterintuitive or non-obvious.  One way to try and get more things done is to jam more into your schedule.  Yuck!  Unfortunately, that’s a fairly common practice.  I actually have lots…


User Experience, Tech Feasibility and Business Value

I found a way to explore more and churn less on incubation (i.e. R&D) projects.  It helps to think of your project experiments and key risks in terms of these three categories and in this order: 1. user experience; 2. technical feasibility; 3. business value.  Sequence matters.  If you don’t get the user experience right first, who cares…


Timing Managed Code in .NET 2.0

In .NET 1.1, we timed managed code by wrapping QueryPerformanceCounter and QueryPerformanceFrequency.  The following How To shows how: “How To: Time Managed Code Using QueryPerformanceCounter and QueryPerformanceFrequency”.  In .NET 2.0, you can use the Stopwatch class.  I found the following references useful: “The .NET 2.0 Stopwatch Class” and the MSDN Stopwatch Class documentation.


Scenario Evaluations for Product Design and Feedback

When I need to quickly analyze a product and give actionable feedback, I use scenario evaluations.  Scenario evaluations are basically an organized set of scenarios and criteria I use to test and evaluate against.  It’s a pretty generic approach, so you can tailor it for your situation.  Here’s an example of the frame I used…